Allow extending HTTP client trust bundle with additional CA certs from a directory #4285

@reinkrul

Description

Problem

The HTTP client (used for OAuth2 endpoints, OpenID4VCI/VP, etc.) trusts the OS CA bundle. That bundle in the Nuts node Docker image doesn't include the CAs of the AORTA-GtK issuer. Current workaround: rebuild the Docker image with ca-certificates installing the extra CAs — annoying for every new trust anchor.

Note: this is distinct from tls.truststorefile, which is the Nuts trust bundle for gRPC (PKIOverheid). We do not want to conflate the two.

Proposal

Let the HTTP client load additional trusted CAs from a configured directory at startup, appended to the OS-sourced pool.

  • Config key under the existing httpclient.* namespace, e.g. httpclient.tls.extracertsdir.
  • Docker image: default to a known path (e.g. /etc/nuts/http-trust.d/) mountable as a volume — drop PEM files in, restart, done.
  • Native binary: directory is optional; missing directory is not an error.
  • Load all *.pem / *.crt files; log subject + SHA-256 fingerprint of each added CA for auditability.
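One way the loader sketched in this proposal could look in Go, the language the Nuts node is written in. This is an added illustration, not code from the Nuts node or from the issue author; the function names (LoadExtraCAs, Fingerprint, NewTestCertPEM), the nil-base convention and the strict handling of non-CA or unparsable files are my assumptions, and the sample certificate is constructed in the block itself so it runs offline. It appends every CA from *.pem / *.crt files in a directory to the OS pool, treats a missing directory as a no-op, and records subject plus SHA-256 fingerprint for the audit log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// AddedCA is the audit record for one CA appended to the HTTP client trust pool.
type AddedCA struct {
	File, Subject string
	Fingerprint   string // lowercase hex SHA-256 over the DER-encoded certificate
}

// Fingerprint returns the SHA-256 of a DER certificate as lowercase hex.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// LoadExtraCAs appends every CA in *.pem / *.crt files under dir to base (the OS pool
// in production; nil starts an empty pool). A missing directory is a no-op, as the
// proposal wants for the native binary. A file that cannot be parsed, holds no
// CERTIFICATE block, or holds a non-CA certificate is a startup error: failing loudly
// beats an operator believing a CA is trusted when it is not.
func LoadExtraCAs(base *x509.CertPool, dir string) (*x509.CertPool, []AddedCA, error) {
	if base == nil {
		base = x509.NewCertPool()
	}
	entries, err := os.ReadDir(dir)
	if errors.Is(err, os.ErrNotExist) {
		return base, nil, nil
	}
	if err != nil {
		return nil, nil, fmt.Errorf("read extra CA dir %s: %w", dir, err)
	}
	var added []AddedCA
	for _, e := range entries {
		ext := strings.ToLower(filepath.Ext(e.Name()))
		if e.IsDir() || (ext != ".pem" && ext != ".crt") {
			continue // only the documented extensions are picked up
		}
		path := filepath.Join(dir, e.Name())
		data, err := os.ReadFile(path)
		if err != nil {
			return nil, nil, err
		}
		found := 0
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				continue
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, nil, fmt.Errorf("%s: %w", path, err)
			}
			if !cert.IsCA { // a leaf dropped into the trust directory is almost always a mistake
				return nil, nil, fmt.Errorf("%s: %s is not a CA certificate", path, cert.Subject)
			}
			found++
			base.AddCert(cert)
			rec := AddedCA{File: path, Subject: cert.Subject.String(), Fingerprint: Fingerprint(cert.Raw)}
			added = append(added, rec)
			log.Printf("httpclient: trusting extra CA %q sha256=%s (%s)", rec.Subject, rec.Fingerprint, rec.File)
		}
		if found == 0 {
			return nil, nil, fmt.Errorf("%s: no CERTIFICATE blocks found", path)
		}
	}
	return base, added, nil
}

// NewTestCertPEM builds a constructed self-signed certificate for demonstration only;
// isCA toggles the BasicConstraints CA flag so the non-CA rejection can be exercised.
func NewTestCertPEM(cn string, isCA bool) ([]byte, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, nil
}

func main() {
	dir := "/etc/nuts/http-trust.d" // hypothetical value of httpclient.tls.extracertsdir
	system, err := x509.SystemCertPool()
	if err != nil {
		log.Fatal(err)
	}
	pool, added, err := LoadExtraCAs(system, dir)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%d extra CA(s) appended to the OS pool\n", len(added))
	// The OAuth2 / OpenID4VCI transport would be built on this config; gRPC keeps its own truststore.
	_ = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}
```

The pool is built once at startup and handed only to the HTTP client's tls.Config, so the gRPC trust bundle (tls.truststorefile) is untouched, matching the "do not conflate" note above; logging the fingerprint rather than just the subject lets an operator match the log line against `openssl x509 -fingerprint -sha256` on the file they mounted.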

Out of scope

  • Hot reload (restart is fine).
  • Affecting the gRPC trust bundle (tls.truststorefile).
  • Per-endpoint trust scoping.

Context

Surfaced while integrating with AORTA-GtK; patched by rebuilding the image — not sustainable.
