Hey everyone, I'm trying to get a lay of the land for OS and Application Certificate Stores. Can someone confirm that I have this concept right?
If the application you're using say Firefox has it's own trusted CA store, it uses that exclusively. So if you're running firefox in Windows, Firefox will only check the validity of certificates on it's own store, and not ever reference the Microsoft Store.
As opposed to using internet explorer in Windows where it exclusively uses the Microsoft CA store.
This is something I'm unsure of, does iOS, Linux and Android provide a trusted suite of CA's? Where is it in the File system? It's my impression that these OS' use the SSL command suite to verify certificates? Or do these OS' offer no store, and just hope that the application is doing the checking of certificates?
For instance, right now I"m using google chrome in linux. When I go into the browser settings and advanced settings, to certificates, I get a list of trusted CA's. Where is this list coming from my Linux OS, or the browser itself?
Well, I can poke around on my own workstation and get answers that apply to it. Not sure about your setup. openSSL first... In /etc, I found my openssl.cnf file. It says:
Code:
dir = ../../CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
So now I know where my openSSL certs are stored. Those directories are empty as I expected. I don't know anyone who actually uses openSSL. But openSSL has a magnificient crypto library. Everybody installs openSSL to get access to that library. It is a prerequisite to openSSH. This leads people to think that SSH uses SSL, but it doesn't. The openSSH guys just did not want to rewrite that crypto library.
Since my openSSH cert database is empty but my firefox can talk https, a reasonable guess is that firefox must use its own database. The docs say it is per user and stored under .mozilla somewhere in a file called cert8.db. It needs to get seeded with a list of trusted top-level guys. I don't know how firefox does that. I hope it calls home at profile creation time to get the most recent list from firefox.com.
A much more interesting question is how does someone become a trusted top level certificate authority? So for example, where Go-Daddy decided to get into the business, how do they get themselves added to the list? To phrase it another way, if I wrote a new browser, how would I get a definative list? (besides just copying a list from a pre-existing browser) If anyone knows, please post a followup.
Great explanation, thanks! Also from how I had it explained to me... when a new CA emerges, they sort of 'earn their spurs' by having other CA's sign their certs.
Is openssl and NSS the main to preferred methods to open an SSL connection?
Lastly, I know revocation checking is done with either a CRL check or the OCSP protocol, are these built into openssl or nss?
NSS is the name of the suite of protocols as far as I know. There may be some product or software that itself NSS but I don't know about it.
My feeling is that most SSL connections are opened by browsers and I do not believe that browsers use openssl in a direct sense. They may be based on openssl but I'm not sure about that.
I don't believe that revocation checking is built into openssl. Those trusted third parties charge money for their service and it is reasonable to expect them to handle revocations internally. You talk to the third party every time a connection is established. Expirations are another matter. The expiration date is built into the certificate. Your browser can point out expirations without asking the third party. What can the third party say except, "yep, expired alright."?
I pay attention to expirations. Most may be innocent, but web sites with a clue won't let their certificates expire.
Well, I can poke around on my own workstation and get answers that apply to it. Not sure about your setup. openSSL first... In /etc, I found my openssl.cnf file. It says:
Code:
dir = ../../CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
So now I know where my openSSL certs are stored. Those directories are empty as I expected. I don't know anyone who actually uses openSSL. But openSSL has a magnificient crypto library. Everybody installs openSSL to get access to that library. It is a prerequisite to openSSH. This leads people to think that SSH uses SSL, but it doesn't. The openSSH guys just did not want to rewrite that crypto library.
Since my openSSH cert database is empty but my firefox can talk https, a reasonable guess is that firefox must use its own database. The docs say it is per user and stored under .mozilla somewhere in a file called cert8.db. It needs to get seeded with a list of trusted top-level guys. I don't know how firefox does that. I hope it calls home at profile creation time to get the most recent list from firefox.com.
A much more interesting question is how does someone become a trusted top level certificate authority? So for example, where Go-Daddy decided to get into the business, how do they get themselves added to the list? To phrase it another way, if I wrote a new browser, how would I get a definative list? (besides just copying a list from a pre-existing browser) If anyone knows, please post a followup.
My guess is that Chrome also keeps its own list.
You are of course correct - Firefox does indeed have its own OpenSSL CACertificate store, you can locate it's branch by doing a: ls -a and then going into the directory .(dot)firefox and then finding the CACert folder hidden deep within it's bowls like some kind of long lost and forelorn secret, inside is a certificate for the DoD. In wake of the spying revelations of late I would be guessing thats Fox-Acid! And of course Boundless Geo would be part of the Firefox Geo_IP Stack - Boundless Informant! Oh dear, what has Mozilla been up to? Time to expell all major Browsing Vendors that cant respect there users privacy rights. Sadly that looks like it includes MozDev!
Secure sockets, hahahahahahahahahahahahaha!~ No... Not unless you own all the Keys!
An that Right there is the Root (pun!) of the problem.
Correct me if I am wrong, but we get these Certificates issued by the likes of EQUIFAX & Wells Fargo because they are a part of the "Bank" and thusly part of the Federal Reserve that owns and controls a large portion of the worlds wealth, whilst being totally bust (no gold folks) and those certificates are issued by RSA and we accept the use of those Certificates on the Merit of Trust..
But as of Late, I dont think there's a single programmer around after the Dual Elliptic farce & heartbleed that still has a lot of trust in RSA and it should be clear to us all by now where advertising networks loyalties lay, is obviously with there Wallet!
We'd all be very hard pressed to miss what is so obviously stairing us all in the face not to mention, the leaked Documents on the ACLU Website clearly show Server to Server authentication whilst it's all happening.
The Fortune 500 has no Fortune, it's held together by Fraud & Lies - So they've now decended into petty thievery to try and make it all work in there favor whilst hidding behind the best Lawyers there ill gotten money can buy. There must have been something wrong with Mosaic the 16 Bit DEC Browser available in Windows 3.1 because it got upgraded to IE 32 Bit and Windows 95 with NSA_Key.dll
Hello!
I had a cron job running on my website, activating a php script every friday. The Php script just activated another photo to add in the gallery. It worked fine until I got an SSL certificate for my website, then everything broke.
This was the command before:
lynx -source... (0 Replies)
Hi guys,
I'm trying to generate a key using the genkey command in centos 6.4 and RHEL6.4, Every thing seems to go cool but I get this error message bad certificate request error -8016 and no key/cert is generated. I don't want use the many openssl(s) commands instead since genkey is a shourtcut... (4 Replies)
Hi,
I was trying to enable SSL cert on WebLogic 10.3 (CentOS),
I don't have a third party Certificate Authority(C.A) to get the .csr file certified.
Is there an alternate way that replaces the step sending .csr file to CA ?
Thanks
SZS (1 Reply)
Hi,
I want to renew the ssl certificate for one of my application on tomcat without down time. I want to know what would the possible impacts for the users who currently have sessions to the app.
Regards,
Arumon (1 Reply)
we are doing TCP for our systems. I have a working SSL certificate on prodction webserver. Im planning to export it to our DR server for TCP purposes. However when I export based on the procedure below, it doesn't work. When I restart the DR webserver, it still says the certifcate is expired.Any... (1 Reply)
Hi guys.
I have some questions about ssl certificates.
I looked at SSL providers and saw that they are providing 2 types of certificates: per server or per domain.
my server host name is: srv1.example.com
I have a smtp, imap, web server on this box. but all services accessed by different... (1 Reply)
Hello,
I am new in UNIX, and some one asks me to install SSL certificates to allow exchange with an external system.
Can someone tell how to install certificate (ex : verisignxxx.cer) on a UNIX server?
Many thanks.
Tibo (4 Replies)
Dear All
Anyone know how to issue two different certification on apache virtualhost fyi i have one virtualhost eg 69.192.1.25:443 already signed with verisign how can i configure another virtualhost 69.192.1.25:443 which signing with another certificate which self signing. i search net not... (1 Reply)
Hello everybody
Hope somebody can help me
I'm trying to install SSL Certificate on Apache/mod_ssl on Linux with Zend for Oracle.
I bought and downloaded certificate from certificate from Network Solutions. Than I followed the instructions to the dot.
I created a directory for certificate... (2 Replies)
