On Thursday 22 Dec 2011 06:26:53 LinuxIsOne wrote:
> On Wed, Dec 21, 2011 at 12:50 PM, Nikos Chantziaras <realnc@×××××.de> wrote:
> > So it's either add cacert.org to your trusted authorities, or live in
> > hell when browsing b.g.o. IMO that's just stupid. I want to trust just
> > b.g.o, not every site out there that has a cacert certificate.
>
> Okay so how do I add only b.g.o of the cacert.org and not others? Can
> you tell me the step by step process?
|
A browser (e.g. Firefox) will pop up a warning that the particular website
(b.g.o.) certificate or the CA root certificate that has signed the website
certificate is not trusted. Under Technical Details it says:
"sec_error_untrusted_issuer"

So FF does not 'trust' CACert as the issuer of legitimate certificates, because
CACert's root certificate is not stored in FF's list of SSL Certification
Authorities. If you go to Preferences/Advanced/Encryption/View
Certificates/Authorities, you'll see that CACert is not in there.
|
At that moment you need to click on the relevant buttons of the warning
message and ask the browser to accept the certificate. There should also be
some tick box asking the browser to store the certificate as trusted
permanently.

If you click to add this exception permanently you can click on View to see
the details of the SSL certificate chain. There are 3 certificates in the
bundle:
|
1. CA Cert Signing Authority

The details tell you that this is the Root CA (self-signed). This is used to
sign the second certificate.

2. CAcert Class 3 Root

The details tell you that this is a Class 3 Root certificate which is used in
turn to sign the b.g.o. website certificate.

3. bugs.gentoo.org

This is the website certificate signed by 2 above.
|
Now if you click to permanently store the b.g.o. certificate, FF will store not
just certificate number 3, but the complete chain of signatory certificates.
You can examine these if you go to View Certificates and then Servers.
|
However, this chain of certificates does not implicitly trust certificates 1 and
2 above - unless you import these from the CACert website. In that case they
will show under the tab called Others, because you have imported these
yourself. Having done that, then any website that has a certificate signed by
CACert will be accepted automatically and you won't be warned about the Issuer
not being a Trusted CA.
|
Not all browsers are the same or choose to behave the same way on this matter,
but these are the basic principles.
--
Regards,
Mick
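
The difference between a per-site exception and an imported CA root, as a simplified model added here (not part of the original message and not Firefox's own code). The `ok-ca` and `ok-exception` labels, the `other.example` host and all certificate bytes are constructed; the model checks issuer names only, not signatures or hostnames, and assumes an exception is bound to one host and one exact certificate.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the encoded certificate

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def evaluate(host, chain, trusted_cas, exceptions):
    """chain is leaf first; trusted_cas is a set of CA fingerprints;
    exceptions maps host -> fingerprint of the one accepted certificate."""
    leaf = chain[0]
    # A stored exception covers this host with this exact certificate only.
    if exceptions.get(host) == leaf.fingerprint:
        return "ok-exception"
    # Otherwise follow issuer links upward until a trusted CA is reached.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            break  # chain does not link up
        if parent.fingerprint in trusted_cas:
            return "ok-ca"
    return "sec_error_untrusted_issuer"

# Constructed chain mirroring the three certificates listed in the message.
ROOT = Cert("CA Cert Signing Authority", "CA Cert Signing Authority", b"root")
CLASS3 = Cert("CAcert Class 3 Root", "CA Cert Signing Authority", b"class3")
BGO = Cert("bugs.gentoo.org", "CAcert Class 3 Root", b"bgo-2011")
OTHER = Cert("other.example", "CAcert Class 3 Root", b"other")  # hypothetical site
BGO_CHAIN = [BGO, CLASS3, ROOT]
OTHER_CHAIN = [OTHER, CLASS3, ROOT]

if __name__ == "__main__":
    exc = {"bugs.gentoo.org": BGO.fingerprint}
    cases = [
        ("no trust configured", "bugs.gentoo.org", BGO_CHAIN, set(), {}),
        ("exception, b.g.o", "bugs.gentoo.org", BGO_CHAIN, set(), exc),
        ("exception, other site", "other.example", OTHER_CHAIN, set(), exc),
        ("root imported, other site", "other.example", OTHER_CHAIN,
         {ROOT.fingerprint}, {}),
    ]
    for label, host, chain, cas, ex in cases:
        print(f"{label:28s} {evaluate(host, chain, cas, ex)}")
```
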