
manually adding root certificates



Hi,

does anyone here have experience with adding CA certificates to Debian?
My ISP is using "USERTrust Legacy Secure Server CA" as its issuer and
that CA does not appear to be included in ca-certificates.

I have not been able to find the corresponding certificate via UTN's
(now Comodo's) website, I had to use a search engine to point me to
tbs-x509.com to find the certificate. So much for trustworthiness...
Anyway, the certificate appears legit since it does complete the
certificate chain:

:~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts -CApath .
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
verify return:1
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
verify return:1
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify return:1
[..]
    Verify return code: 0 (ok)

Now, according to /usr/share/doc/ca-certificates/README.Debian I should
be able to drop this certificate in /usr/local/share/ca-certificates,
run update-ca-certificates and be done with it. But this does not
appear to be sufficient, because I still get this:

:~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify error:num=21:unable to verify the first certificate
verify return:1
[..]
    Verify return code: 21 (unable to verify the first certificate)


Oddly enough (for me at least), when I manually specify the CApath to
the system default, it does work:
:~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts -CApath /etc/ssl/certs/
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
verify return:1
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
verify return:1
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify return:1

:~/tst$ openssl verify /etc/ssl/certs/USERTrustLegacySecureServerCA.pem
/etc/ssl/certs/USERTrustLegacySecureServerCA.pem: OK

