On Mon, Jun 01, 2020 at 06:04:17PM +0100, Stuart Henderson wrote:
> OK to drop the expired AddTrust cert from cert.pem?

yes, thanks.

> I checked against the firefox set, there are no new/removed certs that
> work with libressl there. There are now two with GENERALIZEDTIME notAfter
> dates from before 2050 that don't work though (I only remember seeing one
> of those when I last looked).. but that is a separate issue.
>
> /C=EE/O=AS Sertifitseerimiskeskus/CN=EE Certification Centre Root CA/emailAddress=p...@sk.ee
> /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2

I suspect these can safely be dropped too.

> Index: cert.pem > =================================================================== > RCS file: /cvs/src/lib/libcrypto/cert.pem,v > retrieving revision 1.20 > diff -u -p -r1.20 cert.pem > --- cert.pem 10 Apr 2020 12:13:17 -0000 1.20 > +++ cert.pem 1 Jun 2020 16:59:23 -0000 
> @@ -350,58 +350,6 @@ LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQ > LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg== > -----END CERTIFICATE----- > > -### AddTrust AB > - > -=== /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust > External CA Root > -Certificate: > - Data: > - Version: 3 (0x2) > - Serial Number: 1 (0x1) > - Signature Algorithm: sha1WithRSAEncryption > - Validity > - Not Before: May 30 10:48:38 2000 GMT > - Not After : May 30 10:48:38 2020 GMT > - Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, > CN=AddTrust External CA Root > - X509v3 extensions: > - X509v3 Subject Key Identifier: > - AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A > - X509v3 Key Usage: > - Certificate Sign, CRL Sign > - X509v3 Basic Constraints: critical > - CA:TRUE > - X509v3 Authority Key Identifier: > - > keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A > - DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP > Network/CN=AddTrust External CA Root > - serial:01 > - > -SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68 > -SHA256 > Fingerprint=68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2 > ------BEGIN CERTIFICATE----- > -MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU > -MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs > -IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 > -MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux > -FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h > -bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v > -dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt > -H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 > -uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX > -mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX > -a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN > 
-E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 > -WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD > -VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 > -Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU > -cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx > -IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN > -AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH > -YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 > -6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC > -Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX > -c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a > -mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= > ------END CERTIFICATE----- > - > ### AffirmTrust > > === /C=US/O=AffirmTrust/CN=AffirmTrust Commercial >
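
Review bot: In the block removed at @@ -350,58 +350,6 @@, the only evidence for why this root goes away is its Validity field (Not After : May 30 10:48:38 2020 GMT, two days before the diff's 1 Jun 2020 timestamp), so the commit log should record that expiry date together with the subject DN, which keeps the trust-store change auditable once the certificate text is gone from the file. The hunk also deletes the "### AddTrust AB" heading; that is consistent with the trailing context, which runs straight into "### AffirmTrust" and leaves no other entry under the old heading. The two GENERALIZEDTIME roots named earlier in the thread are not touched by this diff and would need a separate change.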