Re: About GPG-signing the public RSA keys of Debian machines
Kurt Roeckx <kurt@roeckx.be> wrote:
> The certificate for db.debian.org is still signed by the old key.
Mmmm.
>> > They're both part of the ca-certificates package in testing and
>> > unstable:
>> > new: /etc/ssl/certs/SPI_CA_2006-cacert.pem
>> > old: /etc/ssl/certs/spi-ca.pem
>>
>> It appears that http://www.spi-inc.org/secretary/spi-ca.crt and
>> /etc/ssl/certs/SPI_CA_2006-cacert.pem are exactly the same files.
>> Why do they have different extensions? This is very confusing.
>
> So you need /etc/ssl/certs/spi-ca.pem, and not
whose fingerprints are GPG-signed here:
http://www.spi-inc.org/secretary/spi-ca-old-fingerprint.txt
(by Wichert Akkerman). Good.
> /etc/ssl/certs/SPI_CA_2006-cacert.pem. Importing that works for me, but
> I suggest you import both now.
OK, this works fine.
> "pem" is the file format, and most files in /etc/ssl/certs have that
> extension, certificates will be in that file format. The .crt
> extension is usually used to say it's a certificate, and not the
> private key or something.
Hmmm, I see. Still a mess, though...
> See man x509(1ssl). openssl has a lot of subcommands, each having its
> own manpage. If you don't know what you're looking for, it might be
> hard to find.
Quite true. Once, I started reading openssl(1ssl), but found that very
difficult to understand if you aren't already knowledgeable about SSL,
certificates and such.
Thanks for the pointers!
--
Florent
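
Added example, not part of the original thread: the thread's point that a .crt and a .pem file can hold the same certificate, and that trust comes from matching a signed fingerprint rather than from the file name, shown as a fingerprint check over the decoded DER bytes. All function names are hypothetical, the sample bytes are constructed placeholders rather than a real certificate, and the trusted fingerprint is assumed to come from a fingerprint file whose GPG signature has already been verified.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """Return the DER bytes of each CERTIFICATE block found in PEM text."""
    # Base64 line length and CRLF/LF differences do not change the DER bytes.
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]

def fingerprint(der, algo="sha1"):
    """Digest of the DER encoding, in colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(fp):
    """Strip separators and case so 'ab:cd' and 'ABCD' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def is_trusted(pem_text, trusted_fingerprints, algo="sha1"):
    """True only if the text holds certificates and all are in the trusted list."""
    trusted = {normalise(fp) for fp in trusted_fingerprints}
    ders = pem_to_der(pem_text)
    return bool(ders) and all(
        normalise(fingerprint(d, algo)) in trusted for d in ders)

def wrap_pem(der, width, newline):
    """Build PEM text for the constructed sample below."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

# Constructed sample: placeholder bytes standing in for a certificate's DER.
SAMPLE_DER = bytes(range(256)) * 3
AS_CRT = wrap_pem(SAMPLE_DER, 64, "\n")    # as it might be served as "x.crt"
AS_PEM = wrap_pem(SAMPLE_DER, 76, "\r\n")  # same certificate saved as "x.pem"
# Stands in for a value read from a fingerprint file whose GPG signature
# has already been verified (lower-case, no colons, to show normalisation).
SIGNED_FP = hashlib.sha1(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    print(fingerprint(pem_to_der(AS_CRT)[0]) == fingerprint(pem_to_der(AS_PEM)[0]))
    print(is_trusted(AS_PEM, [SIGNED_FP]))
```

The two sample files differ byte for byte on disk yet yield one fingerprint, because the digest is taken over the decoded DER and not over the PEM text.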