Hi All,

Recently (in the last month or so) I noticed that one of my SSL certificates
that I use for email, issued by Comodo, is no longer recognised as 'trusted'.

In particular, it is the Root CA which is not trusted, which is confusing me.
The certificate in question is:

$ ls -la /etc/ssl/certs/AddTrust_External_Root.pem
lrwxrwxrwx 1 root root 61 Jul 14 21:49 /etc/ssl/certs/AddTrust_External_Root.pem -> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.cr


Its contents are:

$ openssl x509 -in /etc/ssl/certs/AddTrust_External_Root.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
                DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
                serial:01

    Signature Algorithm: sha1WithRSAEncryption

and openssl verifies it as OK:

$ openssl verify -verbose -CApath /etc/ssl/certs/ -x509_strict /etc/ssl/certs/AddTrust_External_Root.pem
/etc/ssl/certs/AddTrust_External_Root.pem: OK


Up until recently I had no problem using it, but now Kleopatra shows it as
Valid, but Not Trusted ... which means I cannot select my Comodo-issued
certificate (4th in the chain).

Has anyone noticed something similar with AddTrust External CA Root
certificate, or can explain what happened here?


PS. When I add it in my .gnupg/trustlist.txt it is accepted as trusted, but as
I said this was not needed up until recently.

--
Regards,
Mick