The self-signed certificate documentation needs clarification #2689

Open
woopla opened this issue Dec 6, 2024 · 1 comment
woopla commented Dec 6, 2024

I'm following https://docs.n8n.io/hosting/configuration/configuration-examples/custom-certificate-authority/ to add support for internal CAs, and I've got two issues:

  1. The external path that's mapped to /opt/custom-certificates needs to be writeable by the container. This prevents mapping the central cert store (in Rocky 8 that's in /etc/ssl/certs or /etc/pki/ca-trust/extracted/pem to avoid symlinks) that is managed by our IT. This means copies are necessary, and we risk getting outdated certs.
  2. The c_rehash call is not doing anything anyway when I make a local copy. The location I mentioned above contains a ca-bundle.crt file in PEM format with all the necessary CA certs. As a result, n8n is still unable to validate SSL certs when connecting to our internal services (I've tried our Jira instance, for example).

Could you please expand the docs on using custom CAs? For the first point, it should be explicitly mentioned that write access is necessary. For the second point, I'd like to have a description of the expected certs format for n8n.

woopla commented Dec 6, 2024

Quick follow-up: I was able to get the internal certs working by using NODE_EXTRA_CA_CERTS instead of the methodology in the docs. This has the advantage of not requiring c_rehash to run, so I can point to the single PEM file directly.
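Added example, not part of the issue thread or the n8n project: the `ca-bundle.crt` described above holds many certificates in one PEM file, while OpenSSL's rehash tooling skips files that do not contain exactly one certificate. This script splits such a bundle into one file per certificate; the function names, output file naming and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example (not n8n code): split a multi-certificate PEM bundle into
# one file per certificate. Function and output file names are hypothetical.

# split_pem_bundle BUNDLE OUTDIR: prints the number of certificates written
split_pem_bundle() {
    bundle=$1; outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----/ {
            if (inside) close(out)                # previous block had no END line
            n++; out = sprintf("%s/ca-%03d.crt", dir, n)
            inside = 1
        }
        inside { print > out }                    # text between blocks is dropped
        /^-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END {
            if (inside) { print "unterminated certificate block" > "/dev/stderr"; exit 2 }
            print n + 0
        }
    ' "$bundle"
}

# write_demo_bundle PATH: constructed sample, bodies are placeholders (not real certs)
write_demo_bundle() {
    cat > "$1" <<'EOF'
# Constructed Internal Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY1
-----END CERTIFICATE-----
# Constructed Internal Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY2
-----END CERTIFICATE-----
EOF
}

# Demo run on the constructed bundle, in a throwaway directory
demo=$(mktemp -d)
write_demo_bundle "$demo/ca-bundle.crt"
echo "certificates written: $(split_pem_bundle "$demo/ca-bundle.crt" "$demo/certs")"
ls "$demo/certs"
rm -rf "$demo"
```

The source bundle is only read, so it can stay on a read-only path managed elsewhere while the per-certificate copies go to a writable directory.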
