Web lists-archives.com

Re: Correct way to install Intermediate certificates in Debian

On 13.04.2019 21:20, Tyler A wrote:
On 13/4/19 3:57 pm, Alexander V. Makartsev wrote:
On 13.04.2019 19:40, Tyler A wrote:

I had trouble visiting these two websites in Firefox, Epiphany and
verifying with OpenSSL.

- Births Deaths and Marriages (Government of South Australia)

- Hostplus Superannuation Fund

I can access both sites without any problems with my browser (Firefox).
Keep in mind, you must do this in a new profile. If you've ever visited
a website which has used the certificate it will be cached, and the site
will work. 
Yes, my mistake, I've neglected that and now was able to repro your issue.
As for your question about certificate installation. Apparently (I hope somebody will correct me on that),
p11-kit doesn't provide a writable software pkcs#11 token for user to add/remove CA certificates, but
'gnome-keyring' does, and you should use it if you want to work with personal certificates, private keys, etc.
However, most applications won't recognize the objects from gnome-keyring pkcs#11 module automatically and
should be configured to use it by providing correct pkcs#11 module URI.

So, that aside, in order to add CA certificates to "System Trust" token, provided by "p11-kit-trust" pkcs#11 module,
you have to use "update-ca-certificates" utility.
1. Download CA certificates.
2. Process them with "openssl" to make them trusted and put them in special folder recognized by "update-ca-certificates" utility.
    $ sudo openssl x509 -inform der -in ./ThawteRSACA2018.crt -trustout -out /usr/local/share/ca-certificates/ThawteRSACA2018.crt
    $ sudo openssl x509 -inform der -in ./GeoTrustRSACA2018.crt -trustout -out /usr/local/share/ca-certificates/GeoTrustRSACA2018.crt

3. Start "update-ca-certificates" utility
    $ sudo update-ca-certificates -f

4. Check that certificates were added with "trust" utility.
    $ trust list --filter=ca-anchors --purpose=server-auth | egrep "GeoTrust RSA CA 2018|Thawte RSA CA 2018"
        label: GeoTrust RSA CA 2018
        label: Thawte RSA CA 2018

That is it. Now a few remarks. Mozilla Firefox uses it's own NSS DB to store certificates and don't use other pkcs#11 modules and tokens, such as "System Trust", by default, so you have to configure it.
In Firefox browser, open "Preferences" >> "Privacy & Security", click "Security Devices" and click "Load".
Type in module name and module path:
    Name: "p11-kit-trust PKCS#11 Module"
    Path: "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so"
New module should appear on the left pane with "System Trust" token. If you select it, it will have "/etc/ssl/certs/ca-certificates.crt" in its Description.
After that, problem sites should work without any additional actions.

Any program that automatically uses compiled certificates in "/etc/ssl/certs/ca-certificates.crt" (updated by "update-ca-certificates"), like curl, wget, openssl, etc, should work with those sites too.
Additionally you can specify a pkcs#11 token URI to use in their command line parameters:
    $ p11tool --list-tokens
    Token 0:
            URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
            Label: System Trust
            Type: Trust module
            Manufacturer: PKCS#11 Kit
            Model: p11-kit-trust
            Serial: 1
            Module: p11-kit-trust.so

I got the same certificates from a European VPN as I did from in
Australia (not what you got) which appears to be a CDN.

With kindest regards, Alexander.

⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org