Comment 3 for bug 1135163

Colin Watson (cjwatson) wrote :

I looked into the debootstrap side of this, and thought about having debootstrap install apt-transport-https if installing from an HTTPS mirror. (At the moment it observes that apt can't handle HTTPS by itself and configures the end result to use an HTTP mirror, although it does manage to do the actual bootstrap from HTTPS.)

The tricky bit here is that we'd also need to copy in any relevant certificates. With the work I've been doing recently (https://lists.debian.org/debian-boot/2014/02/msg00084.html etc.), it's possible to build d-i with the necessary certificates for your local mirror, so they'll be in /usr/lib/ssl/certs/; we could just copy the contents of that directory across. On the other hand, if you're debootstrapping from a full Unix system which just happens not to have the Debian keyring installed, there might be quite a lot of certificates in that directory, and we can't tell which is used.

To avoid this problem, I think it's best to handle the installation of apt-transport-https and the certificate copying in base-installer instead. That way we know it's d-i-specific and that any certificates we find are ones that the person who prepared the installation medium explicitly wanted.