
Re: update-ca-certificates



Sent from my iPad

> On Dec 14, 2023, at 2:23 PM, Linux-Fan <Ma_Sys.ma@web.de> wrote:
> 
> Pocket writes:
> 
>>> On 12/14/23 08:11, Henning Follmann wrote:
>>> On Wed, Dec 13, 2023 at 09:47:41PM -0500, Jeffrey Walton wrote:
>>>> On Wed, Dec 13, 2023 at 7:55 PM Pocket <pocket@columbus.rr.com> wrote:
>>>>> What formats does certs need to be to work with update-ca-certificates?
>>>>> 
>>>>> PEM or DER?
>>>> PEM
>>> Well, let's look at man update-ca-certificates, shall we?
>>> 
>>> "Certificates must have a .crt extension..."
>> 
>> Let's have a look at some of the standards, shall we?
>> 
>> https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
>> 
>> A cert that has a suffix of .crt is in DER format by this convention. Maybe the script should actually look for PEM files?
> 
> The above linked page is not a standard. Additionally, it does not seem to support your claim and e.g. says as follows:
> 
> * “The DER certificate format stands for “distinguished encoding rules.” It
>  is a binary form of PEM-formatted certificates containing all types of
>  certificates and private keys. However, they usually use .cer and .der extensions.”
> * “A PEM file contains ASCII encoding data, and the certificate files come
>  in .pem, .crt, .cer, or .key formats.”
> 
> IOW per this source, `.crt` is a perfectly valid file extension for certificates in PEM format.
> 
> I'd be curious for some “standard” definition about these file extensions because from what I have seen, the file extensions for certificates, keys and certificate signing requests are used quite chaotically sometimes to encode either the intention (.pub, .priv, .cer, .csr) or the data format (.pem, .der) and sometimes there seems to be an intention to encode both some way e.g. I've observed .pem for PEM certificates and .cer for DER-formatted certificates which would be in line with the ssl.com link btw.
> 
>> Should the suffix of the file be .pem as the certs that are referenced by the conf file seem to be in PEM format?
> 
> Stick to what the program expects and use .crt

OK, what format: DER, PEM or some form of PKC?

DER and PEM both use crt.

One cert per file or multiple?

Notice the docs do not specify.

How do the certs get processed, as different formats require different processes?


> 
>> Well yes, that would eliminate the confusion, and we cannot have that, can we?
> 
> If there were some agreed-on standard to do this stuff, I would love to know about it. The closest things that I found by a cursory internet search were RFC2585 and RFC5280:
> 
> * https://datatracker.ietf.org/doc/html/rfc2585
> * https://datatracker.ietf.org/doc/html/rfc5280
> 
> AFAIU they specify
> 
> * `.cer` for DER-encoded certificates
> * `.crl` for DER-encoded certificate revocation lists
> * `.p7c` for PKCS#7 encoded certificates

DER: .der and .crt

PEM: .pem and .crt

Docs should specify.

> 
> [...]
> 
> YMMV
> Linux-Fan
> 
> öö

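The questions left open in the message above (which encoding a file is in, whether a file may hold more than one cert, and what to do with a DER file when the tool wants a .crt) can be answered mechanically. The following is an added example, not code from the thread or from the ca-certificates package: it takes the thread's own answer (PEM content, .crt extension) as its assumption, sniffs whether a file is PEM or DER, re-encodes DER as PEM, splits a PEM bundle into one certificate per file, and writes each out as NAME-N.crt. The output directory argument and the NAME-N naming scheme are assumptions of this example, and the sample DER bytes are a constructed ASN.1 SEQUENCE, not a real certificate.

```python
"""Sort certificate files into PEM-with-.crt-extension form.

Added example (not from the thread or the ca-certificates package):
detect whether a file is PEM or DER, convert DER to PEM, split a PEM
bundle into one certificate per file, and write each as NAME-N.crt.
The destination directory and the NAME-N naming scheme are assumptions;
SAMPLE_DER below is a constructed SEQUENCE, not a real certificate.
"""
import base64
import re
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: DER SEQUENCE { INTEGER 5 }. Not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")


def der_outer_length(data: bytes):
    """Total encoded length of the outermost DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    nbytes = first & 0x7F                         # long-form: N length bytes
    if nbytes == 0 or len(data) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(data[2:2 + nbytes], "big")


def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'PEM', 'DER' or 'unknown'."""
    if PEM_BEGIN.encode() in data:
        return "PEM"
    # A DER certificate is one SEQUENCE whose declared length spans the file.
    if der_outer_length(data) == len(data):
        return "DER"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Base64-wrap DER bytes at 64 columns inside CERTIFICATE armour."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string back to DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def split_pem_bundle(text: str) -> list:
    """Return each certificate in a bundle as its own normalized PEM string.

    Comments between blocks and CRLF line endings are tolerated.
    """
    return [der_to_pem(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(text)]


def to_pem_list(data: bytes) -> list:
    """Whatever the input encoding, return a list of single-cert PEM strings."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return split_pem_bundle(data.decode("ascii", errors="replace"))
    if fmt == "DER":
        return [der_to_pem(data)]
    raise ValueError("unrecognized certificate encoding")


def install_as_crt(data: bytes, name: str, destdir) -> list:
    """Write each certificate as NAME-N.crt under destdir; return the paths."""
    dest = Path(destdir)
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    for i, pem in enumerate(to_pem_list(data), start=1):
        path = dest / f"{name}-{i}.crt"
        path.write_text(pem)
        written.append(path)
    return written


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        raw = Path(arg).read_bytes()
        print(arg, detect_format(raw), len(to_pem_list(raw)), "cert(s)")
```

Run it as `python3 certfmt.py some-ca.cer vendor-bundle.pem` to see which encoding each file is in and how many certificates it carries; `install_as_crt(raw, "vendor", "/usr/local/share/ca-certificates")` is the step that would precede running update-ca-certificates, with one PEM certificate per .crt file so that the output of the tool does not depend on how a vendor happened to bundle its chain.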
