[WLUG] Which CA does my ssl certificate belong to on the file system

Robert Steckroth robertsteckroth at gmail.com
Sun Jun 12 17:25:26 EDT 2016


Also, I need to add the CA certificate to a QT application but I need to
know where it is on the file system before I can do that.

QFile certFile("path/to/root.crt");
certFile.open(QIODevice::ReadOnly);
QSslCertificate cert(&certFile, QSsl::Pem);
QSslSocket * sslSocket = new QSslSocket(this);
sslSocket->addCaCertificate(cert);

So, it should be common practice to allocate corresponding trusted
certificates on the file system.



On Sun, Jun 12, 2016 at 5:16 PM, Robert Steckroth <robertsteckroth at gmail.com> wrote:

> This is the bottom line here.
> git pull origin master
> fatal: unable to access 'https://*******.com/repository/test.git/':
> server certificate verification failed. CAfile:
> /etc/ssl/certs/ca-certificates.crt CRLfile: none
>
> The thing is, other https sites (github.com) do not have this problem.
> Why is my certificate not found on the file system but github.com's is?
>
>
> On Sun, Jun 12, 2016 at 1:45 PM, James Stroehmann <jaymz at jaymz.org> wrote:
>
>> Can you include the git command you are running and the error you see?
>>
>>
>> ------
>>
>> On Jun 12, 2016, at 12:01 PM, Robert Steckroth <robertsteckroth at gmail.com>
>> wrote:
>>
>>
>> corollarily ;)
>> It seems that git is not using the Comodo CA chain in its internal
>> workings. I need to switch registrars maybe..
>>
>>
>> On Sun, Jun 12, 2016 at 7:50 AM, Carl T. Miller <carl at carltm.com> wrote:
>>
>>> Any certificate that is created for use on a server
>>> contains the info about the CA that can verify it.
>>> And if there is a chain, it will have info for each
>>> of the CAs.
>>>
>>> If you want, just send a copy of the certificate and I'll
>>> run the commands and show you the output.
>>>
>>> c
>>>
>>>
>>> Robert Steckroth wrote:
>>> > Well, the Certificate Authority made the certificate and I would like
>>> to
>>> > know which chain it belongs with the local CA certificates. Maybe it
>>> > requires many commands??
>>> >
>>> > On Sat, Jun 11, 2016 at 8:59 PM, Carl T. Miller <carl at carltm.com>
>>> wrote:
>>> >
>>> >> If I understand correctly, you're saying you want to
>>> >> know which installed CA certificate is used to verify
>>> >> the certificates which you create.  Is that it?  If
>>> >> so, just take a certificate that you created and run
>>> >> the commands on it.
>>> >>
>>> >> (create a file for each cert including the "BEGIN
>>> >> CERTIFICATE" and "END CERTIFICATE" lines)
>>> >> openssl x509 -noout -text -purpose -in onecert
>>> >>
>>> >> c
>>> >>
>>> >>
>>> >> Robert Steckroth wrote:
>>> >> > Yes, thank you for the response Carl. I need to know what
>>> certificate
>>> >> > corresponds with the installed CA certificates. It is not just the
>>> >> > browsers
>>> >> > which verify certificates with a CA-certificate, it is every
>>> platform
>>> >> that
>>> >> > uses https. Therefore, in order to manually verify a remotely served
>>> >> > certificate is trusted, I need to know which CA-certificate it was
>>> >> created
>>> >> > from on the local file system. It just seems like a simple terminal
>>> >> > command
>>> >> > would locate the CA-certificate for any given certificate, but
>>> >> research
>>> >> > has
>>> >> > proved time consuming.
>>> >> >
>>> >> > On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <carl at carltm.com>
>>> >> wrote:
>>> >> >
>>> >> >> When you connect to a website with a browser (or the
>>> >> >> openssl client) you get a copy of the certificate
>>> >> >> directly from the webserver.  If you want to know where
>>> >> >> the certificate is stored locally, you'd have to look
>>> >> >> at the configuration of the webserver.
>>> >> >>
>>> >> >> You also mentioned a CA hosted through namecheap.  That
>>> >> >> would give you the ability to create certificates.
>>> >> >> You should be able to access the secret key file and
>>> >> >> the certificate file for any certificate you have created.
>>> >> >>
>>> >> >> In addition to this, it is common for your browser to
>>> >> >> use certificates to verify well-known CAs.  Look in your
>>> >> >> browser's configuration to manage to view and, perhaps,
>>> >> >> delete these certificates.
>>> >> >>
>>> >> >> So...the first paragraph describes a certificate in use.
>>> >> >> The second describes a certificate which may or may not
>>> >> >> be in use.  The third describes certificates which have
>>> >> >> been installed, and can verify a certificate in use.
>>> >> >>
>>> >> >> My question to you...what certificate is it that you
>>> >> >> want to find?  One you use currently, one that you
>>> >> >> created, or one that has been installed?
>>> >> >>
>>> >> >> c
>>> >> >>
>>> >> >>
>>> >> >> Robert Steckroth wrote:
>>> >> >> > Well, I don't know then.. I am under the impression that when a
>>> >> remote
>>> >> >> > server sends a certificate, it needs to be verified against the
>>> >> >> > certificates in the local file system to ensure that there is no
>>> >> >> > middleman.
>>> >> >> > So, shouldn't openssl be able to return the local path to any
>>> >> certs
>>> >> >> which
>>> >> >> > correspond to the one sent by the remote?
>>> >> >> >
>>> >> >> > On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <
>>> carl at carltm.com>
>>> >> >> wrote:
>>> >> >> >
>>> >> >> >> Hi Robert,
>>> >> >> >>
>>> >> >> >> You can use openssl to retrieve and view the certificates on a
>>> >> >> >> webserver.
>>> >> >> >>
>>> >> >> >> To retrieve all certs on a server:
>>> >> >> >> openssl s_client -connect www.carltm.com:443 -showcerts | tee
>>> >> >> allcerts
>>> >> >> >>
>>> >> >> >> To view each cert:
>>> >> >> >> (create a file for each cert including the "BEGIN CERTIFICATE"
>>> and
>>> >> >> >> "END CERTIFICATE" lines)
>>> >> >> >> openssl x509 -noout -text -purpose -in onecert
>>> >> >> >>
>>> >> >> >> I hope this helps with your investigation.
>>> >> >> >>
>>> >> >> >> c
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Robert Steckroth wrote:
>>> >> >> >> > Hello everyone, I have an interesting question for those of you
>>> >> with
>>> >> >> >> https
>>> >> >> >> > experience.
>>> >> >> >> > I have a certificate authority (through namecheap), chained to
>>> >> my
>>> >> >> ssl
>>> >> >> >> > key/certificate which is distributed by an Ubuntu server. The
>>> >> https
>>> >> >> >> content
>>> >> >> >> > server is nodejs and serves the ssl cert to three types of
>>> >> >> platforms:
>>> >> >> >> web
>>> >> >> >> > browsers, git repositories, and a qt desktop application. The
>>> >> https
>>> >> >> >> server
>>> >> >> >> > works fine on browsers (with the green https uri text). The
>>> >> problem
>>> >> >> >> is, I
>>> >> >> >> > need to know where the CA certificate is kept on my local
>>> ubuntu
>>> >> >> file
>>> >> >> >> > system in order to add it to the qt application and to the git
>>> >> >> config.
>>> >> >> >> I
>>> >> >> >> > think maybe it is a cheap CA since git does not already know
>>> >> about
>>> >> >> the
>>> >> >> >> CA
>>> >> >> >> > on the file system (it works if I add it manually via git
>>> config
>>> >> >> >> > http.sslCAInfo). Anyways, I still would like to know if there
>>> is
>>> >> a
>>> >> >> >> > terminal
>>> >> >> >> > command to find which CA my cert belongs to on the file
>>> system.
>>> >> It
>>> >> >> >> seems
>>> >> >> >> > that they are everywhere on it, jeesh.
>>> >> >> >> > ______________________________________________________
>>> >> >> >> > washlug mailing list    washlug web site
>>> >> >> >> > washlug at washlug.org     www.washlug.org
>>> >> >> >> > http://linux.marcdatabase.com/mailman/listinfo/washlug
>>> >> >> >> >
>>> >> >> > --
>>> >> >> > <surgemcgee>


-- 
<surgemcgee>
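
The lookup asked about in this thread can be done with OpenSSL's issuer hash. The following is an added example, not code from any of the posts: it splits saved `s_client -showcerts` output into one file per certificate (the manual step described above) and finds the installed CA file that issued a given certificate. The function names `split_chain` and `find_issuer` are hypothetical, and the default directory `/etc/ssl/certs` is assumed to be an OpenSSL hashed directory.

```sh
#!/bin/sh
# Added example: find the installed CA file that issued a certificate.

# split_chain FILE PREFIX
# Write every PEM certificate found in FILE (e.g. saved `s_client -showcerts`
# output) to PREFIX.1.pem, PREFIX.2.pem, ... and print how many were written.
split_chain() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "." n ".pem"; on = 1 }
        on                            { print > out }
        /-----END CERTIFICATE-----/   { on = 0; close(out) }
        END                           { print n + 0 }' "$1"
}

# find_issuer CERT [CAPATH]
# Print the real path of the CA certificate in the hashed directory CAPATH
# that issued CERT. Returns 1 when no installed CA matches, 2 on a bad CERT.
find_issuer() {
    fi_dir=${2:-/etc/ssl/certs}
    # Hash of CERT's issuer name; the trust directory holds links named
    # <subject-hash>.<n> for every installed CA.
    fi_hash=$(openssl x509 -noout -issuer_hash -in "$1") || return 2
    for fi_ca in "$fi_dir/$fi_hash".*; do
        [ -e "$fi_ca" ] || continue
        # Same name is not enough: confirm this CA's key signed CERT.
        if openssl verify -no-CApath -partial_chain -CAfile "$fi_ca" "$1" \
                >/dev/null 2>&1; then
            readlink -f "$fi_ca"
            return 0
        fi
    done
    return 1
}

# Usage (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -showcerts </dev/null > allcerts
#   n=$(split_chain allcerts cert) && find_issuer "cert.$n.pem"
```

Run `find_issuer` on the last certificate the server sent: a return of 1 means the local store holds no CA for that issuer, for example when the server omits an intermediate certificate.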