Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: Accepting as trusted b.g.o. certificates [was: From where the word 'gentoo' came?]
Date: Fri, 23 Dec 2011 19:25:09
In Reply to: Re: [gentoo-user] Re: From where the word 'gentoo' came? by LinuxIsOne
1 On Thursday 22 Dec 2011 06:26:53 LinuxIsOne wrote:
2 > On Wed, Dec 21, 2011 at 12:50 PM, Nikos Chantziaras <realnc@×××××.de> wrote:
3 > > So it's either add to your trusted authorities, or live in
4 > > hell when browsing b.g.o. IMO that's just stupid. I want to trust just
5 > > b.g.o, not every site out there that has a cacert certificate.
6 >
7 > Okay so how do I add only b.g.o of the and not others? Can
8 > you tell me the step by step process?
10 A browser (e.g. Firefox) will pop up a warning that the particular website
11 (b.g.o.) certificate or the CA root certificate that has signed the website
12 certificate is not trusted. Under Technical Details it says:
13 "sec_error_untrusted_issuer"
15 So FF does not 'trust' CACert as the issuer of legitimate certificates, because
16 CACert's root certificate is not stored in FF's list of SSL Certification
17 Authorities. If you go to Preferences/Advanced/Encryption/View
18 Certificates/Authorities, you'll see that CACert is not in there.
20 At that moment you need to click on the relevant buttons of the warning
21 message and ask the browser to accept the certificate. There should also be
22 some tick box asking the browser to store the certificate as trusted
23 permanently.
25 If you click to add this exception permanently you can click on View to see
26 the details of the SSL certificate chain. There are 3 certificates in the
27 bundle:
29 1. CA Cert Signing Authority
31 The details tell you that this is the Root CA (self-signed). This is used to
32 sign the second certificate.
34 2. CAcert Class 3 Root
36 The details tell you that this is a Class 3 Root certificate which is used in
37 turn to sign the b.g.o. website certificate.
39 3.
41 This is the website certificate signed by 2 above.
43 Now if you click to permanently store the b.g.o. certificate, FF will store not
44 just certificate number 3, but the complete chain of signatory certificates.
45 You can examine these if you go to View Certificates and then Servers.
47 However, this chain of certificates does not implicitly trust certificates 1 and
48 2 above - unless you import these from the CACert website. In that case they
49 will show under the tab called Others, because you have imported these
50 yourself. Having done that, then any website that has a certificate signed by
51 CACert will be accepted automatically and you won't be warned out the Issuer
52 not being a Trusted CA.
54 Not all browsers are the same or choose to behave the same way on this matter,
55 but these are the basic principles.
56 --
57 Regards,
58 Mick


File name MIME type
signature.asc application/pgp-signature