[GRLUG] DigiNotar Cert
Adam Tauno Williams
awilliam at whitemice.org
Mon Sep 5 11:05:19 EDT 2011
On Sat, 2011-09-03 at 23:30 -0400, Jeff DeFouw wrote:
> On Sat, Sep 03, 2011 at 09:05:30PM -0400, Jonathan Jesse wrote:
> > We were talking about the DigiNotar cert problem at the GRLUG social and I
> > wondered where that was stored on my system to remove it. I noticed today
> > an update for a package ca-certificates which made changes to
> > /etc/ssl/certs. Is that where that information is stored?
> > I still see the DigiNotar cert in Chrome that I can untrust but still no way
> > to delete it
> /etc/ssl/certs is a shared location often used by servers and command
> line tools, but it's up to each program.
+1 And if you remove/add certificates there, don't forget to *rehash*
the directory; which is simply the most obscure action in all of
sys-admin land.
Usually "/usr/bin/c_rehash".
I've been doing this for ~20 years and I still occasionally forget about
the stupid rehash.
> I would expect programs with
> built-in certificate management like Firefox and Chrome have their own
> storage.
+1; on anything other than Windows a new/old certificate has to get
imported/approved/removed/revoked in multiple places.
At minimum the list is:
1. /etc/ssl [OpenSSL default cert repository]
2. Mozilla [if you use Firefox and/or Thunderbird]
3. Chrome [if you use that]
4. Seahorse [if you use certificates from GNOME applications]
<aside>I assume KDE has an equivalent to Seahorse; I have no idea what
that is.</aside>
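What the rehash step discussed above does, as an added example that is not part of the original message: OpenSSL finds CAs in a directory through symlinks named after each certificate's subject hash, so a certificate added without a rehash is not found, and one deleted without a rehash leaves a stale link behind. The function names are made up for this sketch, the test CA is constructed in a temp directory, and `openssl rehash` (OpenSSL 1.1.0 and later) is tried before the `c_rehash` script named in the message.

```shell
#!/bin/sh
# Added example: hash links in an OpenSSL CA directory and what a forgotten
# rehash leaves behind. Function names are hypothetical, chosen for this sketch.

# Rebuild the <subject-hash>.N symlinks OpenSSL uses to look up CAs in DIR.
rehash_dir() {
    if openssl rehash "$1" >/dev/null 2>&1; then return 0; fi  # OpenSSL >= 1.1.0
    c_rehash "$1" >/dev/null                                   # older installs
}

# Print certificate files in DIR (not the hash links) whose subject contains TEXT.
find_ca() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        openssl x509 -noout -subject -in "$f" 2>/dev/null | grep -qi -- "$2" && echo "$f"
    done
    return 0
}

# Print hash links in DIR that dangle, or whose name no longer matches the
# subject hash of the certificate they point to.
stale_links() {
    for l in "$1"/*; do
        [ -L "$l" ] || continue
        name=${l##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ ! -e "$l" ]; then echo "$l"; continue; fi   # target was removed
        h=$(openssl x509 -noout -subject_hash -in "$l" 2>/dev/null) || h=
        [ "${name%%.*}" = "$h" ] || echo "$l"
    done
}

# Demo on a constructed throwaway CA in a temp dir (never touches /etc/ssl).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/test-ca.pem" 2>/dev/null || return 1
    rehash_dir "$d"
    rm "$d/test-ca.pem"     # remove the CA file but forget the rehash
    stale_links "$d"        # the leftover hash link is reported
    rehash_dir "$d"         # the rehash clears it
    stale_links "$d"        # prints nothing now
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the leftover link appear and disappear; `find_ca DIR TEXT` only lists matching files and changes nothing.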