Kurt Roeckx <[EMAIL PROTECTED]> wrote: > The certificate for db.debian.org is still signed by the old key.
Mmmm. >> > They're both part of the ca-certificates package in testing and >> > unstable: >> > new: /etc/ssl/certs/SPI_CA_2006-cacert.pem >> > old: /etc/ssl/certs/spi-ca.pem >> >> It appears that http://www.spi-inc.org/secretary/spi-ca.crt and >> /etc/ssl/certs/SPI_CA_2006-cacert.pem are exactly the same files. >> Why do they have different extensions? This is very confusing. > > So you need /etc/ssl/certs/spi-ca.pem, and not whose fingerprints are GPG-signed here: http://www.spi-inc.org/secretary/spi-ca-old-fingerprint.txt (by Wichert Akkerman). Good. > /etc/ssl/certs/SPI_CA_2006-cacert.pem. Importing that works for me, but > I suggest you import both now. OK, this works fine. > "pem" is the file format, and most files in /etc/ssl/certs have that > extention, certificates will be in that file format. The .crt > extention is ussually used to say it's a certicate, and not the > private key or something. Hmmm, I see. Still a mess, though... > See man x509(1ssl). openssl has alot of subcommands, each having it's > own manpage. If you don't know what you're looking for, it might be > hard to find. Quite true. Once, I started reading openssl(1ssl), but found that very difficult to understand if you aren't already knowledgeable about SSL, certificates and such. Thanks for the pointers! -- Florent -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
