On Thursday 22 Dec 2011 06:26:53 LinuxIsOne wrote:
> On Wed, Dec 21, 2011 at 12:50 PM, Nikos Chantziaras <rea...@arcor.de> wrote:
> > So it's either add cacert.org to your trusted authorities, or live in
> > hell when browsing b.g.o. IMO that's just stupid. I want to trust just
> > b.g.o, not every site out there that has a cacert certificate.
>
> Okay so how do I add only b.g.o of the cacert.org and not others? Can
> you tell me the step by step process?

A browser (e.g. Firefox) will pop up a warning that the particular website (b.g.o.) certificate or the CA root certificate that has signed the website certificate is not trusted. Under Technical Details it says: "sec_error_untrusted_issuer". So FF does not 'trust' CACert as the issuer of legitimate certificates, because CACert's root certificate is not stored in FF's list of SSL Certification Authorities. If you go to Preferences/Advanced/Encryption/View Certificates/Authorities, you'll see that CACert is not in there.

At that moment you need to click on the relevant buttons of the warning message and ask the browser to accept the certificate. There should also be some tick box asking the browser to store the certificate as trusted permanently. If you click to add this exception permanently you can click on View to see the details of the SSL certificate chain. There are 3 certificates in the bundle:

1. CA Cert Signing Authority
   The details tell you that this is the Root CA (self-signed). This is used to sign the second certificate.

2. CAcert Class 3 Root
   The details tell you that this is a Class 3 Root certificate which is used in turn to sign the b.g.o. website certificate.

3. bugs.gentoo.org
   This is the website certificate signed by 2 above.

Now if you click to permanently store the b.g.o. certificate, FF will store not just certificate number 3, but the complete chain of signatory certificates. You can examine these if you go to View Certificates and then Servers. However, this chain of certificates does not implicitly trust certificates 1 and 2 above - unless you import these from the CACert website. In that case they will show under the tab called Others, because you have imported these yourself. Having done that, then any website that has a certificate signed by CACert will be accepted automatically and you won't be warned about the Issuer not being a Trusted CA.

Not all browsers are the same or choose to behave the same way on this matter, but these are the basic principles.

--
Regards,
Mick
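The difference between a per-site exception and an imported root, as described in the message above, can be shown with a small model. This is an added example, not part of the original post and not Firefox's code: it skips signature checking and models only the trust decision, the certificate bytes are constructed stand-ins, and `other.example` is a hypothetical second site with a CAcert-signed certificate.

```python
import hashlib

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins for certificate DER bytes (not real certificates).
ROOT = b"constructed: CA Cert Signing Authority, self-signed root"
CLASS3 = b"constructed: CAcert Class 3 Root, signed by ROOT"
BGO = b"constructed: bugs.gentoo.org, signed by CLASS3"
BGO_NEW = b"constructed: bugs.gentoo.org after a certificate change"
OTHER = b"constructed: other.example, signed by CLASS3"

class TrustStore:
    def __init__(self):
        self.authorities = set()  # CA fingerprints trusted to issue for any site
        self.exceptions = {}      # host -> fingerprint of the one accepted server cert

    def add_exception(self, host, chain):
        # Only the leaf is pinned, and only for this host; the issuer
        # certificates in the chain gain no authority from this.
        self.exceptions[host] = fp(chain[0])

    def import_authority(self, der):
        self.authorities.add(fp(der))

    def decide(self, host, chain):
        """chain is leaf first, then issuers up to the root."""
        if any(fp(c) in self.authorities for c in chain[1:]):
            return "trusted_issuer"
        if self.exceptions.get(host) == fp(chain[0]):
            return "exception"
        return "sec_error_untrusted_issuer"

def demo():
    store = TrustStore()
    store.add_exception("bugs.gentoo.org", [BGO, CLASS3, ROOT])
    results = [
        store.decide("bugs.gentoo.org", [BGO, CLASS3, ROOT]),      # pinned leaf
        store.decide("other.example", [OTHER, CLASS3, ROOT]),      # same CA, no pin
        store.decide("bugs.gentoo.org", [BGO_NEW, CLASS3, ROOT]),  # leaf changed
    ]
    store.import_authority(ROOT)  # now every CAcert-signed site is accepted
    results.append(store.decide("other.example", [OTHER, CLASS3, ROOT]))
    return results

if __name__ == "__main__":
    print(demo())
```

In this model, a changed certificate on the excepted host warns again, which is the signal a per-site exception preserves and an imported root does not.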