
Re: manually adding root certificates



Hi,

apologies for the delay, your response did an ACME ink on me :)

Camaleón (noelamac@gmail.com on 2011-07-24 16:48 +0000):
> On Sun, 24 Jul 2011 17:35:10 +0200, Arno Schuring wrote:
> 
> > does anyone here have experience with adding CA certificates to
> > Debian? My ISP is using "USERTrust Legacy Secure Server CA" as its
> > issuer and that CA does not appear to be included in
> > ca-certificates.
> 
> (...)
> 
> > Now, according to /usr/share/doc/ca-certificates/README.Debian I
> > should be able to drop this certificate
> > in /usr/local/share/ca-certificates, run update-ca-certificates and
> > be done with it. But this does not appear to be sufficient, because
> > I still get this:
> 
> (...)
> 
> Just for testing purposes... have you tried to drop the cert file
> under "/usr/share/ca-certificates" (I mean, instead using the
> "local" dir) and then run "update-ca-certificates"?

Yes. Dropping it there had no effect, until I explicitly added the
filename to ca-certificates.conf. Then, it had the same effect as
adding it to /usr/local (I actually went that route before RTFM, as a
good admin should :)

> 
> (...)
> 
> > :~/tst$ openssl verify /etc/ssl/certs/USERTrustLegacySecureServerCA.pem
> > /etc/ssl/certs/USERTrustLegacySecureServerCA.pem: OK
> 
> ls -l /etc/ssl/certs | grep -i usertrust
lrwxrwxrwx 1 root root    33 Jul 24 17:30 cf831791.0 -> USERTrustLegacySecureServerCA.pem
lrwxrwxrwx 1 root root    66 Jul 24 17:30 USERTrustLegacySecureServerCA.pem -> /usr/local/share/ca-certificates/USERTrustLegacySecureServerCA.crt

To make matters more interesting, it would appear that fetchmail
accepts the certificate even though openssl still complains that it is
unable to verify the signature. I've now done the same test with
gmail's service, and I get roughly the same result:


$ openssl s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0

$ openssl s_client -connect pop.gmail.com:995 -showcerts -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
verify return:1


So I guess the original question is solved, "put the certificate
in /usr/local/share/ca-certificates" is really the correct solution.
But then there are two more questions open:
- why does openssl respond differently when I specify a CApath that
should be the system default?
- what is the correct way to check whether a ca-certificate is
installed correctly?


Regards,
Arno
