Can I overwrite WP’s ca-bundle.crt?
No.
This file and any other files in the wp-includes folder should never be updated, modified or edited unless it’s to replace them with a newer version of WordPress.
If you decide to ignore that and manually update the file anyway, there are several consequences:
- on managed hosts this won’t work, as WordPress core is handled separately and may not be on the same filesystem, and may be read-only. Likewise, many enterprise hosts protect these folders through other means that are more structural.
- the file would no longer match the file hash recorded for your version of WordPress, so any security plugin would immediately flag it
- it would be overwritten on update, possibly even on every deploy
- you would lose some WordPress specific backwards compatibility modifications:
```
## Includes a WordPress Modification - We include the 'legacy' 1024bit. certificates
## for backward compatibility. See https://core.trac.wordpress.org/ticket/34935#comment:10
```
Importantly though, your system might not be using that certificate bundle at all! This is in the original changeset that introduced it:
> This changeset also bundles ca-bundle.crt from the Mozilla project to allow for us to verify SSL certificates on hosts which have an incomplete, outdated, or invalid local SSL configuration.
Instead of updating it on your host, you might consider contributing an update to WordPress itself, aiming for the next major version (6.7 is in beta at the time of writing). Here’s the history: https://github.com/WordPress/WordPress/commits/master/wp-includes/certificates/ca-bundle.crt
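
The hash mismatch mentioned in the list above is what a core-file integrity check looks for. The following is an added example, not part of the original answer or of WordPress itself: it assumes a checksum manifest shaped as `{"checksums": {relative path: MD5 hex}}`, and the function names and the placeholder bundle contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Path of the bundle relative to the WordPress root (from the answer above).
BUNDLE = "wp-includes/certificates/ca-bundle.crt"

def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks. Used only as a change detector here."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_core_files(wp_root: Path, manifest: dict) -> dict:
    """Return {relative_path: 'ok' | 'modified' | 'missing'} per manifest entry."""
    status = {}
    for rel, expected in manifest["checksums"].items():
        target = wp_root / rel
        if not target.is_file():
            status[rel] = "missing"
        elif md5_of(target) != expected.lower():
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status

def demo() -> tuple:
    """Build a constructed stand-in install and check it in three states."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bundle = root / BUNDLE
        bundle.parent.mkdir(parents=True)
        # Constructed placeholder, not real certificate data.
        bundle.write_bytes(b"## placeholder for the bundle shipped with core\n")
        manifest = {"checksums": {BUNDLE: md5_of(bundle)}}  # assumed manifest shape
        shipped = verify_core_files(root, manifest)[BUNDLE]
        # Simulate the manual overwrite the answer advises against.
        bundle.write_bytes(b"## placeholder for a hand-edited bundle\n")
        edited = verify_core_files(root, manifest)[BUNDLE]
        bundle.unlink()
        removed = verify_core_files(root, manifest)[BUNDLE]
    return shipped, edited, removed

if __name__ == "__main__":
    print(demo())
```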