Actually I wouldn’t want to add each certificate to make it trusted. It would be more elegant to just add the certificate of my own CA, which would then make all certificates trusted that have been signed by the CA.
But if that is not possible, adding each certificate to make it trusted would be acceptable.
I guess this is used for authenticated scans, where the login would be using a certificate, such as for some web services. However, this is very probably not what I am looking for (and I saw it before I wrote my post).
This needs clarification. The description says: “untrusted and/or dangerous CA”. The part “untrusted” doesn’t necessarily sound like a blacklisted CA, just one that is not signed by a known trusted CA.
The concrete CA looks like it is just an unregistered CA generated on the fly by the TrueNAS system.
OK, the test is kind of prone to false positives because one pattern it looks for is “localhost”. That can be something bad, but does not have to be. In this case the TrueNAS application has a local CA that is able to create certificates. The local CA is also dynamically created. This is why it has CN=localhost. They should probably be using the actual hostname, but in any case this is not a dangerous or malicious CA. Of course one needs to know what to do and not to do with these certificates.
Nevertheless, it would make sense to have a user-definable whitelist of certificates that have been checked to be non-malicious.
This is my take on this, your opinion might be different. That’s OK.