
Re: About GPG-signing the public RSA keys of Debian machines



On Wed, Oct 11, 2006 at 09:22:49PM +0200, Florent Rougon wrote:
> Hi,
> 
> I appreciate your help (Joerg, David and Kurt), but there is still a
> problem to solve before I can trust my connection to db.debian.org via
> HTTPS.
> 
> Kurt Roeckx <kurt@roeckx.be> wrote:
> 
> > So Joerg just replaced them with the new ones:
> > http://www.spi-inc.org/secretary/spi-ca.crt
> > http://www.spi-inc.org/secretary/spi-ca.crt.fingerprint.txt
> 
> OK, I downloaded these, verified the first using the second, and
> imported the first one in both firefox and galeon.
> 
> Then, when I point galeon or firefox to https://db.debian.org/, I get
> the usual message saying the certificate is not trusted. The reason is
> that the certificate I imported
> (http://www.spi-inc.org/secretary/spi-ca.crt) is *not* the same as the
> one advertised by db.debian.org: the former expires in 2016 (!) and has
> the following SHA1 fingerprint:

The certificate for db.debian.org is still signed by the old key.

> > They're both part of the ca-certificates package in testing and
> > unstable:
> > new: /etc/ssl/certs/SPI_CA_2006-cacert.pem
> > old: /etc/ssl/certs/spi-ca.pem
> 
> It appears that http://www.spi-inc.org/secretary/spi-ca.crt and
> /etc/ssl/certs/SPI_CA_2006-cacert.pem are exactly the same files.
> Why do they have different extensions? This is very confusing.

So you need /etc/ssl/certs/spi-ca.pem, and not
/etc/ssl/certs/SPI_CA_2006-cacert.pem.  Importing that works for me, but
I suggest you import both now.

"pem" is the file format, and most files in /etc/ssl/certs have that
extension; certificates will be in that file format.  The .crt
extension is usually used to say it's a certificate, and not the
private key or something.

Afaik, most files in /usr/share/ca-certificates will have a .crt
extension, and most files in /etc/ssl/certs/ will have a .pem extension
and be a symlink to a file in /usr/share/ca-certificates.

> >>   % md5sum /etc/ssl/certs/spi-ca.pem
> >>   33922a1660820e44812e7ddc392878cb  /etc/ssl/certs/spi-ca.pem
> >
> > As pointed out by others, you can get to it using openssl.
> 
> I had thought about that, but grepping for fingerprint in openssl(1ssl)
> doesn't bring anything. :-(

See man x509(1ssl).  openssl has a lot of subcommands, each having its
own manpage.  If you don't know what you're looking for, it might be
hard to find.


Kurt
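The fingerprint check discussed above, as an added example that is not part of this thread and not openssl's own code: it hashes the DER bytes the way `openssl x509 -noout -fingerprint -sha1` does (so the digest is the same whether the file is called spi-ca.crt or SPI_CA_2006-cacert.pem, and differs from `md5sum` of the PEM file), then compares against a published fingerprint line. Only the standard library is used; the function names and the SAMPLE_DER placeholder bytes are assumptions, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Regex for the first PEM certificate block; surrounding text (e.g. an
# `openssl x509 -text` dump) is ignored, as openssl itself does.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of the certificate in `data` (PEM or raw DER)."""
    m = _PEM_BLOCK.search(data)
    if m is None:
        if data[:1] == b"\x30":           # DER SEQUENCE tag: already binary
            return data
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(b"".join(m.group(1).split()))

def fingerprint(data: bytes, algo: str = "sha1") -> str:
    """Digest of the DER in openssl's display form, e.g. 'AB:CD:...'.
    The hash covers the DER, never the PEM file, so md5sum(file) is not it."""
    hexdigest = hashlib.new(algo, pem_to_der(data)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_published(text: str) -> str:
    """Extract the hex digest from a published fingerprint file; accepts
    openssl's 'SHA1 Fingerprint=AB:CD:...' line or a bare hex string."""
    m = re.search(r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+|[0-9A-Fa-f]{32,})", text)
    if m is None:
        raise ValueError("no fingerprint found in published text")
    return m.group(1).replace(":", "").upper()

def matches(cert: bytes, published: str, algo: str = "sha1") -> bool:
    """True iff the certificate's digest equals the published one."""
    expected = parse_published(published)
    actual = fingerprint(cert, algo).replace(":", "")
    return hmac.compare_digest(expected, actual)   # constant-time compare

# Constructed placeholder bytes standing in for a DER certificate (not a
# real certificate); the same bytes wrapped as PEM model spi-ca.crt/.pem.
SAMPLE_DER = b"\x30\x10" + bytes(range(16))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Pass the bytes of the downloaded .crt/.pem file as `cert` and the contents of the .fingerprint.txt file as `published`; `matches()` returns False rather than raising when the digests disagree.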


