On Wed, Oct 03, 2018 at 05:55:59AM -0000, Stan Janssen wrote:
> (I wonder why DigiCert has not been able to convince Mozilla to include
> this certificate, yet they still sign certificates that are intended for

Most CAs have multiple levels of certificates. The ones that the browsers
include in trust bundles are normally stored off-line in locked vaults in
multiple shards and are only reconstructed once every few years for use,
to sign intermediary certificates.

The intermediary certificates are the ones that are used to sign end-user
certificates. These are not included in the browser bundles. Every site
that uses them is expected to include them in their certificate chains.

> public verification using this. And, to make matters worse, why most
> other browsers do seem to include the certificate by default or at least
> trust the certificate chain enough to load the pages.)

The trouble is, browser authors have seen incomplete chains before, and
have gone to some efforts to try to remediate the problem themselves. They
will *store* intermediate certificates as they discover them around the
wider web. If a misconfigured site forgets to include the full chain of
certificates, quite often site admins won't even notice because the
intermediate certs will be in their *local* user configuration.

This is what makes a service like Qualys's TLS checker so wonderful: it's
a well-written neutral third party that knows how to diagnose a surprising
number of deployment and implementation mistakes.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1795242

Title:
  Digicert certificate is not included

Status in ca-certificates package in Ubuntu:
  Confirmed

Bug description:
  EDIT: This post originally mentioned the "DigiCert High Assurance EV
  Root CA", which was the wrong name. The "DigiCert SHA2 Secure Server"
  was intended. This post has been edited for clarity.

  -------------

  The "DigiCert SHA2 Secure Server" certificate is missing, which means
  that the system does not trust web sites that are using SSL
  certificates signed by that root. An example is a popular website in
  the Netherlands https://marktplaats.nl. The result is that no
  resources other than the text-only homepage are loaded.

  Installing the Digicert root certificate manually from Digicert solves
  the problem:

  ```
  wget https://dl.cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
  mv DigiCertSHA2SecureServerCA.crt DigiCertSHA2SecureServerCA.der
  openssl x509 -inform DER -outform PEM -in DigiCertSHA2SecureServerCA.der -out DigicertSHA2SecureServerCA.pem.crt
  sudo mkdir -p /usr/share/ca-certificates/extra
  sudo cp DigicertSHA2SecureServerCA.pem.crt /usr/share/ca-certificates/extra/
  sudo dpkg-reconfigure ca-certificates
  ```

  Maybe there is a valid reason for not including this certificate by
  default, or maybe this certificate can be included by default, since
  it seems like it's assumed to be included on every machine.
