This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: gpg ca-cert-file=[which file???]
On 7/17/17, Lee wrote:
>
> I don't care about EV right now. I don't want to trust any
> certificate issued by CNNIC & a few other CAs. How do I do that?
I didn't realize just how big a can of worms I'd opened. But I'm
close enough to where I wanted to be that I'm done for now.
https://bugzilla.redhat.com/show_bug.cgi?id=873373#c3
Feedback from people who know would be good.
Which is why I've been so verbose - I was hoping for feedback from
Someone Who Knows :)
My code auditor skillz leave much to be desired, so my gpg.conf now has
keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.crt
## keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.trust.crt
## ca-bundle.crt = trusted root certs
## ca-bundle.trust.crt = trusted root certs + explicitly UNtrusted root certs
## does gpg check the trust bits in the certs??? need to figure that out
## before using ca-bundle.trust.crt
To see all the certificates in a bundle:
$ ./listcerts.sh | head -5
subject= /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
subject= /CN=ACEDICOM Root/OU=PKI/O=EDICOM/C=ES
subject= /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
subject= /C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle
FILE="/etc/pki/tls/certs/ca-bundle.crt"
# FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"
# Collect each PEM block (BEGIN..END) and feed it to openssl, which prints the subject.
cat "$FILE" |
awk -v cmd="openssl x509 -noout -subject " '
/^-----BEGIN/ { c = $0; next }
{ c = c "\n" $0 }
/^-----END/ { print c|cmd; close(cmd); c = "" }
'
# openssl x509 -noout -text
# to see all the certificate info
$
to blacklist a cert - in this case
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT
- find the specific cert in the bundle
- extract just that cert and save it to a file
- verify you extracted the right cert
$ openssl x509 -noout -text -in ~/t/CNNIC.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1228079105 (0x49330001)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, O=CNNIC, CN=CNNIC ROOT
Validity
Not Before: Apr 16 07:09:14 2007 GMT
Not After : Apr 16 07:09:14 2027 GMT
Subject: C=CN, O=CNNIC, CN=CNNIC ROOT
Subject Public Key Info:
<.. snip ..>
- copy the cert to /etc/pki/ca-trust/source/blacklist
$ mv ~/t/CNNIC.pem /etc/pki/ca-trust/source/blacklist/
- update the trust db
$ update-ca-trust
- verify the untrusted cert has been blacklisted:
$ ./listcerts.sh | grep CNNIC
- make an oopsie?
$ mv /etc/pki/ca-trust/source/blacklist/CNNIC.pem ~/t
$ update-ca-trust
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT
Regards,
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
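The listcerts.sh pipeline in the post shells out to openssl once per block. The following is an added example, not code from Lee's post or from the Cygwin project: it does the same subject listing in pure Python and, for the ca-bundle.trust.crt format, also decodes the trust and reject OIDs that OpenSSL's "TRUSTED CERTIFICATE" blocks append after the certificate, so you can see which roots a bundle explicitly distrusts. Whether gpg's keyserver code honours those bits is the open question in the post and is not answered here; the example only makes the bits visible. The sample bundle, its subject values and the small EKU name table are constructed for the example and are not real CA certificates.

```python
# Added example, not code from the post: pure-Python stand-in for listcerts.sh that lists
# every subject in a PEM bundle and, for "TRUSTED CERTIFICATE" blocks (ca-bundle.trust.crt
# format), decodes the OpenSSL CertAux trust/reject OIDs. Sample bundle below is constructed.
import base64, re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
DN_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU"}
EKU = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.4": "emailProtection"}  # assumed name table

def read_tlv(buf, pos=0):  # (tag, value, end) of the DER element at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(body):  # (tag, value) pairs of the elements inside a constructed body
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out
def decode_oid(raw):  # DER OBJECT IDENTIFIER body -> dotted string
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)
def subject_of(der):
    # Certificate -> tbsCertificate -> subject, rendered like "openssl x509 -subject"
    tbs = children(children(read_tlv(der)[1])[0][1])  # tbsCertificate is the first child
    i = 1 if tbs[0][0] == 0xA0 else 0  # optional [0] version, then serial, sigAlg, issuer, validity, subject
    parts = []
    for _, rdn in children(tbs[i + 4][1]):  # each RDN is a SET of AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid_raw), (_, value) = children(atv)
            parts.append(f"{DN_OIDS.get(decode_oid(oid_raw), decode_oid(oid_raw))}={value.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)
def trust_bits(der):
    # (trust, reject) OID sets from the CertAux that trails a TRUSTED CERTIFICATE in the same block
    trust, reject, end = set(), set(), read_tlv(der)[2]
    if end < len(der):
        for tag, value in children(read_tlv(der, end)[1]):
            if tag == 0x30:  # trust: SEQUENCE OF OID
                trust = {decode_oid(v) for _, v in children(value)}
            elif tag == 0xA0:  # reject: [0] IMPLICIT SEQUENCE OF OID
                reject = {decode_oid(v) for _, v in children(value)}
    return trust, reject
def list_certs(bundle_text):
    # one dict per PEM block: subject, block label, trust/reject usages by name
    rows = []
    for m in PEM_BLOCK.finditer(bundle_text):
        label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
        trust, reject = trust_bits(der) if label == "TRUSTED CERTIFICATE" else (set(), set())
        rows.append({"subject": subject_of(der), "label": label,
                     "trust": {EKU.get(o, o) for o in trust}, "reject": {EKU.get(o, o) for o in reject}})
    return rows

# --- constructed sample bundle so this runs without /etc/pki (unsigned, not real CA certs) ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = [40 * nums[0] + nums[1]]
    for n in nums[2:]:
        chunk = [n & 0x7F]
        while n > 0x7F:
            n >>= 7
            chunk.append(0x80 | (n & 0x7F))
        out += reversed(chunk)
    return der(0x06, bytes(out))
def dn(*pairs):
    return der(0x30, b"".join(der(0x31, der(0x30, oid(o) + der(0x0C, v.encode()))) for o, v in pairs))
def fake_cert(name, trust=(), reject=()):
    alg = der(0x30, oid("1.2.840.113549.1.1.11"))
    validity = der(0x30, der(0x17, b"070416070914Z") + der(0x17, b"270416070914Z"))
    spki = der(0x30, der(0x30, oid("1.2.840.113549.1.1.1")) + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))
    if not trust and not reject:
        return "CERTIFICATE", cert
    aux = (der(0x30, b"".join(map(oid, trust))) if trust else b"") + (der(0xA0, b"".join(map(oid, reject))) if reject else b"")
    return "TRUSTED CERTIFICATE", cert + der(0x30, aux)
def pem(label, body):
    return f"-----BEGIN {label}-----\n{base64.b64encode(body).decode()}\n-----END {label}-----\n"
SAMPLE_BUNDLE = "".join(pem(*fake_cert(*a)) for a in [
    (dn(("2.5.4.6", "ES"), ("2.5.4.10", "ACCV"), ("2.5.4.3", "ACCVRAIZ1")), ("1.3.6.1.5.5.7.3.1",)),
    (dn(("2.5.4.6", "CN"), ("2.5.4.10", "CNNIC"), ("2.5.4.3", "CNNIC ROOT")), (), ("1.3.6.1.5.5.7.3.1",)),
    (dn(("2.5.4.3", "Example Plain Root")),),
])
if __name__ == "__main__":
    for r in list_certs(SAMPLE_BUNDLE):
        print("subject=", r["subject"], r["label"], "trust=", sorted(r["trust"]), "reject=", sorted(r["reject"]))
```

To run it on a real file, call list_certs(open("/usr/ssl/certs/ca-bundle.trust.crt").read()) (or the /etc/pki path from the script). Plain CERTIFICATE blocks always come back with empty trust and reject sets, so a subject that shows up with a non-empty reject set is one the bundle explicitly marks as rejected for that usage, which is the distinction between ca-bundle.crt and ca-bundle.trust.crt that the gpg.conf comments above are asking about.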