The website https://honiglab.c2b2.columbia.edu/ updated their certificate a couple of weeks ago (28 Jan 2022), and since then curl has failed to validate the trust chain. Checking it with SSL Labs https://www.ssllabs.com/ssltest/analyze … lumbia.edu, it turned out that the chain is incomplete and an intermediate certificate has to be downloaded: the server's cert is signed by the "InCommon RSA" key, which is signed by "USERTrust RSA"; the latter is a root certificate shipped in Arch's ca-certificates-mozilla package. Looking at Mozilla's page https://wiki.mozilla.org/CA, they have separate lists for root and intermediate certificates. The intermediate certificates are not in the Arch package (but they are definitely available for Firefox, as it has no problem opening the page above). From this page: https://wiki.mozilla.org/CA/Intermediate_Certificates I accessed the CSV file "Non-revoked, non-expired Intermediate CA Certificates chaining up to roots in Mozilla's program with the Websites trust bit set", which contained the InCommon intermediate certificate. Then I manually copied it to a file and added it to the system's certificates:
# Pull Mozilla's intermediate CA report, select the "InCommon RSA" row (matched by name and the identifier 0A05C in that row)
# and capture the quoted PEM block. grep -z NUL-terminates its output, so strip that byte before writing the .crt file.
curl 'https://ccadb-public.secure.force.com/mozilla/MozillaIntermediateCertsCSVReport' | grep -Pzo '(?s)InCommon RSA[^-]+?0A05C[^-]+"\K-+BEGIN[^"]*(?=")' | tr -d '\0' > /tmp/incommon.crt
# Install it as a local trust anchor and regenerate the extracted bundles (run as root)
mv /tmp/incommon.crt /etc/ca-certificates/trust-source/anchors/
update-ca-trust
After this the certificate was included in /etc/ca-certificates/extracted/tls-ca-bundle.pem (linked to /etc/ssl/cert.pem) and curl was able to download from the page mentioned above.
However, I doubt this should be an everyday procedure. I am wondering if there is any way to maintain the intermediate certs automatically, just like the root certs are updated by pacman?
Last edited by deeenes (2022-02-20 23:13:58)
It's the other way around: if a server (like honiglab.c2b2.columbia.edu) exchanges its certificate in such a way, the intermediate certificate must be provided by the server too. For example, apache had its own (now obsolete) configuration option for this purpose (SSLCertificateChainFile).
The host certificate and all the intermediate certificates have to be chained together. The client application only needs the root certificates.
Last edited by -thc (2022-02-19 15:43:13)
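As an added example (not code from the thread or from any of the posters), the script below builds a throwaway root -> intermediate -> leaf chain with openssl and reproduces the point made in the answer above: a client that trusts only the root rejects the leaf when it is presented alone, and accepts it as soon as the intermediate is supplied alongside it, which is the server's job. The scratch directory, CA names and hostname are made up for the demo; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a toy root -> intermediate
# -> leaf chain with openssl and checks how a client that trusts only the
# root behaves with and without the intermediate. All names are hypothetical.

# Hypothetical scratch directory for the generated keys and certificates.
WORK="${WORK:-$(mktemp -d)}"

make_toy_pki() {
    # Minimal openssl config: a DN section so 'req' works without the
    # system openssl.cnf, plus extension profiles for CAs and the leaf.
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.test
EOF
    # Root CA: self-signed. This is the only certificate the client needs.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/req.cnf" -extensions v3_ca -subj '/CN=Demo Root CA' \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
    # Intermediate CA: CSR signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj '/CN=Demo Intermediate CA' \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/req.cnf" -extensions v3_ca \
        -out "$WORK/int.pem" >/dev/null 2>&1 || return 1
    # Leaf (server) certificate: CSR signed by the intermediate, not the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj '/CN=www.example.test' \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/req.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Client holds only the root; the server sent only its leaf. This is the
# incomplete-chain situation: openssl reports "unable to get local issuer
# certificate" and the function returns non-zero.
verify_leaf_alone() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server also presents the intermediate. -untrusted
# models certificates received in the handshake: usable to build the
# chain but not trusted on their own. Verification now succeeds.
verify_with_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# What the server operator should deploy: leaf first, then intermediates,
# root omitted (the client already has it). Prints the number of
# certificates in the resulting chain file.
build_chain_file() {
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/fullchain.pem"
}

make_toy_pki || { echo "could not build the toy PKI (is openssl installed?)" >&2; exit 1; }
if verify_leaf_alone; then
    echo "leaf alone: verified (unexpected)"
else
    echo "leaf alone: rejected, the client has no way to reach the root"
fi
if verify_with_chain; then
    echo "leaf + intermediate: verified against the root alone"
fi
echo "fullchain.pem holds $(build_chain_file) certificates (leaf, intermediate)"
```

Against a live host the same check is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, which prints every certificate the server sends; a server that sends only one (the leaf) is the case described in the thread, and `curl -v` then fails with "unable to get local issuer certificate". The fix belongs on the server: serve the concatenated leaf-plus-intermediates file rather than adding intermediates to clients.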
Thanks, now it's all clear!