LinuxQuestions.org


aikempshall 05-19-2021 08:00 AM

certificate /etc/ssl/certs/cacert-class3.crt expiration warning
 
In the last 4 days root has been mailed to say that

Quote:

WARNING: certificate /etc/ssl/certs/cacert-class3.crt
is about to expire in time equal to or less than 7 days from now on,
or has already expired - it might be a good idea to obtain/create new one.

NOTE: This message is being sent only once.

A lock-file
/var/run/certwatch-mailwarning-sent-cacert-class3.crt
has been created, which will prevent this script from mailing you again
upon its subsequent executions by crond. You dont need to care about it;
the file will be auto-deleted as soon as you'll prolong your certificate.

What should I do?

CTM 05-19-2021 03:56 PM

Short version: you (or a third-party package you installed) added one of CAcert's intermediate TLS certificates to the OpenSSL trusted certificates directory (/etc/ssl/certs, typically managed by the ca-certificates package). That certificate is about to expire. Consider whether you actually trust CAcert, and if so, replace that certificate with the new one and run "update-ca-certificates" as root.

Long version: CAcert is a community-maintained TLS certificate authority. It operates outside of the Internet's prevalent public key infrastructure, meaning that its root certificate isn't signed by one of the main certificate authorities and therefore isn't trusted by major operating systems (including Slackware, so you didn't get this certificate via the ca-certificates package). At some point in the last ten years, you installed CAcert's Class 3 CA certificate - generated in June 2011, and valid for ten years - to OpenSSL's trusted certificates directory. certwatch (a cron job installed by the openssl package) is mailing you to tell you that that CA certificate is about to expire, and that OpenSSL will refuse to verify any certificate chain containing that CA in a week's time. If you don't know why CAcert is in your trusted certificates directory, or don't recall installing it there, the safest thing to do would be to remove it: it wasn't installed by Slackware, and the impact to you will likely be zero since hardly anyone asks CAcert to sign their certificates (especially with the rise of Let's Encrypt, a free CA that is trusted by all major operating systems). If you want to continue trusting CAcert, you'll need to download the replacement Class 3 CA certificate - valid for another ten years, until April 2031 - and regenerate the database of trusted certificates by running "update-ca-certificates" as root.

aikempshall 05-20-2021 02:13 AM

Thanks for the detailed explanation.

I don't know where the certificate came from and it seems to suggest that it's almost 10 years old. It also doesn't appear on any of my other machines.

So I removed it

Code:

rm /etc/ssl/certs/cacert-class3.crt
update-ca-certificates

which resulted in

Quote:

Updating certificates in /etc/ssl/certs...
3 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Am I able to find what's been added?

The results look a bit odd. I was hoping for

Quote:

Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

CTM 05-20-2021 05:38 PM

I don't think there's a way you can find out what update-ca-certificates did after the fact, but if you're concerned about other certificates lurking in the trusted certificates directory that you might not necessarily trust, you could check what's in there that didn't come from the ca-certificates package:

Code:

# Certificates that are regular files (except for the big bundle created by update-ca-certificates), which have been manually installed:
find /etc/ssl/certs -type f \! -name ca-certificates.crt

# Links to certificates that didn't come from ca-certificates:
find /etc/ssl/certs -type l | xargs readlink -f | grep -v ^/usr/share/ca-certificates/
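
An added example (not from this thread or from Slackware's own scripts) that folds the two find commands above together with the expiry test certwatch performs, so one pass over a trust directory reports each certificate's origin, its notAfter date and whether it falls inside the warning window. It assumes sh, find, readlink, sed and openssl are available and that, as on Slackware, package-provided certificates are symlinks into /usr/share/ca-certificates; everything else counts as manually installed. Directory paths and the WARN_DAYS default are assumptions you can override from the environment.

```sh
#!/bin/sh
# Audit an OpenSSL trust directory such as /etc/ssl/certs (added example).
# For each certificate: origin (package / manual / foreign-link), whether it
# expires within WARN_DAYS (the same check certwatch runs), notAfter, subject.
# Assumed tools: sh, find, readlink, sed, openssl.

WARN_DAYS=${WARN_DAYS:-7}                       # certwatch's default window
PKG_DIR=${PKG_DIR:-/usr/share/ca-certificates}  # what ca-certificates manages

# cert_expires_within FILE DAYS: succeed when the certificate's notAfter is
# within DAYS days. "openssl x509 -checkend N" exits non-zero in that case.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_origin FILE: "package" for a symlink resolving under PKG_DIR,
# "foreign-link" for any other symlink, "manual" for a regular file.
cert_origin() {
    if [ -L "$1" ]; then
        case $(readlink -f "$1") in
            "$PKG_DIR"/*) echo package ;;
            *)            echo foreign-link ;;
        esac
    else
        echo manual
    fi
}

# audit_trust_dir DIR: one line per certificate. Skips the bundle written by
# update-ca-certificates and the 8-hex-digit hash links it creates, since
# those only duplicate the named entries.
audit_trust_dir() {
    find "$1" -maxdepth 1 \( -type f -o -type l \) ! -name ca-certificates.crt \
    | grep -v '/[0-9a-f]\{8\}\.[0-9]*$' | sort | while read -r f; do
        # ignore keys, READMEs and anything else that is not a certificate
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        if cert_expires_within "$f" "$WARN_DAYS"; then state=EXPIRING; else state=ok; fi
        notafter=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        printf '%-12s %-8s %s | %s | %s\n' \
            "$(cert_origin "$f")" "$state" "$notafter" "$subject" "$f"
    done
}

# Usage: sh audit-certs.sh /etc/ssl/certs
if [ "$#" -gt 0 ]; then
    audit_trust_dir "$1"
fi
```

Anything reported as "manual" or "foreign-link" is what the two find commands in the post above would have shown you; the EXPIRING column is what certwatch would have mailed about.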


aikempshall 05-21-2021 05:13 AM

Thanks CTM

The result from running the code is

/etc/ssl/certs/cacert-root.crt

Should I remove this in the same way that I removed /etc/ssl/certs/cacert-class3.crt, then rerun update-ca-certificates?

CTM 05-21-2021 04:55 PM

Yes - that'll be CAcert's Root CA certificate, which is used to sign the Class 3 CA certificate. Unless you also remove that, certificates signed by CAcert will still be trusted (because the certificate chain will terminate with one or more certificates in your trusted certificates directory).
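
To make the point about chain termination concrete, here is an added example (not something from this thread) that builds a throwaway three-level chain with openssl, then runs openssl verify against two trust stores: one where only the intermediate has been deleted but the root is still present, and one where neither is trusted. The CA names (Demo Root CA, Demo Class 3 CA, Unrelated Other CA) and the hostname demo.example are constructed for the demo; it assumes openssl 1.1.0 or newer so that -no-CApath exists and verify's exit status reflects the result.

```sh
#!/bin/sh
# Added example: why removing only an intermediate CA from the trust store
# is not enough when its root is still trusted. Uses a self-built chain
# root -> intermediate -> server cert; all names are constructed.
# Assumed tool: openssl(1) 1.1.0 or newer.

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

# new_csr PREFIX CN: fresh RSA key and CSR as PREFIX.key / PREFIX.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# self_signed_ca PREFIX CN: PREFIX.crt, self-signed, with CA extensions
self_signed_ca() {
    new_csr "$1" "$2"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
        -extfile "$(dirname "$1")/ca.ext" -out "$1.crt" >/dev/null 2>&1
}

# build_chain DIR: writes root.crt, inter.crt, leaf.crt plus an unrelated
# other.crt (a CA that has nothing to do with the chain) into DIR
build_chain() {
    d=$1
    printf '%s\n' "$CA_EXT" > "$d/ca.ext"
    self_signed_ca "$d/root" "Demo Root CA"
    self_signed_ca "$d/other" "Unrelated Other CA"
    # intermediate issued by the root, itself marked as a CA
    new_csr "$d/inter" "Demo Class 3 CA"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" >/dev/null 2>&1
    # server certificate issued by the intermediate
    new_csr "$d/leaf" "demo.example"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/leaf.crt" >/dev/null 2>&1
}

# verify_leaf TRUSTFILE UNTRUSTEDFILE LEAF: succeed when openssl can build a
# chain from LEAF to a certificate in TRUSTFILE. TRUSTFILE stands in for the
# trusted certificates directory; UNTRUSTEDFILE holds the intermediates a
# server sends alongside its certificate. -no-CApath keeps the real system
# store out of the picture.
verify_leaf() {
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# The thread's situation: intermediate deleted, root still trusted.
leaf_trusted_root_only() { verify_leaf "$1/root.crt" "$1/inter.crt" "$1/leaf.crt"; }

# After the root is removed as well: the store holds only an unrelated CA.
leaf_trusted_neither() { verify_leaf "$1/other.crt" "$1/inter.crt" "$1/leaf.crt"; }

# Stand-alone run: report both outcomes.
report() {
    d=$(mktemp -d)
    build_chain "$d"
    if leaf_trusted_root_only "$d"; then
        echo "root kept, intermediate removed: server cert ACCEPTED"
    else
        echo "root kept, intermediate removed: server cert rejected"
    fi
    if leaf_trusted_neither "$d"; then
        echo "root and intermediate removed:   server cert accepted"
    else
        echo "root and intermediate removed:   server cert REJECTED"
    fi
    rm -rf "$d"
}
report
```

The first line is the case in this thread: a server presents its own certificate plus the intermediate, the root is still in the store, so the chain terminates on a trusted certificate and verification passes. Only once the root is gone too does openssl verify refuse it.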

