|
On 13.04.2019 21:20, Tyler A wrote:
Yes, my mistake, I've neglected that and now was able to repro your issue.On 13/4/19 3:57 pm, Alexander V. Makartsev wrote:On 13.04.2019 19:40, Tyler A wrote:Hi, I had trouble visiting these two websites in Firefox, Epiphany and verifying with OpenSSL. - Births Deaths and Marriages (Government of South Australia) https://bdm.cbs.sa.gov.au/bdmsaonline/dbweb.asp?dbcgm=1&prprc=oac - Hostplus Superannuation Fund https://hostplus.com.au/ ...I can access both sites without any problems with my browser (Firefox).Keep in mind, you must do this in a new profile. If you've ever visited a website which has used the certificate it will be cached, and the site will work. As for your question about certificate installation. Apparently (I hope somebody will correct me on that), p11-kit doesn't provide a writable software pkcs#11 token for user to add/remove CA certificates, but 'gnome-keyring' does, and you should use it if you want to work with personal certificates, private keys, etc. However, most applications won't recognize the objects from gnome-keyring pkcs#11 module automatically and should be configured to use it by providing correct pkcs#11 module URI. So, that aside, in order to add CA certificates to "System Trust" token, provided by "p11-kit-trust" pkcs#11 module, you have to use "update-ca-certificates" utility. 1. Download CA certificates. 2. Process them with "openssl" to make them trusted and put them in special folder recognized by "update-ca-certificates" utility. $ sudo openssl x509 -inform der -in ./ThawteRSACA2018.crt -trustout -out /usr/local/share/ca-certificates/ThawteRSACA2018.crt $ sudo openssl x509 -inform der -in ./GeoTrustRSACA2018.crt -trustout -out /usr/local/share/ca-certificates/GeoTrustRSACA2018.crt 3. Start "update-ca-certificates" utility $ sudo update-ca-certificates -f 4. Check that certificates were added with "trust" utility. $ trust list --filter=ca-anchors --purpose=server-auth | egrep "GeoTrust RSA CA 2018|Thawte RSA CA 2018" label: GeoTrust RSA CA 2018 label: Thawte RSA CA 2018 That is it. Now a few remarks. Mozilla Firefox uses it's own NSS DB to store certificates and don't use other pkcs#11 modules and tokens, such as "System Trust", by default, so you have to configure it. In Firefox browser, open "Preferences" >> "Privacy & Security", click "Security Devices" and click "Load". Type in module name and module path: Name: "p11-kit-trust PKCS#11 Module" Path: "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so" New module should appear on the left pane with "System Trust" token. If you select it, it will have "/etc/ssl/certs/ca-certificates.crt" in its Description. After that, problem sites should work without any additional actions. Any program that automatically uses compiled certificates in "/etc/ssl/certs/ca-certificates.crt" (updated by "update-ca-certificates"), like curl, wget, openssl, etc, should work with those sites too. Additionally you can specify a pkcs#11 token URI to use in their command line parameters: $ p11tool --list-tokens Token 0: URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust Label: System Trust Type: Trust module Manufacturer: PKCS#11 Kit Model: p11-kit-trust Serial: 1 Module: p11-kit-trust.so I got the same certificates from a European VPN as I did from in Australia (not what you got) which appears to be a CDN. -- With kindest regards, Alexander. ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org ⠈⠳⣄⠀⠀⠀⠀ |