Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Root Certificate not trusted
Date: Thu, 17 Jul 2014 22:04:00
Message-Id: 201407172303.23069.michaelkintzios@gmail.com

Hi All,

Recently (in the last month or so) I noticed that one of my SSL certificates
that I use for email, issued by Comodo, is no longer recognised as 'trusted'.

In particular, it is the Root CA which is not trusted, which is confusing me.
The certificate in question is:

$ ls -la /etc/ssl/certs/AddTrust_External_Root.pem
lrwxrwxrwx 1 root root 61 Jul 14 21:49 /etc/ssl/certs/AddTrust_External_Root.pem -> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.cr


Its contents are:

$ openssl x509 -in /etc/ssl/certs/AddTrust_External_Root.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
                DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
                serial:01

    Signature Algorithm: sha1WithRSAEncryption

and openssl verifies it as OK:

$ openssl verify -verbose -CApath /etc/ssl/certs/ -x509_strict /etc/ssl/certs/AddTrust_External_Root.pem
/etc/ssl/certs/AddTrust_External_Root.pem: OK


Up until recently I had no problem using it, but now Kleopatra shows it as
Valid, but Not Trusted ... which means I cannot select my Comodo issued
certificate (4th in the chain).

Has anyone noticed something similar with AddTrust External CA Root
certificate, or can explain what happened here?


PS. When I add it in my .gnupg/trustlist.txt it is accepted as trusted, but as
I said this was not needed up until recently.

--
Regards,
Mick

Attachments

File name MIME type
signature.asc application/pgp-signature
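
Added example, not part of the message above: a check of whether a root certificate's SHA-1 fingerprint has an entry in a gpg-agent trustlist.txt, the file named in the PS. It assumes the entry syntax from the gpg-agent documentation (fingerprint, optional colons, an "S" flag, a leading "!" for explicit distrust); the function names are hypothetical and SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM file: arbitrary bytes, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed DER stand-in").decode()
              + "\n-----END CERTIFICATE-----\n")


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER bytes, the value `openssl x509 -fingerprint -sha1` prints."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_trustlist(text: str) -> dict:
    """Map fingerprint -> (trusted, flags) for every entry line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        distrusted = line.startswith("!")
        fields = line.lstrip("!").split()
        fpr = fields[0].replace(":", "").upper() if fields else ""
        if not re.fullmatch(r"[0-9A-F]{40}", fpr):
            continue                      # keyword line or malformed entry
        entries[fpr] = (not distrusted, fields[1:])
    return entries


def trustlist_line(pem: str) -> str:
    """Entry text that marks this certificate as a trusted S/MIME root."""
    fpr = sha1_fingerprint(pem)
    return ":".join(fpr[i:i + 2] for i in range(0, 40, 2)) + " S"


def root_status(pem: str, trustlist_text: str) -> str:
    entry = parse_trustlist(trustlist_text).get(sha1_fingerprint(pem))
    if entry is None:
        return "not listed"
    trusted, flags = entry
    return "trusted" if trusted and "S" in flags else "not trusted"
```

The check only reports what the trust list says about a fingerprint; it does not validate the certificate or its chain.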