pkgsrc-Users archive


Re: certdata-20140820.txt missing certs?



On Fri, 5 Sep 2014, John D. Baker wrote:

> I'll see if I can figure out which certs the old set has that seem to
> be missing from the new set.

I moved the old "/etc/openssl/certs" and "/etc/ssl/certs" directories
aside and installed the new certs.  I then gathered a list of the hashes
for both.  Running 'diff -up certhash.old certhash.new' showed which
certs were no longer in the new set.  I was then able to track down
which old certificates these hash-named links pointed to.

I hardlinked these into the current "certs" directory with "old" infixed
into the names to avoid collisions and generated their hash-named symlinks.

Turns out the one certificate I needed for "youtube.com" servers was
previously installed as "mozilla-rootcert-3.pem" (now
"mozilla-rootcert-old-3.pem" in my scheme).

(Curiously, the "current" "mozilla-rootcert-3.pem" is considered untrusted
and is not actually installed.)

The missing root certificate I particularly needed and restored from
the old package is as follows:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 903804111 (0x35def4cf)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Validity
            Not Before: Aug 22 16:41:51 1998 GMT
            Not After : Aug 22 16:41:51 2018 GMT
        Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points: 

                Full Name:
                  DirName: C = US, O = Equifax, OU = Equifax Secure Certificate Authority, CN = CRL1

            X509v3 Private Key Usage Period: 
                Not After: Aug 22 16:41:51 2018 GMT
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier: 
                
keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier: 
                48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
            X509v3 Basic Constraints: 
                CA:TRUE
            1.2.840.113533.7.65.0: 
                0...V3.0c....
    Signature Algorithm: sha1WithRSAEncryption

There were eleven other certificates in the old package that are not in
the new package.

-- 
|/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]mylinuxisp[flyspeck]com    OpenBSD            FreeBSD
| X  No HTML/proprietary data in email.   BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645
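
The comparison described in the message above, as an added example that is not part of the original post: it lists the hash-named symlinks in an old and a new certs directory and reports, for each hash present only in the old one, the certificate file the old link pointed to. The function names `list_hashes` and `missing_certs` are hypothetical, and the script assumes both directories were hashed by the same OpenSSL version.

```shell
#!/bin/sh
# Added example. Assumes hash-named symlinks of the form <8 hex digits>.<n>,
# as created by c_rehash / "openssl rehash". OpenSSL 1.0.0 changed the
# subject-hash algorithm, so both directories must have been hashed by the
# same OpenSSL version or every entry will appear to be missing.

# Print the subject-hash part of each hash-named symlink in directory $1.
list_hashes() {
    for link in "$1"/*.[0-9]*; do
        [ -L "$link" ] || continue          # only symlinks, skips an unmatched glob
        name=${link##*/}
        h=${name%%.*}                       # drop the .0/.1 collision suffix
        case $h in
            *[!0-9a-f]*|'') continue ;;     # not a hex hash name
        esac
        [ "${#h}" -eq 8 ] || continue
        printf '%s\n' "$h"
    done | LC_ALL=C sort -u
}

# Print "<hash> <old target file>" for every hash in $1 that is absent from $2.
missing_certs() {
    old=$1
    new=$2
    tmp=$(mktemp -d) || return 1
    list_hashes "$old" > "$tmp/old"
    list_hashes "$new" > "$tmp/new"
    # comm -23 keeps lines that appear only in the first (old) list
    LC_ALL=C comm -23 "$tmp/old" "$tmp/new" | while read -r h; do
        for link in "$old/$h".[0-9]*; do
            if [ -L "$link" ]; then
                printf '%s %s\n' "$h" "$(readlink "$link")"
            fi
        done
    done
    rm -rf "$tmp"
}

# Usage: sh certdiff.sh /etc/openssl/certs.old /etc/openssl/certs
if [ "$#" -eq 2 ]; then
    missing_certs "$1" "$2"
fi
```

Each reported file can then be inspected with `openssl x509 -noout -text -in <file>` before deciding whether it belongs back in the trust directory.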


