-# Put client certificates into their own package so we can avoid
-# duplicates of them for e.g. cluster clients. Longer term this
-# will need to be revisited.
-PACKAGE_BEFORE_PN += "${PN}-client-certificates"
+# Put certificates into their own packages so we can avoid duplicates
+# of them for e.g. cluster clients, and so downstream users can
+# replace them with their own certificates.
+#
+# NOTE:
+# Downstream users can replace these packages with alternates by
+# having their packages set their RPROVIDES to include the desired
+# kuksa-val-certificates-* and explicitly adding their package(s)
+# to an image, they will end up getting priority during rootfs
+# construction and installed instead of the default ones here.
+
+PACKAGE_BEFORE_PN += "${PN}-certificates-ca ${PN}-certificates-server ${PN}-certificates-client"