I'm not sure if this is what I really want. If I install security/ca_root_nss from ports, then I have just one certificate in /usr/local/share/certs. Normally, an internet browser needs many more CA root certificates.
It's all those root (and I think some intermediates too) certificates combined into one file, and it's enough to verify any certificate the browser may be presented by an HTTPS site. Linux distros tend to split that file into many individual certificate files for slightly faster access.
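
An added example, not part of either post above: a short Python script that shows a single bundle file holding many certificates by splitting a PEM bundle into its individual blocks and writing one file per certificate. The bundle path is passed on the command line; naming the output files by SHA-256 fingerprint and the placeholder sample payloads are assumptions of this example.

```python
import base64
import hashlib
import pathlib
import re
import sys

# One PEM certificate block. Text between blocks (bundles often carry
# human-readable labels there) is skipped.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [
        base64.b64decode("".join(m.group(1).split()), validate=True)
        for m in PEM_BLOCK.finditer(text)
    ]

def write_split(text, outdir):
    """Write one PEM file per certificate, named by SHA-256 fingerprint.
    (Naming by fingerprint is this example's choice, not a distro convention.)"""
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for der in split_bundle(text):
        path = out / (hashlib.sha256(der).hexdigest() + ".pem")
        body = base64.encodebytes(der).decode("ascii")
        path.write_text(
            "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
        )
        paths.append(path)
    return paths

# Constructed sample: two PEM blocks with placeholder payloads, not real certificates.
SAMPLE_PAYLOADS = [b"constructed placeholder one", b"constructed placeholder two"]
SAMPLE_BUNDLE = "".join(
    "Label: sample %d\n-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n\n"
    % (i, base64.encodebytes(p).decode("ascii"))
    for i, p in enumerate(SAMPLE_PAYLOADS)
)

if __name__ == "__main__" and len(sys.argv) > 1:
    certs = split_bundle(pathlib.Path(sys.argv[1]).read_text(errors="replace"))
    print(len(certs), "certificates in", sys.argv[1])
```

Run it with the path of the bundle file installed under /usr/local/share/certs to see how many certificates that one file contains.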