Randy McMurchy wrote: > Dan Nicholson wrote these words on 02/23/09 14:17 CST: > >> Java wants a file containing the certificates of trusted root >> certificate authorities (CAs) for SSL/TLS. Amongst other things, this >> list of root CAs is how your browser decides whether to trust a https >> site or not. Two of them commonly exist on a BLFS system. The ones >> from openssl in /etc/ssl/certs and the ones from mozilla built into >> NSS. > > That's just it. You hit on something that DJ said and that is what is > confusing me. OpenSSL doesn't ship CAs any longer. In fact, the last > update I did to OpenSSL includes a blurb that the CA's don't ship any > longer and that there are only some instructions on how to create them. > > Is this what you and DJ are referring to, the instructions how to create > them, yet you say that Mozilla includes them by default? This is where > I'm confused as you guys have made it out that they are one in the same > (the same in the regard they are ready to use).
Randy, You have to understand how certificates work. They are signed by a certificate authority. If you don't have the CA's public certificate you can't authenticate the server cert. Without the CA public certs, https would never authenticate. Therefore you need the certs from Verisign, Entrust, etc. To see the ones you have now, go to preferences in FireFox, Advanced, Encryption, View Certificates, Authorities. -- Bruce -- http://linuxfromscratch.org/mailman/listinfo/blfs-dev FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
