I think perhaps LOCALCERTS might be a shorter option name, unless other ports use are using LOCALBASE_CACERTS as a convention

This doesn't check at all whether ${LOCALBASE}/etc/ssl/cacerts exists or not. It doesn't on my machine, for example. TZUPDATE looks at first glance like it has the same problem, but it adds a dependency on java-zoneinfo, which ensures the zoneinfo data is available. If it didn't exist and I set this option, would I get an empty set of cacerts? That seems bad.

This is unintentionally on purpose. The idea is that the admin can place it by some means (I have a custom port, others drop of manually). If you pick this option you know what you do.
What do you prefer to see? Test for existence and then fail? If yes, this means that this port cannot be build independently of the admin dropping the file. In poudriere this adds an unnecessary obstacle.

Custom port:

PORTNAME=       nss-siemens-cacerts-java
PORTVERSION=    20230814
CATEGORIES=     security
DISTFILES=
 
MAINTAINER=     michael.osipov@siemens.com
COMMENT=        Collection of CA certificates trusted by NSS and Siemens for Java
 
NO_ARCH=        yes
NO_BUILD=       yes
NO_TEST=        yes
 
WRKSRC=         ${FILESDIR}
SSLDIR=         ${PREFIX}/etc/ssl
 
PLIST_SUB=      SSLDIR=${SSLDIR}
 
do-install:
        @${MKDIR} ${STAGEDIR}${SSLDIR}
        @${INSTALL_DATA} ${WRKSRC}/cacerts.jks ${STAGEDIR}${SSLDIR}/cacerts
 
.include <bsd.port.mk>

Let me know what you think.

My preference would be that if ${LOCALBASE}/etc/ssl/cacerts doesn't exist, and the option is on, then we either error the build (preferred) or don't install the symlink. Either of those makes it less likely that a user shoots themselves in the foot and ends up with an empty cacerts. I don't think it's too much to want a user who knows what they are doing to install the custom cacerts first.

I see, but how to build the package then in poudiere if I cannot depend on my custom port or manually dropping of the file ${LOCALBASE}/etc/ssl/cacerts? poudriere testport will always fail.

Sorry for not responding earlier, things have been hectic and I just saw this update. It seems like you're focusing this change on the situation where you have a custom port that installs your own set of certificates? If so, then maybe the best option is to just keep this change local and not commit it to the public ports tree. That way you can build packages locally in the configuration you want, without exposing the broader community of FreeBSD users to the possibility of installing the port without any certificate authority. Yes, that is more painful for you, but removes the risk of a bad install for other users.

If you want to go ahead with it in its current form, then the only other thing I can think of is to make it very clear from the option name and description that this is dangerous and not recommended. Overall I'm uncomfortable with the idea of an option that looks innocuous but will by default create a broken install. Users shouldn't have to read the port Makefile details to figure out that the option isn't safe and is strictly for experts supporting custom installations. Experts can then read the Makefile and decide to use it, aware of the risks.

True, it was never meant for the faint of heart. I have two counter-proposals which you might consider better than this one:

1. Turn this rather into a build variable similar like in 743dbb8f6fce110d31bff7ccf2652396cb53868a to a make.conf variable, e.g., OPENJDK_CACERTS_PATH which will be used to symlink. This makes it crystal clear for people that is not default and one cannot select it by accident and leave you with broken OpenJDK installation.
2. Create e new port, e.g., security/openjdk-cacerts-craeator. It will contain a single class which will turn /etc/ssl/certs to /etc/ssl/cacerts (truststore). It will be invoked at pkg-install and certlctl(8) will invoke it when java is on PATH and the class in LOCALBASE. Invoking keytool(1) isn't an option because you need one invocation per CA cert and it will take forever.

The first one is cheap. The second one is the most elegant until OpenSSL 3.2 lands in base, but it requires more effort and until the change in certlctl(8) lands in 13.3 and 14.1 base it will take long.

I am willing to work option two if people are willing to review the port and the change in certctl(8).

I'm ok with approach number 1. I don't know if it is worth investing in the second approach now if you anticipate that OpenSSL 3.2 will impact that approach and is due in a few months.

Great, I will change the code acordingly.