>If you don't trust the official client, why do you trust them to be your certificate authority?

I took the OP to mean e.g. editing configuration files correctly, rather than a question of the code itself being compromised.

In other words, a concern about day-to-day coding rather than security.