| 1 |
On Thursday 22 Dec 2011 06:26:53 LinuxIsOne wrote: |
| 2 |
> On Wed, Dec 21, 2011 at 12:50 PM, Nikos Chantziaras <realnc@×××××.de> wrote: |
| 3 |
> > So it's either add cacert.org to your trusted authorities, or live in |
| 4 |
> > hell when browsing b.g.o. IMO that's just stupid. I want to trust just |
| 5 |
> > b.g.o, not every site out there that has a cacert certificate. |
| 6 |
> |
| 7 |
> Okay so how do I add only b.g.o of the cacert.org and not others? Can |
| 8 |
> you tell me the step by step process? |
| 9 |
|
| 10 |
A browser (e.g. Firefox) will pop up a warning that the particular website |
| 11 |
(b.g.o.) certificate or the CA root certificate that has signed the website |
| 12 |
certificate is not trusted. Under Technical Details it says: |
| 13 |
"sec_error_untrusted_issuer" |
| 14 |
|
| 15 |
So FF does not 'trust' CACert as the issuer of legitimate certificates, because |
| 16 |
CACert's root certificate is not stored in FF's list of SSL Certification |
| 17 |
Authorities. If you go to Preferences/Advanced/Encryption/View |
| 18 |
Certificates/Authorities, you'll see that CACert is not in there. |
| 19 |
|
| 20 |
At that moment you need to click on the relevant buttons of the warning |
| 21 |
message and ask the browser to accept the certificate. There should also be |
| 22 |
some tick box asking the browser to store the certificate as trusted |
| 23 |
permanently. |
| 24 |
|
| 25 |
If you click to add this exception permanently you can click on View to see |
| 26 |
the details of the SSL certificate chain. There are 3 certificates in the |
| 27 |
bundle: |
| 28 |
|
| 29 |
1. CA Cert Signing Authority |
| 30 |
|
| 31 |
The details tell you that this is the Root CA (self-signed). This is used to |
| 32 |
sign the second certificate. |
| 33 |
|
| 34 |
2. CAcert Class 3 Root |
| 35 |
|
| 36 |
The details tell you that this is a Class 3 Root certificate which is used in |
| 37 |
turn to sign the b.g.o. website certificate. |
| 38 |
|
| 39 |
3. bugs.gentoo.org |
| 40 |
|
| 41 |
This is the website certificate signed by 2 above. |
| 42 |
|
| 43 |
Now if you click to permanently store the b.g.o. certificate, FF will store not |
| 44 |
just certificate number 3, but the complete chain of signatory certificates. |
| 45 |
You can examine these if you go to View Certificates and then Servers. |
| 46 |
|
| 47 |
However, this chain of certificates does not implicitly trust certificates 1 and |
| 48 |
2 above - unless you import these from the CACert website. In that case they |
| 49 |
will show under the tab called Others, because you have imported these |
| 50 |
yourself. Having done that, then any website that has a certificate signed by |
| 51 |
CACert will be accepted automatically and you won't be warned out the Issuer |
| 52 |
not being a Trusted CA. |
| 53 |
|
| 54 |
Not all browsers are the same or choose to behave the same way on this matter, |
| 55 |
but these are the basic principles. |
| 56 |
-- |
| 57 |
Regards, |
| 58 |
Mick |
Archives