(no title)

Its often a case of its fine until it isn't and different organisations handle it differently. Python requests installed via pip will use its own truststore, but installed via rpm it will automatically use the system store. Amazon Corretto JDK also installs its own truststore, so you have to correct that. Running thirdparty applications often comes with trouble, too.

More recently, we've been bitten by a JDK bug[0] that prevents Java from correctly interpeting Name Constraints.

[0] https://bugs.openjdk.org/browse/JDK-8311546