It would be desirable to allow adding system-wide certificates to an Ubuntu Core system, one example is the way some organisations use Docker with self-signed certs. To enable this we would need to make /etc/ssl/certs/ca-certificates.crt writeable or make it a symlink to something writable (e.g. /etc/writeable). We also need a directory where new certs can be added (probably /var/lib/snapd/certs). Certs could be added on snap installation and removed on snap removal, either by themselves (some kind of hook i.e. configure) or probably the better option, by snapd itself. After a new cert is added we need to call update-ca-certificates. We could protect access to this functionality either via an assertion or through a restricted interface.
What do you think?