<hr /><i>ben added on 2011-06-20 07:12:46 UTC:</i><br />
The ben-testing branch (which includes a competing implementation of SSL client and server certificate management) has an extra ssl-ca-location setting. This calls SSL_CTX_load_verify_locations().

I'm not entirely convinced that fossil should be doing any certificate management. At least, not the way it's doing it now. Perhaps storing the fingerprint of the certificate, rather than the certificate itself, might be the way to go.