Configuring the RHCOS system-wide CA trust store

Issue

Just like in RHEL and other major Linux distributions, RHCOS uses the 'ca-certificates' package and thus bundles in the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI (the default trust bundle has ~140 CAs). Limiting trust to only what is required has been a long-standing good security practice and if you wish to perform some additional security hardening and remove some of the trusted CAs it is possible to do so as documented here. However, as RHCOS is managed in an immutable fashion changes to the OS have to be done through machine config.

The concern is that one of these CAs could sign fraudulent certificates, which could then be used to trick a service into trusting a MITM or otherwise fraudulent service. However, if/when that is done, it would mean that the world is equally vulnerable at the same time. The likelihood of this could be classed as low, however, it's arguably still worth doing especially in regulated industries and organisations which dictate strict security policies.

Red Hat Enterprise Linux Root Certificate Authority Frequently Asked Questions