Just a warning -- the Dec 2014 release of Mozilla::CA removes one (or more) root CAs that are still in use by SSL certs in the wild, including Flickr, Paypal and Amazon AWS. Discovered while trying to work out why I was getting so many failure reports from CPAN.