On Fri, Mar 12, 2021 at 21:36:09 +0200, Elan Ruusamäe wrote:
> $ q ca-certificates
> ca-certificates-20210119-3.noarch
>
> here's probably the problem source, the host has ca-certificates
> installed, and very old config:
>
> $ l /etc/ca-certificates.conf*
> -rw-r--r-- 1 root root 6.3K Feb  1  2010 /etc/ca-certificates.conf
> -rw-r--r-- 1 root root 5.5K Mar 12 12:51 /etc/ca-certificates.conf.rpmnew
>
> perhaps the package provided certs should be moved to
> /usr/share/ca-certificates/ca-certificates.conf and
> /etc/ca-certificates.conf be only local customizations?

Do not reinvent the wheel; introduce the distro-agnostic and widely adopted update-ca-trust:

https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-file-in-centos-7
https://gist.github.com/kekru/deabd57f0605ed95d5c8246d18483687
https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/
https://wiki.archlinux.org/index.php/User:Grawity/Adding_a_trusted_CA_certificate
https://fedora.pkgs.org/32/fedora-x86_64/ca-certificates-2020.2.40-3.fc32.noarch.rpm.html
https://fedoraproject.org/wiki/CA-Certificates

Second thing: please move all the additional/local (national) CAs out of the global package; I don't trust ESTEID, you shouldn't trust Certum (or should you? [1]). I have no idea if Terena should be trusted by default:

https://www.geant.org/Services/Trust_identity_and_security/Pages/TCS.aspx
https://wiki.geant.org/display/TCSNT/TCS+wiki+%282020%29+Sectigo

but I definitely do not need them:

https://wiki.geant.org/display/TCSNT/TCS+Participants+Sectigo

OTOH I use NCCert-signed EuroCert certificates for ePUAP validation. Here comes the quest: find the valid ones.

https://www.nccert.pl/

root CA: -> https://www.nccert.pl/files/nccert2016.crt

https://www.nccert.pl/zaswiadczenia.htm

EuroCert_QCA3_2017.crt doesn't work -> https://www.nccert.pl/files/EuroCert_QCA3_2017.crt

    Serial Number: 47:00:3d:10:9e:95:cc:29:5e:b6:3a:b7:82:43:0c:55:e7:e4:b7:63
    Issuer: C=PL, O=Narodowy Bank Polski, CN=Narodowe Centrum Certyfikacji/2.5.4.97=VATPL-5250008198
    Validity
        Not Before: Mar 14 11:39:23 2017 GMT
        Not After : Mar 14 23:59:59 2028 GMT
    Subject: 2.5.4.97=VATPL-9512352379, C=PL, O=EuroCert Sp. z o.o., CN=Centrum Kwalifikowane EuroCert

https://eurocert.pl/pub/Prawo/

QCA03_Eurocert_2017.der works fine -> https://eurocert.pl/pub/Prawo/QCA03_Eurocert_2017.der

    Serial Number: 1a:57:34:b0:d4:72:d2:51:e1:d3:7c:fe:3d:79:6a:c1:17:10:24:90
    Issuer: C=PL, O=Narodowy Bank Polski, CN=Narodowe Centrum Certyfikacji/2.5.4.97=VATPL-5250008198
    Validity
        Not Before: Feb 14 12:26:19 2017 GMT
        Not After : Feb 14 23:59:59 2028 GMT
    Subject: 2.5.4.97=VATPL-9512352379, C=PL, O=EuroCert Sp. z o.o., CN=Centrum Kwalifikowane EuroCert

However - and this might also be the case of ESTEID - I do use the NCCert CA to validate the documents, but I don't need them to be in the main CA bundle and trusted by default by all the system apps. These certificates are used for private resources and might simply reside in a separate directory (I use /etc/pki/nccert) to be pointed to when needed.

[1] back in 2003 I also added Unizeto (Certum): http://git.pld-linux.org/packages/certificates
It's been 18 years and if they didn't make it into some global widely adopted bundle, they should go into a separate subpackage.

In general, we shouldn't mix CAs from different resources (unless we're going to start and really manage our own list). Even more, I'd be pleased if the main bundle was split into parts of globally respected ones and the rest. I don't need to trust any CA from Brazil, China, Turkey (Kamu!) or Hungary.

https://wiki.mozilla.org/CA/FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F
https://wiki.mozilla.org/CA/Additional_Trust_Changes

We should be able to select alternate lists, e.g.:

https://support.google.com/a/answer/7448393
https://www.chromium.org/Home/chromium-security/root-ca-policy

Thus:

ca-certificates -> virtual package falling back to R: ca-root-bundle-mozilla
ca-root-bundle-mozilla - Mozilla root program
ca-root-bundle-chrome - Chrome root program (https://g.co/chrome/root-store)
ca-root-bundle-microsoft - https://aka.ms/RootCert
ca-root-individual-pl-{asseco,kir} - Asseco/Unizeto/Certum, KIR (Polish ones)
ca-root-individual-letsencrypt - single CA if I don't want any bundle
ca-root-individual-{google,apple,microsoft...} - ...and compose my own list
ca-root-private-* - installed in a way that doesn't merge them into the global CA store (NCCert, possibly ESTEID)

-- 
Tomasz Pala <go...@pld-linux.org>

pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en