
RE: manually adding root certificates



[mental note: ctrl+enter in claws is a shortcut for "send message". Do not use]

Hi,

does anyone here have experience with adding CA certificates to Debian? My ISP is using "USERTrust Legacy Secure Server CA" as its issuer and that CA does not appear to be included in ca-certificates.

I have not been able to find the corresponding certificate via UTN's (now Comodo's) website; I had to use a search engine to point me to tbs-x509.com to find the certificate. So much for trustworthiness... anyway, the certificate appears legit since it does complete the certificate chain:

:~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts -CApath .
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
verify return:1
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
verify return:1
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify return:1
[..]
    Verify return code: 0 (ok)

Now, according to /usr/share/doc/ca-certificates/README.Debian I should be able to drop this certificate in /usr/local/share/ca-certificates, run update-ca-certificates and be done with it. But this does not appear to be sufficient, because I still get this:

:~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify error:num=21:unable to verify the first certificate
verify return:1
[..]
    Verify return code: 21 (unable to verify the first certificate)


Oddly enough (for me at least), when I manually specify the CApath to the system default, it does work:

:~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts -CApath /etc/ssl/certs/
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
verify return:1
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
verify return:1
depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
verify return:1

:~/tst$ openssl verify /etc/ssl/certs/USERTrustLegacySecureServerCA.pem
/etc/ssl/certs/USERTrustLegacySecureServerCA.pem: OK


So, the correct certificate appears to be installed in /etc/ssl/certs, it appears to be valid, yet I cannot connect unless I specify an explicit path to the certificate file. What am I missing here?


Regards,
Arno

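The mail above describes the Debian procedure (drop the CA into /usr/local/share/ca-certificates, run update-ca-certificates, expect /etc/ssl/certs to pick it up) and then shows openssl s_client behaving differently with and without an explicit -CApath. The script below is an added example, not part of the original mail or of the ca-certificates package: it collects the pre-flight checks a practitioner would run before blaming the trust store. It assumes the documented ca-certificates conventions (local CAs are only processed when the file name ends in .crt and the content is PEM; update-ca-certificates creates <subject_hash>.N symlinks in /etc/ssl/certs) and that openssl's built-in default directory is OPENSSLDIR/certs as reported by `openssl version -d`. The function and variable names are the example's own; the directory defaults can be overridden with CA_LOCAL_DIR and CA_STORE_DIR.

```shell
#!/bin/sh
# Added example (not from the mail): pre-flight checks for a manually added
# CA certificate on a Debian-style system. Assumed conventions:
#   - update-ca-certificates only picks up /usr/local/share/ca-certificates/*.crt
#   - the file must be PEM, not DER
#   - the resulting store (/etc/ssl/certs) holds <subject_hash>.N symlinks,
#     which is what openssl -CApath looks up
CA_LOCAL_DIR="${CA_LOCAL_DIR:-/usr/local/share/ca-certificates}"
CA_STORE_DIR="${CA_STORE_DIR:-/etc/ssl/certs}"

# 1. A CA dropped in place as .pem or .cer is silently ignored; it must be .crt.
ca_name_ok() {
    case "$1" in
        *.crt) return 0 ;;
        *)     return 1 ;;
    esac
}

# 2. The file must be a PEM certificate (a DER blob is ignored as well).
ca_is_pem() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# 3. After update-ca-certificates the store should contain a <hash>.N link for
#    this CA; without it, -CApath verification cannot find the issuer.
#    Returns 2 when openssl is unavailable, so the caller can tell "not checked"
#    from "missing".
ca_hash_link_present() {
    command -v openssl >/dev/null 2>&1 || return 2
    hash=$(openssl x509 -noout -subject_hash -in "$1" 2>/dev/null) || return 2
    ls "$CA_STORE_DIR"/"$hash".[0-9] >/dev/null 2>&1
}

# 4. Where openssl looks when no -CApath/-CAfile is given: OPENSSLDIR/certs.
#    Printing it lets you compare the implicit and explicit runs from the mail.
openssl_default_certs_dir() {
    command -v openssl >/dev/null 2>&1 || { echo "unknown"; return 2; }
    dir=$(openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    echo "${dir}/certs"
}

# Runs the offline checks (1 and 2) on one file; returns 0 only if both pass.
check_local_ca() {
    f="$1"
    rc=0
    ca_name_ok "$f" || { echo "FAIL: $f does not end in .crt"; rc=1; }
    ca_is_pem  "$f" || { echo "FAIL: $f is not a PEM certificate"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $f passes the ca-certificates naming/format checks"
    return $rc
}

# Typical use on a real host (needs root for the install step):
#   sudo cp UserTrustLegacy.pem "$CA_LOCAL_DIR/UserTrustLegacy.crt"
#   check_local_ca "$CA_LOCAL_DIR/UserTrustLegacy.crt" && sudo update-ca-certificates
#   ca_hash_link_present "$CA_LOCAL_DIR/UserTrustLegacy.crt" && echo "hash link present"
#   echo "default dir: $(openssl_default_certs_dir)"
```

The two offline checks catch the most common reason a local CA never shows up in /etc/ssl/certs (wrong extension or DER encoding); the hash-link check tells you whether update-ca-certificates actually produced an entry openssl can find, and the last function shows which directory an s_client run without -CApath is really consulting, so the implicit and explicit runs can be compared on the same host.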