
Re: gpg ca-cert-file=[which file???]




On 7/17/17, Lee wrote:
>
> I don't care about EV right now.  I don't want to trust any
> certificate issued by CNNIC & a few other CAs.  How do I do that?

I didn't realize just how big a can of worms I'd opened.  But I'm
close enuf to where I wanted to be that I'm done for now.

https://bugzilla.redhat.com/show_bug.cgi?id=873373#c3
  Feedback from people who know would be good.

Which is why I've been so verbose - I was hoping for feedback from
Someone Who Knows :)

My code auditor skillz leave much to be desired, so my gpg.conf now has
  keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.crt
  ## keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.trust.crt
  ##   ca-bundle.crt       = trusted root certs
  ##   ca-bundle.trust.crt = trusted root certs + explicitly UNtrusted root certs
  ## does gpg check the trust bits in the certs??? need to figure that out
  ## before using ca-bundle.trust.crt

To see all the certificates in a bundle:
$ ./listcerts.sh | head -5
subject= /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
subject= /CN=ACEDICOM Root/OU=PKI/O=EDICOM/C=ES
subject= /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
subject= /C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle
# Print the subject of every certificate in a PEM bundle: collect each
# BEGIN..END block and hand it to "openssl x509" one block at a time.

FILE="/etc/pki/tls/certs/ca-bundle.crt"
# FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"

awk -v cmd="openssl x509 -noout -subject" '
/^-----BEGIN/ { c = $0; next }                        # start a new block
{ c = c "\n" $0 }                                     # accumulate its lines
/^-----END/ { print c | cmd; close(cmd); c = "" }     # feed the block to openssl
' "$FILE"

# openssl x509 -noout -text
#  to see all the certificate info

$

to blacklist a cert - in this case
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

- find the specific cert in the bundle
- extract just that cert and save it to a file
- verify you extracted the right cert
$ openssl x509 -noout -text -in ~/t/CNNIC.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1228079105 (0x49330001)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=CNNIC, CN=CNNIC ROOT
        Validity
            Not Before: Apr 16 07:09:14 2007 GMT
            Not After : Apr 16 07:09:14 2027 GMT
        Subject: C=CN, O=CNNIC, CN=CNNIC ROOT
        Subject Public Key Info:
  <.. snip ..>

- copy the cert to /etc/pki/ca-trust/source/blacklist
$ mv ~/t/CNNIC.pem /etc/pki/ca-trust/source/blacklist/

- update the trust db
$ update-ca-trust

- verify the untrusted cert has been blacklisted:
$ ./listcerts.sh | grep CNNIC

- make an oopsie?
$ mv /etc/pki/ca-trust/source/blacklist/CNNIC.pem ~/t
$ update-ca-trust
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
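The "find the specific cert / extract just that cert / verify" steps from the post above, as an added example that is not Lee's code: a POSIX shell helper that pulls exactly one root out of a PEM bundle by subject and refuses to write anything when the pattern matches zero or several certificates. It assumes openssl and awk are on PATH; the helper names are my own, and the bundle and blacklist paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added helper (not from the post): extract exactly one CA from a PEM bundle
# by subject, the "find / extract / verify" steps before blacklisting it.
# Assumes openssl and awk on PATH.

# extract_cert_by_subject BUNDLE PATTERN OUTFILE
#   Splits BUNDLE into its PEM blocks, prints each block's subject in RFC 2253
#   form (e.g. "CN=CNNIC ROOT,O=CNNIC,C=CN"), greps it for the -E PATTERN and
#   writes the single matching block to OUTFILE.
#   Exit status: 0 = one match written, 1 = no match, 2 = several matches
#   (nothing written, so an over-broad pattern cannot pick the wrong root).
extract_cert_by_subject() {
    bundle=$1 pattern=$2 out=$3
    tmp=$(mktemp -d) || return 3
    # one file per certificate: $tmp/cert.1, $tmp/cert.2, ...
    awk -v dir="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n }
        f != "" { print > f }
        /^-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    matches=0 hit=
    for c in "$tmp"/cert.*; do
        [ -f "$c" ] || continue
        if openssl x509 -noout -subject -nameopt RFC2253 -in "$c" |
                grep -Eq -- "$pattern"; then
            matches=$((matches + 1)); hit=$c
        fi
    done
    case $matches in
        1) cp "$hit" "$out" && rc=0 || rc=3 ;;
        0) rc=1 ;;
        *) rc=2 ;;
    esac
    rm -rf "$tmp"
    return $rc
}

# cert_fingerprint FILE: SHA-256 fingerprint, for the "verify you extracted
# the right cert" step before anything is copied into the blacklist.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# The post's blacklisting flow using the helpers (left commented out so that
# sourcing this file never touches the trust store):
#   extract_cert_by_subject /etc/pki/tls/certs/ca-bundle.crt 'CN=CNNIC ROOT' ~/t/CNNIC.pem &&
#     cert_fingerprint ~/t/CNNIC.pem &&
#     cp ~/t/CNNIC.pem /etc/pki/ca-trust/source/blacklist/ &&
#     update-ca-trust &&
#     ./listcerts.sh | grep CNNIC     # should print nothing afterwards
```

The subject is matched in RFC 2253 form so the same pattern works whether the local openssl prints the old "/C=CN/O=CNNIC/CN=CNNIC ROOT" layout or the newer "C = CN, O = CNNIC, ..." one.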