/etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

kidgradius
Posts: 6
Joined: 2018/04/23 13:23:52

/etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by kidgradius » 2018/04/23 16:05:37

Folks,
I am a little confused as to why my '/etc/ssl/certs/ca-bundle.trust.crt' has a different TRUSTED CERTIFICATE for DigiCert High Assurance EV Root CA.


/etc/ssl/certs/ca-bundle.trust.crt

DigiCert High Assurance EV Root CA
https://ev-root.chain-demos.digicert.co ... index.html

You can see that the certs are similar; however, the default cert has a few extra characters. This is in a default install.


I found this issue when I was trying to use Citrix Receiver, which keeps throwing errors related to SSL certs. However, I thought the current cert found in /etc/ssl/cert/ca-bundle.trust.crt should work. After digging around I noticed the keys were different.

Why does the preinstalled key have more characters? Are the certs technically different?

On a side note - I am able to get my Citrix Receiver working if I download the DigiCert High Assurance EV Root CA and install. But this is beyond the scope of my question related to why the certs are different.

Thank you
KG

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: /etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by avij » 2018/04/23 16:23:50

If you run openssl x509 -in certificate.crt -text -noout for both, you will notice that the only difference is:


-Trusted Uses:
-  E-mail Protection, TLS Web Server Authentication
-No Rejected Uses.
-Alias: DigiCert High Assurance EV Root CA
The keys in the certs are the same, but for some reason these attributes differ.
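
Added example, not part of avij's post: a shell sketch that reproduces the difference described above, showing that OpenSSL's "TRUSTED CERTIFICATE" form of a cert has a longer base64 body than the plain form while the certificate fingerprint stays the same. The throwaway self-signed cert, the name "Example Test Root", the file names and the function names are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration. The certificate is a throwaway self-signed one
# generated here (constructed sample), not the DigiCert root.

# make_pair DIR: write DIR/plain.pem and DIR/trusted.pem for the same cert.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$1/key.pem" -out "$1/plain.pem" 2>/dev/null || return 1
    # -addtrust/-setalias attach OpenSSL trust attributes; -trustout writes
    # them out, producing a "TRUSTED CERTIFICATE" PEM block.
    openssl x509 -in "$1/plain.pem" \
        -addtrust emailProtection -addtrust serverAuth \
        -setalias "Example Test Root" -trustout -out "$1/trusted.pem"
}

# fingerprint FILE: SHA-256 over the certificate itself (trust data excluded).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# body_len FILE: number of base64 characters between the PEM markers.
body_len() {
    grep -v '^-----' "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# same_cert A B: succeed when both files hold the same certificate.
same_cert() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pair "$dir" || return 1
    echo "plain:   $(head -n 1 "$dir/plain.pem") ($(body_len "$dir/plain.pem") base64 chars)"
    echo "trusted: $(head -n 1 "$dir/trusted.pem") ($(body_len "$dir/trusted.pem") base64 chars)"
    same_cert "$dir/plain.pem" "$dir/trusted.pem" && echo "same certificate"
    # The extra characters decode to the trust attributes at the end of -text.
    openssl x509 -in "$dir/trusted.pem" -noout -text | tail -n 4
    rm -rf "$dir"
}

demo
```

Running `openssl x509 -in trusted.pem -out stripped.pem` (no `-trustout`) writes the plain form back out, which is the form a CA publishes for download.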

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: /etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by TrevorH » 2018/04/23 16:26:23

And running /etc/pki/tls/misc/c_info on them has them both say the same thing:

subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
notAfter=Nov 10 00:00:00 2031 GMT
--------
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

kidgradius
Posts: 6
Joined: 2018/04/23 13:23:52

Re: /etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by kidgradius » 2018/04/23 16:53:04

I appreciate the help.

If I am understanding what you are saying - the certs are the same; however, the attributes are different.

Just brainstorming here - where else could I check as to why the cert didn't work, even after symlinking to /etc/ssl/cert/?


Only after downloading the cert did the application work.

kidgradius
Posts: 6
Joined: 2018/04/23 13:23:52

Re: /etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by kidgradius » 2018/04/26 16:14:54

Hi...
I appreciate the help; however, I am still confused as to what I am really looking at.

What am I looking at when I look at the content of the 'ca-bundle.trust.crt' file? I know the key differs from the one posted on DigiCert.com because it has extra characters in the output of the 'ca-bundle.trust.crt'; however, does that not matter?

kidgradius
Posts: 6
Joined: 2018/04/23 13:23:52

Re: /etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by kidgradius » 2018/04/26 16:15:30

avij wrote:If you run openssl x509 -in certificate.crt -text -noout for both, you will notice that the only difference is:


-Trusted Uses:
-  E-mail Protection, TLS Web Server Authentication
-No Rejected Uses.
-Alias: DigiCert High Assurance EV Root CA
The keys in the certs are the same, but for some reason these attributes differ.
What do I run this command against? I am not sure where the cert file is located.

kidgradius
Posts: 6
Joined: 2018/04/23 13:23:52

Re: /etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by kidgradius » 2018/04/26 16:16:04

TrevorH wrote:And running /etc/pki/tls/misc/c_info on them has them both say the same thing:

subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
notAfter=Nov 10 00:00:00 2031 GMT
--------
I am not familiar with this command - can you post cli syntax?

Thank you

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: /etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by TrevorH » 2018/04/26 16:37:48

It's just /etc/pki/tls/misc/c_info /path/to/certfile.pem

There are some other c_* utils in that same directory too.

kidgradius
Posts: 6
Joined: 2018/04/23 13:23:52

Re: /etc/ssl/certs/ca-bundle.trust.crt shows different TRUSTED CERTIFICATE

Post by kidgradius » 2018/04/26 16:41:42

TrevorH wrote:It's just /etc/pki/tls/misc/c_info /path/to/certfile.pem

There are some other c_* utils in that same directory too.
Ok thank you... I have to be honest - I am not sure where the .pem for the DigiCert High Assurance EV Root CA resides. Do you know by any chance?

Thank you for your help... I am sort of new to Linux and trying to increase my knowledge of certs.
