Re: certificate expiry

Fri, 09 Feb 2018 16:29:14 -0800 

Thanks Samuel,

On 10/02/18 09:29, Samuel Sieb wrote:

On 02/05/2018 01:01 PM, Eyal Lebedinsky wrote:

As of a month ago I started getting warnings from certwatch saying
     The certificate for Certificate Shack has expired
and
     The certificate for Frank Alpha has expired
which have now expired a week ago.

I wanted to find out who these hosts are and should I care about the expired 
certs.

So far I found these two (and no others) mentioned in the file
     -rw-r----- 1 root apache 65536 Jan 26  2014 /etc/httpd/alias/cert8.db
which is an old file which seems to be part of the mod_nss package.

Are these real certs? Test ones left there for no reason?

If they are not needed then what is the correct way to remove them, short of
removing the nss_mod module.


I expect they are sample certs, but I don't know why they are included. I don't 
see those on my server, but my database is much older.

To remove them, go to the /etc/httpd/alias directory.  Run "certutil -L -d ." 
to make sure of the names.


$ sudo certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
alpha                                                        u,pu,u

'man certutil' seems to not list the meaning of the attributes flags.
I can guess C and T from the args to '-t' but 'u' is not listed. Maybe just 
'untrusted'?


  Then you can run "certutil -D -d . -n 'Frank Alpha'" for example to remove 
them from the database.


$ sudo certutil -D -d . -n 'Frank Alpha'
certutil: could not find certificate named "Frank Alpha": 
SEC_ERROR_BAD_DATABASE: security library: bad database.
$ sudo certutil -D -d . -n alpha
$ sudo certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u

$ sudo certutil -D -d . -n cacert
$ sudo certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u


I will keep an eye on any unusual messages.

--
Eyal at Home (fed...@eyal.emu.id.au)
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Reply via email to