This can be run as root or normal user with no problem; if they hadn't twisted the WITHOUT_CAROOT knob, we'll attempt to use the host certctl to rehash the DESTDIR. This would allow one to build systems WITHOUT_OPENSSL + WITH_CAROOT with a populated /etc/ssl that they can then use with an appropriate *ssl from somewhere else.

Currently, I am not asking to make certctl+openssl+libs a bootstrap-tool, as I don't think this will be a common issue; we'll just let those folks that don't have a host certctl know that we're not rehashing so that they can take later action if they so desire.