
Thread: ca-certificates

  1. #1

    Question ca-certificates

    Package: ca-certificates
    Version: 2+git20170807.10b2785-lp151.7.1

    Description

    I noticed that running `update-ca-certificates` will not add a certificate to the openssl store if that certificate belongs to a category other than "authority" (only certificates from the `trust list --filter=ca-anchors` list will be updated).

    I would think that it should also contain certificates belonging to an "other-entry" category, like certificates with a `client-auth` purpose for example.

    Even the package's README (`/usr/share/doc/packages/ca-certificates/README`) states that the openssl store contains CA certificates of all purposes.

    Details

    One of the scripts executed by `update-ca-certificates` contains a `trust extract` command that filters only "ca-anchors", which will not contain certificates with a "client-auth" purpose.

    https://github.com/openSUSE/ca-certi...er/openssl.run


    Question

    Is that the correct behavior? If yes - how should I include "client-auth" certificates in the openssl store (so that for example I could run `curl` without specifying `--cacert cert.pem`)?
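As an added illustration (not from this thread or from the ca-certificates package), a small Python script that parses constructed `trust list` output and shows which entries would survive the ca-anchors filter described above. It assumes the filter keeps only entries with `trust: anchor` and `category: authority`, which is the behaviour the question reports; the sample entries and labels are made up.

```python
"""Classify p11-kit `trust list` entries the way the ca-anchors filter does."""

# Constructed sample (not captured from a real system). The field names
# mirror what `trust list` prints: type, label, trust, category.
SAMPLE_TRUST_LIST = """\
pkcs11:id=%01;type=cert
    type: certificate
    label: Example Root CA
    trust: anchor
    category: authority

pkcs11:id=%02;type=cert
    type: certificate
    label: Example Client Auth Cert
    trust: anchor
    category: other-entry

pkcs11:id=%03;type=cert
    type: certificate
    label: Revoked Intermediate
    trust: distrusted
    category: authority
"""

def parse_trust_list(text):
    """Return one dict per pkcs11: block, holding its indented key/value fields."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("pkcs11:"):
            current = {"uri": line.strip()}
            entries.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries

def would_be_exported(entry):
    """Assumed ca-anchors rule: trust anchors in the 'authority' category only."""
    return entry.get("trust") == "anchor" and entry.get("category") == "authority"

def partition(entries):
    """Split entries into (exported labels, {skipped label: reason})."""
    exported, skipped = [], {}
    for e in entries:
        if would_be_exported(e):
            exported.append(e["label"])
        else:
            skipped[e["label"]] = f"trust={e.get('trust')} category={e.get('category')}"
    return exported, skipped

if __name__ == "__main__":
    exp, skip = partition(parse_trust_list(SAMPLE_TRUST_LIST))
    print("exported to openssl store:", exp)
    for label, why in skip.items():
        print(f"skipped: {label} ({why})")
```

Running it against real output (`trust list --filter=certificates`) shows at a glance which "other-entry" certificates the openssl bundle will never receive.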

  2. #2

    Default Re: ca-certificates

    You might find something that is relevant in the parent (root) directory of these ca management utilities

    https://github.com/openSUSE/ca-certificates

    Notice that there are a number of gotchas that support only authority certificates, not all certificate uses.
    In other words, if you're storing your certificate in one of the specified locations, you'll see what you describe.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3

    Default Re: ca-certificates

    Quote Originally Posted by mszyszko:
    how should I include "client-auth" certificates in the openssl store (so that for example I could run `curl` without specifying `--cacert cert.pem`)?
    "ca" in "--cacert" stands for Certificate Authority, not for Client Authentication. You provide the client key with the options --cert or --key.

  4. #4

    Default Re: ca-certificates

    Quote Originally Posted by arvidjaar:
    "ca" in "--cacert" stands for Certificate Authority, not for Client Authentication. You provide the client key with the options --cert or --key.
    That might be the case if the client is issued a specific certificate to support mutual authentication.

    I was considering, though, the more common scenario where SSL is implemented as server-only authentication, where the client only needs to store a list of authorized CAs, and when an SSL connection is made a client certificate is dynamically created and passed to the user only for that one session.

    I might be mistaken, but I think that the command is appropriate to import a CA cert for that purpose as well.

    TSU
