Mozilla and Chromium still have the md2 cert, because VeriSign had issued intermediates with AKIs that point to the MD2 versions. I'm not sure there are any left though.
If you remove the md2 cert from Firefox and restart it, it will still validate the site correctly.

You need to tell openssl where the CA cert bundle is:

    openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect secure-test.streamline-esolutions.com:443

Doing that results in a successful verification, even though the md2 cert isn't in the system CA bundle:

    Verify return code: 0 (ok)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1031333

Title:
  Missing Verisign certs due to broken extract script
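An added example, not part of the original message or of the ca-certificates package: an offline sketch of why a chain can keep verifying after one copy of a root is removed, assuming the bundle still holds another root certificate with the same subject and key. The CA names, file names and the SHA-256/SHA-384 stand-ins for the old and new digests are constructed for the demo.

```shell
#!/bin/sh
# Constructed PKI; all names and file paths here are made up for the demo.
# SHA-256 and SHA-384 stand in for the old and new signature digests,
# since current OpenSSL builds normally ship without MD2.

mkroot() {  # mkroot DIR KEYNAME DIGEST OUTFILE: self-signed "Demo Root CA"
    openssl req -x509 -new -config "$1/demo.cnf" -key "$1/$2.key" "-$3" \
        -days 30 -subj "/CN=Demo Root CA" -out "$1/$4" 2>/dev/null
}

build_pki() {  # build_pki DIR: three roots and one leaf under DIR
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    for k in root other leaf; do
        openssl genrsa -out "$d/$k.key" 2048 2>/dev/null || return 1
    done
    # Two roots: same subject, same key, different self-signature digest.
    mkroot "$d" root sha256 root-old.pem || return 1
    mkroot "$d" root sha384 root-new.pem || return 1
    # Control: same subject but an unrelated key.
    mkroot "$d" other sha256 root-other.pem || return 1
    # Leaf issued under the old root.
    openssl req -new -config "$d/demo.cnf" -key "$d/leaf.key" \
        -subj "/CN=leaf.example" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root-old.pem" \
        -CAkey "$d/root.key" -set_serial 2 -days 30 -sha256 \
        -out "$d/leaf.pem" 2>/dev/null
}

verify_with() {  # verify_with CAFILE CERT: prints ok or fail
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

sigalg() {  # signature algorithm of a certificate
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

demo() {
    tmp=$(mktemp -d) && build_pki "$tmp" || return 1
    for r in root-old root-new root-other; do
        echo "$r ($(sigalg "$tmp/$r.pem")): $(verify_with "$tmp/$r.pem" "$tmp/leaf.pem")"
    done
    rm -rf "$tmp"
}
demo
```

The leaf verifies against either root that carries the signing key, whatever digest that root's self-signature uses, and fails against the root that only shares the name.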
