On 7/17/17, Lee wrote:
> > I don't care about EV right now. I don't want to trust any
> > certificate issued by CNNIC & a few other CAs. How do I do that?

I didn't realize just how big a can of worms I'd opened. But I'm close enough to where I wanted to be that I'm done for now.
https://bugzilla.redhat.com/show_bug.cgi?id=873373#c3

Feedback from people who know would be good. Which is why I've been so verbose - I was hoping for feedback from Someone Who Knows :)

My code auditor skillz leave much to be desired, so my gpg.conf now has

keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.crt
## keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.trust.crt
## ca-bundle.crt = trusted root certs
## ca-bundle.trust.crt = trusted root certs + explicitly UNtrusted root certs
## does gpg check the trust bits in the certs??? need to figure that out
## before using ca-bundle.trust.crt

To see all the certificates in a bundle:

$ ./listcerts.sh | head -5
subject= /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
subject= /CN=ACEDICOM Root/OU=PKI/O=EDICOM/C=ES
subject= /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
subject= /C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle
# Print the subject of every certificate in a PEM bundle.
FILE="/etc/pki/tls/certs/ca-bundle.crt"
# FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"
cat "$FILE" |\
awk -v cmd="openssl x509 -noout -subject " '
  # collect one BEGIN..END block, then pipe it to openssl
  /^-----BEGIN/ { c = $0; next }
  { c = c "\n" $0 }
  /^-----END/ { print c|cmd; close(cmd); c = "" }
'
# openssl x509 -noout -text   # to see all the certificate info

To blacklist a cert - in this case

$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

- find the specific cert in the bundle
- extract just that cert and save it to a file
- verify you extracted the right cert

$ openssl x509 -noout -text -in ~/t/CNNIC.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1228079105 (0x49330001)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=CNNIC, CN=CNNIC ROOT
        Validity
            Not Before: Apr 16 07:09:14 2007 GMT
            Not After : Apr 16 07:09:14 2027 GMT
        Subject: C=CN, O=CNNIC, CN=CNNIC ROOT
        Subject Public Key Info:
<.. snip ..>

- copy the cert to /etc/pki/ca-trust/source/blacklist

$ mv ~/t/CNNIC.pem /etc/pki/ca-trust/source/blacklist/

- update the trust db

$ update-ca-trust

- verify the untrusted cert has been blacklisted:

$ ./listcerts.sh | grep CNNIC

- make an oopsie?

$ mv /etc/pki/ca-trust/source/blacklist/CNNIC.pem ~/t
$ update-ca-trust
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

Regards,
Lee

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
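Added example, not part of Lee's post: the "extract just that cert and verify you extracted the right cert" step done by SHA-256 fingerprint (the value `openssl x509 -noout -fingerprint -sha256` prints) rather than a subject grep, which can match more than one root or none. Pure Python stdlib, so it runs without openssl; SAMPLE_BUNDLE is a constructed stand-in for ca-bundle.crt, not real certificates.

```python
import base64
import hashlib
import re

# One PEM block; the label is captured so BEGIN and END must agree.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
                    re.DOTALL)


def split_pem_bundle(text):
    """Return [(label, pem_block, der_bytes)] for every PEM block in a bundle."""
    out = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()))
        out.append((m.group(1), m.group(0) + "\n", der))
    return out


def sha256_fingerprint(der):
    """Same format as `openssl x509 -noout -fingerprint -sha256`: AB:CD:..."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def extract_by_fingerprint(bundle_text, fingerprint):
    """Return the one plain CERTIFICATE block with this SHA-256 fingerprint.

    TRUSTED CERTIFICATE blocks (ca-bundle.trust.crt) are skipped: their body is
    the certificate plus appended trust attributes, so its hash is not the
    certificate's fingerprint. Zero or several hits raise instead of silently
    blacklisting nothing or the wrong root.
    """
    wanted = fingerprint.replace(":", "").upper()
    hits = [block for label, block, der in split_pem_bundle(bundle_text)
            if label == "CERTIFICATE"
            and sha256_fingerprint(der).replace(":", "") == wanted]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one match, found {len(hits)}")
    return hits[0]


def _pem(label, payload):
    """Constructed sample block; the payload is NOT a real certificate."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-in for ca-bundle.crt so the example runs offline.
SAMPLE_BUNDLE = ("# constructed bundle, not the system ca-bundle.crt\n"
                 + _pem("CERTIFICATE", b"constructed root A (not a real cert)")
                 + _pem("CERTIFICATE", b"constructed root B (not a real cert)")
                 + _pem("TRUSTED CERTIFICATE", b"constructed root B + trust bits"))
```

Write the returned block to /etc/pki/ca-trust/source/blacklist/ and run update-ca-trust as in the post; the fingerprint check replaces eyeballing the `openssl x509 -text` output.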