public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
Search results ordered by [date|relevance]  view[summary|nested|Atom feed]
thread overview below | download: 
* [gentoo-user] Re: Accepting as trusted b.g.o. certificates [was: From where the word 'gentoo' came?]
  @ 2011-12-23 19:23 99%     ` Mick
  0 siblings, 0 replies; 1+ results
From: Mick @ 2011-12-23 19:23 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: Text/Plain, Size: 2596 bytes --]

On Thursday 22 Dec 2011 06:26:53 LinuxIsOne wrote:
> On Wed, Dec 21, 2011 at 12:50 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
> > So it's either add cacert.org to your trusted authorities, or live in
> > hell when browsing b.g.o.  IMO that's just stupid.  I want to trust just
> > b.g.o, not every site out there that has a cacert certificate.
> 
> Okay so how do I add only b.g.o of the cacert.org and not others? Can
> you tell me the step by step process?

A browser (e.g. Firefox) will pop up a warning that the particular website 
(b.g.o.) certificate or the CA root certificate that has signed the website 
certificate is not trusted.  Under Technical Details it says:  
"sec_error_untrusted_issuer"

So FF does not 'trust' CACert as the issuer of legitimate certificates, because 
CACert's root certificate is not stored in FF's list of SSL Certification 
Authorities.  If you go to Preferences/Advanced/Encryption/View 
Certificates/Authorities, you'll see that CACert is not in there.

At that moment you need to click on the relevant buttons of the warning 
message and ask the browser to accept the certificate.  There should also be 
some tick box asking the browser to store the certificate as trusted 
permanently.

If you click to add this exception permanently you can click on View to see 
the details of the SSL certificate chain.  There are 3 certificates in the 
bundle:

1. CA Cert Signing Authority

The details tell you that this is the Root CA (self-signed).  This is used to 
sign the second certificate.

2. CAcert Class 3 Root

The details tell you that this is a Class 3 Root certificate which is used in 
turn to sign the b.g.o. website certificate.

3. bugs.gentoo.org

This is the website certificate signed by 2 above.

Now if you click to permanently store the b.g.o. certificate, FF will store not 
just certificate number 3, but the complete chain of signatory certificates.  
You can examine these if you go to View Certificates and then Servers.

However, this chain of certificates does not implicitly trust certificates 1 and 
2 above - unless you import these from the CACert website.  In that case they 
will show under the tab called Others, because you have imported these 
yourself.  Having done that, then any website that has a certificate signed by 
CACert will be accepted automatically and you won't be warned out the Issuer 
not being a Trusted CA.

Not all browsers are the same or choose to behave the same way on this matter, 
but these are the basic principles.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[relevance 99%]

Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2011-12-20 17:31     [gentoo-user] From where the word 'gentoo' came? LinuxIsOne
2011-12-21 17:50     ` [gentoo-user] " Nikos Chantziaras
2011-12-22  6:26       ` LinuxIsOne
2011-12-23 19:23 99%     ` [gentoo-user] Re: Accepting as trusted b.g.o. certificates [was: From where the word 'gentoo' came?] Mick

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox