
Re: About GPG-signing the public RSA keys of Debian machines



Kurt Roeckx <kurt@roeckx.be> wrote:

> The certificate for db.debian.org is still signed by the old key.

Mmmm.

>> > They're both part of the ca-certificates package in testing and
>> > unstable:
>> > new: /etc/ssl/certs/SPI_CA_2006-cacert.pem
>> > old: /etc/ssl/certs/spi-ca.pem
>> 
>> It appears that http://www.spi-inc.org/secretary/spi-ca.crt and
>> /etc/ssl/certs/SPI_CA_2006-cacert.pem are exactly the same files.
>> Why do they have different extensions? This is very confusing.
>
> So you need /etc/ssl/certs/spi-ca.pem, and not

whose fingerprints are GPG-signed here:

  http://www.spi-inc.org/secretary/spi-ca-old-fingerprint.txt

(by Wichert Akkerman). Good.

> /etc/ssl/certs/SPI_CA_2006-cacert.pem.  Importing that works for me, but
> I suggest you import both now.

OK, this works fine.

> "pem" is the file format, and most files in /etc/ssl/certs have that
> extension, certificates will be in that file format.  The .crt
> extension is usually used to say it's a certificate, and not the
> private key or something.

Hmmm, I see. Still a mess, though...

> See man x509(1ssl).  openssl has a lot of subcommands, each having its
> own manpage.  If you don't know what you're looking for, it might be
> hard to find.

Quite true. Once, I started reading openssl(1ssl), but found that very
difficult to understand if you aren't already knowledgeable about SSL,
certificates and such.

Thanks for the pointers!

-- 
Florent
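
Added example, not part of the original message: a certificate fingerprint is a digest of the DER encoding, so the same certificate stored as .crt or .pem, with different line wrapping or line endings, gives the same fingerprint and can be checked against a fingerprint list. The sample bytes and the fingerprint text are constructed, and the list is assumed to have been verified with gpg --verify beforehand.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
FPR = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}\b")

def der_certs(data):
    """Return the DER bytes of every certificate in a PEM or DER file."""
    bodies = PEM_CERT.findall(data)
    if bodies:  # PEM: base64 of the DER between the markers
        return [base64.b64decode(b"".join(b.split())) for b in bodies]
    if data[:1] == b"\x30":  # raw DER starts with an ASN.1 SEQUENCE tag
        return [data]
    raise ValueError("no certificate found")

def fingerprint(der, algo="sha1"):
    """Digest of the DER encoding, formatted AA:BB:..."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def trusted_fingerprints(text):
    """Pull colon-separated fingerprints out of an already-verified text."""
    return {f.upper() for f in FPR.findall(text)}

def file_is_trusted(data, trusted, algo="sha1"):
    """True only if every certificate in the file is on the trusted list."""
    return all(fingerprint(d, algo) in trusted for d in der_certs(data))

def to_pem(der, width=64, newline=b"\n"):
    """Wrap DER bytes as PEM (used here only to build the sample files)."""
    b64 = base64.b64encode(der)
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        [b"-----BEGIN CERTIFICATE-----", *rows, b"-----END CERTIFICATE-----", b""])

# Constructed stand-in for a certificate's DER bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x12" + bytes(range(256)) + b"constructed sample"
AS_CRT = to_pem(SAMPLE_DER)                              # e.g. a .crt download
AS_PEM = b"comment line\r\n" + to_pem(SAMPLE_DER, 76, b"\r\n")  # e.g. a .pem
# Constructed fingerprint list, assumed already checked with gpg --verify.
SIGNED_TEXT = "SHA1 Fingerprint=" + fingerprint(SAMPLE_DER).lower() + "\n"

if __name__ == "__main__":
    for name, blob in (("crt", AS_CRT), ("pem", AS_PEM), ("der", SAMPLE_DER)):
        print(name, fingerprint(der_certs(blob)[0]),
              file_is_trusted(blob, trusted_fingerprints(SIGNED_TEXT)))
```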


