On Wed, Oct 11, 2006 at 09:22:49PM +0200, Florent Rougon wrote:
> Hi,
>
> I appreciate your help (Joerg, David and Kurt), but there is still a
> problem to solve before I can trust my connection to db.debian.org via
> HTTPS.
>
> Kurt Roeckx <[EMAIL PROTECTED]> wrote:
>
> > So Joerg just replaced them with the new ones:
> > http://www.spi-inc.org/secretary/spi-ca.crt
> > http://www.spi-inc.org/secretary/spi-ca.crt.fingerprint.txt
>
> OK, I downloaded these, verified the first using the second, and
> imported the first one in both firefox and galeon.
>
> Then, when I point galeon or firefox to https://db.debian.org/, I get
> the usual message saying the certificate is not trusted. The reason is
> that the certificate I imported
> (http://www.spi-inc.org/secretary/spi-ca.crt) is *not* the same as the
> one advertised by db.debian.org: the former expires in 2016 (!) and has
> the following SHA1 fingerprint:

The certificate for db.debian.org is still signed by the old key.

> > They're both part of the ca-certificates package in testing and
> > unstable:
> > new: /etc/ssl/certs/SPI_CA_2006-cacert.pem
> > old: /etc/ssl/certs/spi-ca.pem
>
> It appears that http://www.spi-inc.org/secretary/spi-ca.crt and
> /etc/ssl/certs/SPI_CA_2006-cacert.pem are exactly the same files.
> Why do they have different extensions? This is very confusing.

So you need /etc/ssl/certs/spi-ca.pem, and not
/etc/ssl/certs/SPI_CA_2006-cacert.pem. Importing that works for me,
but I suggest you import both now.

"pem" is the file format, and most files in /etc/ssl/certs have that
extension; certificates will be in that file format. The .crt
extension is usually used to say it's a certificate, and not the
private key or something. Afaik, most files in
/usr/share/ca-certificates will have a .crt extension, and most files
in /etc/ssl/certs/ will have a .pem extension and be a symlink to a
file in /usr/share/ca-certificates.

> >> % md5sum /etc/ssl/certs/spi-ca.pem
> >> 33922a1660820e44812e7ddc392878cb /etc/ssl/certs/spi-ca.pem
> >
> > As pointed out by others, you can get to it using openssl.
>
> I had thought about that, but grepping for fingerprint in openssl(1ssl)
> doesn't bring anything. :-(

See man x509(1ssl). openssl has a lot of subcommands, each having its
own manpage. If you don't know what you're looking for, it might be
hard to find.


Kurt


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
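The check Florent describes (downloading spi-ca.crt and verifying it against the published fingerprint file) can be done without hunting through the openssl man pages. The following is an added example, not code from the thread or from Debian; it reproduces what `openssl x509 -noout -sha1 -fingerprint -in FILE` prints (SHA-1 over the DER bytes inside the PEM armour, so a .crt and a .pem copy of the same certificate give the same value) and compares it with a fingerprint line in any of the usual spellings. The certificate body is a constructed placeholder, not a real X.509 certificate, so the code runs offline.

```python
import base64
import hashlib
import re

# Constructed placeholder: these bytes stand in for the DER-encoded CA
# certificate. Real input is the downloaded spi-ca.crt or the identical
# /etc/ssl/certs/SPI_CA_2006-cacert.pem; the fingerprint maths is the same.
SAMPLE_DER = b"constructed placeholder standing in for a DER-encoded certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    # Line breaks (LF or CRLF) inside the base64 body are not part of the data.
    return base64.b64decode("".join(match.group(1).split()))


def sha1_fingerprint(pem_text):
    """SHA-1 of the DER bytes, formatted like openssl: AB:CD:...:EF."""
    digest = hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Accept 'SHA1 Fingerprint=ab:cd...', bare hex, lower case or spaces."""
    value = text.split("=", 1)[1] if "=" in text else text
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(hexonly) != 40:
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return ":".join(hexonly[i:i + 2].upper() for i in range(0, 40, 2))


def fingerprint_matches(pem_text, published):
    """True when the certificate's SHA-1 equals the published fingerprint."""
    return sha1_fingerprint(pem_text) == normalize_fingerprint(published)


if __name__ == "__main__":
    print("SHA1 Fingerprint=" + sha1_fingerprint(SAMPLE_PEM))
```

Pointing `sha1_fingerprint` at both the downloaded .crt and the .pem under /etc/ssl/certs/ shows directly whether they are the same certificate, and comparing against the fingerprint the browser shows for db.debian.org shows which CA actually signed the server certificate.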

