Have htdestroytoken handle CA cert path and file

htdestroytoken

@@ -19,13 +19,20 @@ usage()
 VERBOSE=true
 RMREFRESH=false
 HTGETOPTS=""
+CAFILE=""
+CAPATH="${X509_CERT_DIR:-/etc/grid-security/certificates}"
 for ARG; do
     case $ARG in
         -h) usage;;
         -q) VERBOSE=false; HTGETOPTS="$HTGETOPTS -q";;
         -f) RMREFRESH=true;;
         *)  if $RMREFRESH; then
                 HTGETOPTS="$HTGETOPTS $ARG"
+                if [[ "$ARG" = "--cafile="* ]]; then
+                    CAFILE="${ARG#--cafile=}"
+                elif [[ "$ARG" = "--capath="* ]]; then
+                    CAPATH="${ARG#--capath=}"
+                fi
             else
                 usage
             fi;;
@@ -54,8 +61,15 @@ if $RMREFRESH && [ -f "$VTFILE" ]; then
         echo "  at path $BEARERURL"
     fi
     # be careful to not let the vault token show up in a ps list; send to stdin
+    CURLOPTS="-q -f -m 5"
+    if [ -n "$CAFILE" ]; then
+        CURLOPTS="$CURLOPTS --cacert $CAFILE"
+    fi
+    if [ -n "$CAPATH" ]; then
+        CURLOPTS="$CURLOPTS --capath $CAPATH"
+    fi
     if ! (echo -n "X-Vault-Token: ";cat $VTFILE) | \
-                curl -q -f -m 5 -H @- -X DELETE "$BEARERURL"; then
+                curl $CURLOPTS -H @- -X DELETE "$BEARERURL"; then
         echo "$ME: Unable to delete refresh token" >&2
         exit 3
     fi

htgettoken.spec

@@ -77,6 +77,10 @@ rm -rf $RPM_BUILD_ROOT
 
 # - Have htdecodetoken take advantage of new scitokens-verify ability
 #   to read from stdin, when available.
+# - Add support in htdestroytoken -f for getting a CA cert directory
+#   from ${X509_CERT_DIR:-/etc/grid-security/certificates} or from 
+#   a --capath option, and to get a CA cert file from a --cafile option,
+#   mirroring the behavior of htgettoken.
 
 * Mon Dec  1 2025 Dave Dykstra <dwd@fnal.gov> 2.5-1
 - Add htdestroytoken -f option to force a removal of a refresh token in