Gentoo Forums
Is there any reliable way to distrust a ca-certificate?
sergeev917
n00b


Joined: 04 Apr 2014
Posts: 10

Posted: Wed Feb 03, 2016 9:38 am    Post subject: Is there any reliable way to distrust a ca-certificate?

I want to manage the list of certificate authorities which are installed in my system.

A way to add custom certificates is present -- it is mentioned in the man page of update-ca-certificates(8) that all certificates from /usr/local/share/ca-certificates are automatically pushed into the trusted store.

But I've failed to find a convenient way to distrust (remove from the trusted store) a certificate which comes with the standard distribution. The /etc/ca-certificates.conf file has a header that says "do not edit" and "automatically generated"; nevertheless it is protected from silent rewrite by /etc/env.d/98ca-certificates.

The hooks in /etc/ca-certificates/update.d are invoked after all processing is done, so using them will lead to an overcomplicated scheme where an update takes two passes over the certificate store (since the batch file /etc/ssl/certs/ca-certificates.crt with all trusted certificates is generated in place).

I tried to find any useful information on the topic, but it seems that this is not a popular theme.
Is there any way to do such a task (and without hacks which will break after some updates are introduced)?
Schnulli
Guru


Joined: 25 Jun 2010
Posts: 320
Location: Bremen DE

Posted: Wed Feb 10, 2016 12:06 am

Hi,
try out Seahorse, maybe it helps you; it's a GUI app.

regards
gordonb3
Apprentice


Joined: 01 Jul 2015
Posts: 185

Posted: Thu Feb 11, 2016 11:18 am

Seems to me you can delete whatever you don't want from /usr/share/ca-certificates and then run `update-ca-certificates --fresh`.

Obviously the untrusted CAs will return when you receive an update of app-misc/ca-certificates, but you could mask that.
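Whichever route is taken (deleting from /usr/share/ca-certificates and running `update-ca-certificates --fresh`, or a patched overlay), the check worth having afterwards is proof that the CA is really gone from the generated bundle. The script below is an added example, not code from this thread or from ca-certificates: it lists the SHA-256 fingerprints of every certificate in a PEM bundle such as /etc/ssl/certs/ca-certificates.crt and reports which entries of a denylist are still present. The sample bundle is constructed (arbitrary bytes, not real certificates) and the command-line arguments are assumptions.

```python
"""Audit a PEM CA bundle against a denylist of SHA-256 fingerprints."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample bundle: the base64 bodies are arbitrary bytes, NOT real
# certificates; only the SHA-256 of the decoded DER bytes matters here.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgc2FtcGxlIENBICMxIChub3QgYSByZWFsIGNlcnQp
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgc2FtcGxlIENBICMyIChub3QgYSByZWFsIGNlcnQp
-----END CERTIFICATE-----
"""

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated like openssl x509 -fingerprint."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def bundle_fingerprints(bundle_pem: str) -> list[str]:
    """Fingerprint of every certificate in the bundle, in file order."""
    fps = []
    for body in PEM_RE.findall(bundle_pem):
        der = base64.b64decode("".join(body.split()))  # drop PEM line breaks
        fps.append(fingerprint(der))
    return fps

def normalize(fp: str) -> str:
    """Accept fingerprints with or without colons, in any case."""
    return fp.replace(":", "").replace(" ", "").upper()

def still_trusted(bundle_pem: str, denylist: set[str]) -> list[str]:
    """Denylisted fingerprints that are still present in the bundle."""
    wanted = {normalize(fp) for fp in denylist}
    return [fp for fp in bundle_fingerprints(bundle_pem) if normalize(fp) in wanted]

if __name__ == "__main__":
    # Assumed usage: audit.py /etc/ssl/certs/ca-certificates.crt FP1 [FP2 ...]
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    found = still_trusted(bundle, set(sys.argv[2:]))
    for fp in found:
        print("STILL TRUSTED:", fp)
    sys.exit(1 if found else 0)
```

Run it without a denylist to print nothing and exit 0; a non-zero exit means a CA you meant to distrust survived the regeneration.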
sergeev917
n00b


Joined: 04 Apr 2014
Posts: 10

Posted: Thu Feb 11, 2016 11:26 am

> Seems to me you can delete whatever you don't want from /usr/share/ca-certificates and then run `update-ca-certificates --fresh`.

It is not exactly a stable solution: it will break qcheck scans, and there will also be a problem with quickpkg packages.
And I want to receive updates of ca-certificates, since it is obviously a good idea in the first place (for example, to distrust some revoked certificate).
The additional problem here is that the ca-certificates ebuild doesn't have user epatch in it, so the workaround moves from /usr/portage/patch to a local overlay, which is not that great.
gordonb3
Apprentice


Joined: 01 Jul 2015
Posts: 185

Posted: Thu Feb 11, 2016 1:31 pm

A local overlay could still be auto generated from the regular portage tree. Simply sync with the corresponding part of the tree (/usr/portage/app-misc/ca-certificates), patch the ebuilds to accept your user patch/delete entries prior to merge and (re)generate the manifest.
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1717

Posted: Thu Feb 11, 2016 5:14 pm

I'd try revoking those certificates. You can do that with a certificate revocation list. Of course, a CRL that suits your purpose will be hard to find, so you have to create one.
To create a CRL, you must be a certificate authority.
To be a certificate authority, you must possess a valid and trusted certificate.
The good news is, you can create that certificate with openssl, and then you can trust it. Gratz, you have just become your own certificate authority supporting one user (yourself!)

One thing I'm not sure about with this approach is whether or not you can revoke certificates issued by third parties. If you can... Well, revoking a certificate disables it permanently, so it should fix the problem for a long time: until a new certificate replaces the one you revoked.