
Re: update-ca-certificates



Pocket writes:

> On 12/14/23 08:11, Henning Follmann wrote:
>> On Wed, Dec 13, 2023 at 09:47:41PM -0500, Jeffrey Walton wrote:
>>> On Wed, Dec 13, 2023 at 7:55 PM Pocket <pocket@columbus.rr.com> wrote:
>>>> What formats do certs need to be in to work with update-ca-certificates?
>>>>
>>>> PEM or DER?
>>> PEM
>
> Well, let's look at man update-ca-certificates, shall we?
>
> "Certificates must have a .crt extension..."
>
> Let's have a look at some of the standards, shall we?
>
> https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
>
> A cert that has a suffix of .crt is in DER format by this convention. Maybe the script should actually look for PEM files?

The above linked page is not a standard. Additionally, it does not seem to support your claim and e.g. says as follows:

* “The DER certificate format stands for ‘distinguished encoding rules’. It is a binary form of PEM-formatted certificates containing all types of certificates and private keys. However, they usually use .cer and .der extensions.”
* “A PEM file contains ASCII encoding data, and the certificate files come in .pem, .crt, .cer, or .key formats.”

IOW per this source, `.crt` is a perfectly valid file extension for certificates in PEM format.

I'd be curious for some “standard” definition about these file extensions, because from what I have seen, the file extensions for certificates, keys and certificate signing requests are used quite chaotically: sometimes to encode either the intention (.pub, .priv, .cer, .csr) or the data format (.pem, .der), and sometimes there seems to be an intention to encode both some way, e.g. I've observed .pem for PEM certificates and .cer for DER-formatted certificates, which would be in line with the ssl.com link btw.

>>>> Should the suffix of the file be .pem as the certs that are referenced by the conf file seem to be in PEM format?
>>
>> Stick to what the program expects and use .crt
>
> Well yes, that would eliminate the confusion, and we can not have that, can we.

If there were some agreed-on standard to do this stuff, I would love to know about it. The closest things that I found by a cursory internet search were RFC2585 and RFC5280:

* https://datatracker.ietf.org/doc/html/rfc2585
* https://datatracker.ietf.org/doc/html/rfc5280

AFAIU they specify

* `.cer` for DER-encoded certificates
* `.crl` for DER-encoded certificate revocation lists
* `.p7c` for PKCS#7 encoded certificates

[...]

YMMV
Linux-Fan

öö
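Since the extension alone says nothing reliable about the encoding, the practical check is to look at the bytes. The following is an added example (not code from this thread, from update-ca-certificates, or from Debian): it decides whether a file holds PEM-armored or raw DER data by validating the outer ASN.1 SEQUENCE header and length, and then reports what would keep the file from being picked up correctly given the two expectations discussed above (the man page's `.crt` extension requirement and PEM content). The sample payloads are constructed toy SEQUENCEs, not real certificates, and the `openssl x509` conversion hint is a suggestion, not something the thread states.

```python
"""Detect PEM vs DER certificate encoding and check a file against what
update-ca-certificates expects (.crt name, PEM content)."""
import base64
import binascii
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_total_length(data: bytes):
    """Return header + content length of the outermost DER SEQUENCE in
    `data`, or None if it does not start with a well-formed SEQUENCE
    header. An X.509 certificate is a SEQUENCE, so byte 0 must be 0x30."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # 0x80 (indefinite) is BER, not DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der(data: bytes) -> bool:
    """True when the SEQUENCE header's declared length matches the data."""
    total = der_total_length(data)
    return total is not None and total == len(data)


def pem_blocks(data: bytes) -> list:
    """Base64-decode every CERTIFICATE armor block; an undecodable body
    becomes b'' so it fails the DER check in the caller."""
    blocks = []
    for body in PEM_RE.findall(data):
        try:
            blocks.append(base64.b64decode(b"".join(body.split()), validate=True))
        except binascii.Error:
            blocks.append(b"")
    return blocks


def detect_format(data: bytes) -> str:
    """'pem' for one or more valid PEM certificate blocks, 'der' for a
    single raw DER SEQUENCE, otherwise 'unknown'."""
    blocks = pem_blocks(data)
    if blocks and all(is_der(b) for b in blocks):
        return "pem"
    if is_der(data):
        return "der"
    return "unknown"


def check_for_update_ca_certificates(name: str, data: bytes) -> list:
    """Problems that would keep the file out of the trust store: the man
    page requires a .crt extension, and the store is assembled from PEM
    text, so DER bytes under a .crt name are the trap from the thread."""
    problems = []
    if not name.endswith(".crt"):
        problems.append("extension is not .crt; update-ca-certificates ignores it")
    fmt = detect_format(data)
    if fmt == "der":
        problems.append("content is DER; convert with "
                        "openssl x509 -inform DER -in <file> -out <file>.crt")
    elif fmt == "unknown":
        problems.append("content is neither PEM nor DER")
    return problems


# Constructed toy payloads (not real certificates): a SEQUENCE holding
# INTEGER 5 (short-form length) and a 260-byte SEQUENCE holding an OCTET
# STRING (long-form length, 0x82 = two length bytes follow).
TOY_DER_SHORT = bytes.fromhex("3003020105")
TOY_DER_LONG = b"\x30\x82\x01\x00" + b"\x04\x81\xfd" + b"\x00" * 253
TOY_PEM = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(TOY_DER_SHORT)
           + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print(path, detect_format(data),
              check_for_update_ca_certificates(path, data) or "ok")
```

Run it as `python3 certcheck.py /usr/local/share/ca-certificates/*.crt` to spot files that carry the right name but the wrong encoding. The length check matters: a DER blob with trailing garbage, or a truncated one, is rejected rather than passed through on the strength of its first byte.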


