|
|
08-25-2008, 04:59 PM
|
|
|
Fedora User Certificates
2008/8/22 Kai Engert <kaie@redhat.com>:
> Parts of the Fedora infrastructure do not use certificates issued by a
> CA already trusted by Firefox, but from Fedora's own certificate authority.
>
> If you decide to trust Fedora to issue certificates that can identify
> web sites, you could decide to import that CA cert to your set of
> trusted roots.
>
> You could go to https://admin.fedoraproject.org/fingerprints and install
> the CA certificate available from the bottom of that page.
>
> (Unfortunately the mime type currently is not application/x-x509-ca-cert
> so you have to safe that file, and then open it, you might even have to
> go to certificate manager and open the authorities tab, then import from
> there.)
>
> You can confirm the origin of the certificate by comparing the
> fingerprint presented by Firefox with the one listed on the fingerprints
> page (at least you'll know that the fingerprints page and the CA are
> controlled by the same people).
>
> Hope that helps,
> Kai
Has anyone had any luck importing the revocation list into Firefox?
When I choose the import button on the revocation list tab, I do not
get a file browser like I do with the other options. I just get a box
asking me where the revocation list information is stored, with a text
field. I put the absolute pathname in, click OK ... and nothing
happens. No error messages. No success either.
--
Jerry James
http://loganjerry.googlepages.com/
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-25-2008, 05:02 PM
|
|
|
Fedora User Certificates
Dennis Gilmore wrote:
ive had one other report of the certs being weird looking. and i was unable to
reproduce the issue. they look fine to me in all sources. from the original
all the way through what ive downloaded in the three exposed places. what did
you use to open them?
Vi.
$ vi .fedora-server-ca.cert
Compare top and bottom half of the file. First lines are too long
(because of the extra spaces), bottom lines not.
Or use "od -x" ...
~buc
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-25-2008, 06:07 PM
|
|
|
Fedora User Certificates
On Monday 25 August 2008 11:02:21 am Dmitry Butskoy wrote:
> Dennis Gilmore wrote:
> > ive had one other report of the certs being weird looking. and i was
> > unable to reproduce the issue. they look fine to me in all sources. from
> > the original all the way through what ive downloaded in the three exposed
> > places. what did you use to open them?
>
> Vi.
>
> $ vi .fedora-server-ca.cert
>
> Compare top and bottom half of the file. First lines are too long
> (because of the extra spaces), bottom lines not.
>
> Or use "od -x" ...
i use vi and it honestly is as expected. could you email me your copy of one
of the ca certs so i can see on the file you got. ive not been able to
reproduce it at all.
Dennis
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-25-2008, 06:23 PM
|
|
|
Fedora User Certificates
Dennis Gilmore wrote:
On Monday 25 August 2008 11:02:21 am Dmitry Butskoy wrote:
Dennis Gilmore wrote:
ive had one other report of the certs being weird looking. and i was
unable to reproduce the issue. they look fine to me in all sources. from
the original all the way through what ive downloaded in the three exposed
places. what did you use to open them?
Vi.
$ vi .fedora-server-ca.cert
Compare top and bottom half of the file. First lines are too long
(because of the extra spaces), bottom lines not.
Or use "od -x" ...
i use vi and it honestly is as expected. could you email me your copy of one
of the ca certs so i can see on the file you got. ive not been able to
reproduce it at all.
Sent you in private.
~buc
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-25-2008, 06:25 PM
|
|
|
Fedora User Certificates
On Mon, 25 Aug 2008 12:07:10 -0500, Dennis Gilmore wrote:
> On Monday 25 August 2008 11:02:21 am Dmitry Butskoy wrote:
> > Dennis Gilmore wrote:
> > > ive had one other report of the certs being weird looking. and i was
> > > unable to reproduce the issue. they look fine to me in all sources. from
> > > the original all the way through what ive downloaded in the three exposed
> > > places. what did you use to open them?
> >
> > Vi.
> >
> > $ vi .fedora-server-ca.cert
> >
> > Compare top and bottom half of the file. First lines are too long
> > (because of the extra spaces), bottom lines not.
> >
> > Or use "od -x" ...
>
> i use vi and it honestly is as expected. could you email me your copy of one
> of the ca certs so i can see on the file you got. ive not been able to
> reproduce it at all.
Just follow the thread...
$ wget https://admin.fedoraproject.org/accounts/fedora-server-ca.cert
$ emacs fedora-server-ca.cert
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-25-2008, 07:00 PM
|
|
|
Fedora User Certificates
On Mon, Aug 25, 2008 at 09:59:31AM -0600, Jerry James wrote:
> Has anyone had any luck importing the revocation list into Firefox?
> When I choose the import button on the revocation list tab, I do not
> get a file browser like I do with the other options. I just get a box
> asking me where the revocation list information is stored, with a text
> field. I put the absolute pathname in, click OK ... and nothing
> happens. No error messages. No success either.
I am far from on expert on such things, but I did happen to just do
this for my personal infrastructure. (Plus, I stayed at a Holiday
Inn Express last night!)
It looks to me like the CRL is in a PEM format instead of a DER format.
Perhaps the crl tool will convert it properly (haven't tried)?
http://www.openssl.org/docs/apps/crl.html
Hth!
John
--
John W. Linville
linville@redhat.com
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-25-2008, 07:21 PM
|
|
|
Fedora User Certificates
On Monday 25 August 2008 01:00:25 pm John W. Linville wrote:
> On Mon, Aug 25, 2008 at 09:59:31AM -0600, Jerry James wrote:
> > Has anyone had any luck importing the revocation list into Firefox?
> > When I choose the import button on the revocation list tab, I do not
> > get a file browser like I do with the other options. I just get a box
> > asking me where the revocation list information is stored, with a text
> > field. I put the absolute pathname in, click OK ... and nothing
> > happens. No error messages. No success either.
>
> I am far from on expert on such things, but I did happen to just do
> this for my personal infrastructure. (Plus, I stayed at a Holiday
> Inn Express last night!)
>
> It looks to me like the CRL is in a PEM format instead of a DER format.
> Perhaps the crl tool will convert it properly (haven't tried)?
>
> http://www.openssl.org/docs/apps/crl.html
http://www.freesoft.org/CIE/RFC/1422/34.htm
apache expects the crl to be pem format http://www.apache-
ssl.org/docs.html#SSLUseCRL we are using the crl with apache on the lookaside
cache and koji.
Dennis
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-25-2008, 07:44 PM
|
|
|
Fedora User Certificates
On Mon, Aug 25, 2008 at 01:21:26PM -0500, Dennis Gilmore wrote:
> On Monday 25 August 2008 01:00:25 pm John W. Linville wrote:
> > On Mon, Aug 25, 2008 at 09:59:31AM -0600, Jerry James wrote:
> > > Has anyone had any luck importing the revocation list into Firefox?
> > It looks to me like the CRL is in a PEM format instead of a DER format.
> > Perhaps the crl tool will convert it properly (haven't tried)?
> >
> > http://www.openssl.org/docs/apps/crl.html
>
> http://www.freesoft.org/CIE/RFC/1422/34.htm
>
> apache expects the crl to be pem format http://www.apache-
> ssl.org/docs.html#SSLUseCRL we are using the crl with apache on the lookaside
> cache and koji.
Sure, fine. But Jerry was trying to load the CRL into his browser,
and AFAIK Firefox wants the DER format.
John
--
John W. Linville
linville@redhat.com
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-25-2008, 09:00 PM
|
|
|
Fedora User Certificates
Dennis Gilmore wrote:
> i use vi and it honestly is as expected. could you email me your
> copy of one of the ca certs so i can see on the file you got. ive
> not been able to reproduce it at all.
Take a look at the files with :set list on in vim, e.g.:
curl https://admin.fedoraproject.org/accounts/fedora-upload-ca.cert|
vim -c 'set list' -
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Sometimes you get the blues because your baby leaves you. Sometimes
you get'em 'cause she comes back.
-- B.B. King
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
08-26-2008, 09:42 AM
|
|
|
Fedora User Certificates
On Mon August 25 2008, Dennis Gilmore wrote:
> i use vi and it honestly is as expected. could you email me your copy of
> one of the ca certs so i can see on the file you got. ive not been able
> to reproduce it at all.
I can reproduce it with:
curl --silent https://admin.fedoraproject.org/accounts/fedora-server-ca.cert |
xxd | head -n 241
Regards,
Till
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
|
|
|
All times are GMT. The time now is 08:43 PM.
VBulletin, Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org
|
