Hi, I appreciate your help (Joerg, David and Kurt), but there is still a problem to solve before I can trust my connection to db.debian.org via HTTPS.
Kurt Roeckx <[EMAIL PROTECTED]> wrote:

> So Joerg just replaced them with the new ones:
> http://www.spi-inc.org/secretary/spi-ca.crt
> http://www.spi-inc.org/secretary/spi-ca.crt.fingerprint.txt

OK, I downloaded these, verified the first using the second, and imported the first one in both firefox and galeon. Then, when I point galeon or firefox to https://db.debian.org/, I get the usual message saying the certificate is not trusted.

The reason is that the certificate I imported (http://www.spi-inc.org/secretary/spi-ca.crt) is *not* the same as the one advertised by db.debian.org: the former expires in 2016 (!) and has the following SHA1 fingerprint:

D4:CB:C2:DE:8A:CE:1C:4E:4C:96:17:AA:DC:BD:9E:BA:FB:66:2C:94

while the latter expires in 2007 and has this SHA1 fingerprint:

AA:50:E3:2F:6E:AE:40:91:CB:F8:... (cannot copy/paste from the firefox dialog box! :-/)

> They're both part of the ca-certificates package in testing and
> unstable:
> new: /etc/ssl/certs/SPI_CA_2006-cacert.pem
> old: /etc/ssl/certs/spi-ca.pem

It appears that http://www.spi-inc.org/secretary/spi-ca.crt and /etc/ssl/certs/SPI_CA_2006-cacert.pem are exactly the same files. Why do they have different extensions? This is very confusing.

>> % md5sum /etc/ssl/certs/spi-ca.pem
>> 33922a1660820e44812e7ddc392878cb /etc/ssl/certs/spi-ca.pem
>
> As pointed out by others, you can get to it using openssl.

I had thought about that, but grepping for fingerprint in openssl(1ssl) doesn't bring anything. :-(

> But you can also try and import the key in your browser, and they say
> examine/view certificate, at which point it should show you the
> MD5 sum and SHA1 sum too.

Right, that's the easiest way. Works in galeon and firefox.

> The fingerprint of an ssh key is also something you don't check by
> running md5sum on a id_rsa.pub file, you use ssh-keygen -l for it.

True, but grepping for fingerprint in ssh(1) gives the answer as the first hit.

> But it's a lot handier that the whole public key is also available
> on the website.

I'm not sure I understand you here. The public RSA keys *are* available. The problem is trusting them. I proposed GPG-signing them, but using SSL is another way.

Thanks.

PS: sorry for the delays when answering; I have a very busy week...

-- 
Florent

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
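The confusion in this thread (md5sum of the .pem file versus the certificate's fingerprint) comes down to what is being hashed: a certificate fingerprint is a digest over the DER encoding of the certificate, not over the PEM text file, which is why `md5sum /etc/ssl/certs/spi-ca.pem` can never reproduce what the browser dialog shows. The openssl command that does reproduce it is `openssl x509 -in /etc/ssl/certs/spi-ca.pem -noout -fingerprint -sha1`. The script below is an added example, not part of the original thread and not from the SPI or Debian projects: it decodes a PEM block, computes the colon-separated SHA1 fingerprint the same way, compares it against an expected value regardless of case or separators, and parses the `SHA1 Fingerprint=...` line format that `openssl x509 -fingerprint` prints (an assumption about what a `.fingerprint.txt` file contains). The certificate bytes are constructed, not a real certificate, so only the mechanics are shown, not the SPI CA's real fingerprint.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate, just some DER-looking bytes wrapped in
# PEM armor. Enough to show that the fingerprint covers the DER body, not the text file.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A, 0x30, 0x81, 0xF5]) + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(SAMPLE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

# Format assumed for a fingerprint file: the line `openssl x509 -fingerprint` prints.
SAMPLE_FINGERPRINT_LINE = "SHA1 Fingerprint=AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"


def pem_to_der(pem_text):
    """Pull the base64 body out of the first CERTIFICATE block and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case digest over the DER bytes, as browsers and
    `openssl x509 -fingerprint` display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Strip separators and case so 'd4cb...' and 'D4:CB:...' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches(pem_text, expected_fp, algo="sha1"):
    """True if the certificate in pem_text has the expected fingerprint."""
    return normalize(fingerprint(pem_to_der(pem_text), algo)) == normalize(expected_fp)


def parse_openssl_fingerprint_line(line):
    """Parse 'SHA1 Fingerprint=AA:BB:...' into ('sha1', 'AA:BB:...').
    Assumed file format; adjust if the published file uses another layout."""
    m = re.match(r"\s*([A-Za-z0-9]+)\s+Fingerprint=([0-9A-Fa-f:]+)\s*$", line)
    if not m:
        raise ValueError("unrecognised fingerprint line: %r" % line)
    return m.group(1).lower(), m.group(2)


def file_digest_is_not_fingerprint(pem_text, algo="md5"):
    """Demonstrates the thread's pitfall: hashing the PEM file (what md5sum does)
    gives a different value from hashing the DER body (the real fingerprint)."""
    over_file = hashlib.new(algo, pem_text.encode()).hexdigest()
    over_der = hashlib.new(algo, pem_to_der(pem_text)).hexdigest()
    return over_file != over_der


if __name__ == "__main__":
    print("SHA1 fingerprint:", fingerprint(pem_to_der(SAMPLE_PEM)))
    algo, fp = parse_openssl_fingerprint_line(SAMPLE_FINGERPRINT_LINE)
    print("expected (%s): %s -> match: %s" % (algo, fp, matches(SAMPLE_PEM, fp, algo)))
    print("md5sum of file == fingerprint?", not file_digest_is_not_fingerprint(SAMPLE_PEM))
```

To check a real file, replace `SAMPLE_PEM` with the contents of the .pem and `SAMPLE_FINGERPRINT_LINE` with the line from the published fingerprint file; the result must also agree with what the browser's certificate viewer shows for the site. A fingerprint that could only be copied partially (as with the truncated `AA:50:E3:...` above) can rule a certificate out when the prefix differs, but only the full value confirms a match.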

