What do people use for /sys/lib/tls/ca.pem? I noticed that David added it as the default for Go’s crypto/x509, but do you use a blank, self-signed template, or an actual trusted CA chain?