The usecase I saw had a hash with Certificate, PKey and X509::Store marshaled. Does the latter work? See sidekiq/sidekiq#4531

Certificate support was done in #281 where my use case was dumping certificates and CRLs in a Rails cache, public/private keys done here fit that as well.

X509::Store doesn't implement to_der and since it allows setting a verify_callback proc/lamdba it's not easily possible either. Outside of using Marshal as a deep cloning mechanism I'm not sure why one would need it in practice. It's a wrapper around an array of trusted certificates (@chain) and some ephemeral verification state.

It seems to me it's safer for Sidekiq to selectively clone objects being scrubbed. Otherwise you keep playing whack-a-mole with random objects not implementing the Marshal interface.