
Re: Correct way to install Intermediate certificates in Debian



On 15/4/19 11:36 am, Alexander V. Makartsev wrote:
>> On 13.04.2019 23:21, Tyler A wrote:
>> I found a temporary solution that at least lets me visit the sites in Firefox.
>>
>> However this doesn't fix OpenSSL (thus things like curl, wget).
>>
>> #!/usr/bin/env bash
>>
>> # certutil is shipped in libnss3-tools
>> sudo apt-get install libnss3-tools
>>
>> downloadCerts=(http://cacerts.thawte.com/ThawteRSACA2018.crt
>>                http://cacerts.geotrust.com/GeoTrustRSACA2018.crt)
>>
>> wget -c "${downloadCerts[@]}"
>>
>> for f in *.crt; do
>>     fbasename=${f%.crt}
>>     # the downloaded intermediates are DER; certutil wants PEM
>>     openssl x509 -inform der -outform pem -in "$f" -out "$fbasename".pem
>>     # import into every NSS profile database (cert9.db) under $HOME
>>     find ~ -name cert9.db -printf '%h\0' |
>>     while IFS= read -rd '' certDir; do
>>         certutil -A -n "${fbasename}" -t "TCu,Cuw,Tuw" -i "${fbasename}".pem -d sql:"$certDir"
>>     done
>> done
>
> This script imports certificates into Mozilla Firefox own NSS DB.
> You can do the same procedure more easily in Firefox GUI with
> "Certificate Manager". ("Preferences" >> "Privacy & Security", click
> "View Certificates")

Yes, I know. I wrote it :), it was an improved version of https://stackoverflow.com/a/48424709

On 15/4/19 11:29 am, Alexander V. Makartsev wrote:
> Yes, my mistake, I've neglected that and now was able to repro your issue.
> As for your question about certificate installation. Apparently (I hope somebody will correct me on that),
> p11-kit doesn't provide a writable software pkcs#11 token for user to add/remove CA certificates, but
> 'gnome-keyring' does, and you should use it if you want to work with personal certificates, private keys, etc.

Ah yes. I have that and gnome-keyring and polkit-gnome on my Archlinux machine.

I should mention, it appears hostplus.com.au has fixed their site and it
now issues the certificate so we can no longer test against that.

If you look at the ssllabs.com test it now says (whereas they were both
Incomplete before):

Sent by server 	GeoTrust RSA CA 2018
Chain issues 	Incorrect order, Contains anchor

Whereas if you look at bdm.cbs.sa.gov.au

Extra download 	Thawte RSA CA 2018
Chain issues 	Incomplete

The latter one still doesn't work so we can test with that.

> However, most applications won't recognize the objects from gnome-keyring pkcs#11 module automatically and
> should be configured to use it by providing correct pkcs#11 module URI.
> 
> So, that aside, in order to add CA certificates to "System Trust" token,
> provided by "p11-kit-trust" pkcs#11 module,
> you have to use "update-ca-certificates" utility.
> 1. Download CA certificates.
> 2. Process them with "openssl" to make them trusted and put them in special folder recognized by "update-ca-certificates" utility.
>     $ sudo openssl x509 -inform der -in ./ThawteRSACA2018.crt -trustout -out /usr/local/share/ca-certificates/ThawteRSACA2018.crt
>     $ sudo openssl x509 -inform der -in ./GeoTrustRSACA2018.crt -trustout -out /usr/local/share/ca-certificates/GeoTrustRSACA2018.crt
> 
> 3. Start "update-ca-certificates" utility
>     $ sudo update-ca-certificates -f
> 
> 4. Check that certificates were added with "trust" utility.
>     $ trust list --filter=ca-anchors --purpose=server-auth | egrep "GeoTrust RSA CA 2018|Thawte RSA CA 2018"
>         label: GeoTrust RSA CA 2018
>         label: Thawte RSA CA 2018
>
> That is it. Now a few remarks. Mozilla Firefox uses its own NSS DB to store certificates and doesn't use other pkcs#11 modules and tokens, such as "System Trust", by default, so you have to configure it.
> In Firefox browser, open "Preferences" >> "Privacy & Security", click "Security Devices" and click "Load".
> Type in module name and module path:
>     Name: "p11-kit-trust PKCS#11 Module"
>     Path: "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so"
> New module should appear on the left pane with "System Trust" token. If you select it, it will have "/etc/ssl/certs/ca-certificates.crt" in its Description.
> After that, problem sites should work without any additional actions.
> 
> Any program that automatically uses compiled certificates in "/etc/ssl/certs/ca-certificates.crt" (updated by "update-ca-certificates"), like curl, wget, openssl, etc, should work with those sites too.
> Additionally you can specify a pkcs#11 token URI to use in their command line parameters:
>     $ p11tool --list-tokens
>     Token 0:
>             URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
>             Label: System Trust
>             Type: Trust module
>             Manufacturer: PKCS#11 Kit
>             Model: p11-kit-trust
>             Serial: 1
>             Module: p11-kit-trust.so

On ArchLinux I noticed that under:

"Preferences" >> "Privacy & Security" >> "Security Devices" there is:

"Builtin Roots Module"
    /etc/ca-certificates/trust-source

Status        Ready
Description   /etc/ca-certificates/trust-source
Manufacturer  PKCS#11 Kit
HW Version    0.23
FW Version    0.0
Label         System Trust
Manufacturer  PKCS#11 Kit
Serial Number 1
HW Version    0.23
FW Version    0.0

I wonder if this has anything to do with the --with-system-nss[1] compile option?

I wrote this script which seems to work:

#!/usr/bin/env bash

downloadCerts=(http://cacerts.thawte.com/ThawteRSACA2018.crt)

wget -c "${downloadCerts[@]}"

# Convert each DER intermediate to a PEM "TRUSTED CERTIFICATE" in the
# directory update-ca-certificates scans (files there must end in .crt).
for f in *.crt; do
    sudo openssl x509 -inform der -in "$f" -trustout -out /usr/local/share/ca-certificates/"$f"
done

sudo update-ca-certificates -f

# Register the p11-kit-trust module in every NSS profile (pkcs11.txt)
# under $HOME, unless it is already listed there.
find ~ -name pkcs11.txt -printf '%h\0' |
    while IFS= read -rd '' pkcs11Files; do
        if grep -Fxq "name=p11-kit-trust PKCS#11 Module" "$pkcs11Files"/pkcs11.txt
        then
            echo "Not adding device to $pkcs11Files/pkcs11.txt"
        else
            echo "Adding device to $pkcs11Files/pkcs11.txt"
            cat <<EOF >> "$pkcs11Files"/pkcs11.txt

library=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
name=p11-kit-trust PKCS#11 Module
NSS=trustOrder=100
EOF
        fi
    done

[0]: https://support.mozilla.org/en-US/questions/1022183
[1]: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox#n86

-- 
Tyler (tya99)
rsa4096/0x9C9954F88E388859