ca-certs for https://git.php.net

Tomasz Pala gotar at polanet.pl
Sun Mar 14 04:06:36 CET 2021


On Fri, Mar 12, 2021 at 21:36:09 +0200, Elan Ruusamäe wrote:

> $ q ca-certificates
> ca-certificates-20210119-3.noarch
> 
> 
> here's probably the problem source, the host has ca-certificates 
> installed, and very old config:
> 
> $ l /etc/ca-certificates.conf*
> -rw-r--r-- 1 root root 6.3K Feb  1  2010 /etc/ca-certificates.conf
> -rw-r--r-- 1 root root 5.5K Mar 12 12:51 /etc/ca-certificates.conf.rpmnew
> 
> perhaps the package provided certs should be moved to 
> /usr/share/ca-certificates/ca-certificates.conf and 
> /etc/ca-certificates.conf be only local customizations?


Do not reinvent the wheel, introduce the distro-agnostic and widely adopted update-ca-trust:

https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-file-in-centos-7
https://gist.github.com/kekru/deabd57f0605ed95d5c8246d18483687
https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/
https://wiki.archlinux.org/index.php/User:Grawity/Adding_a_trusted_CA_certificate
https://fedora.pkgs.org/32/fedora-x86_64/ca-certificates-2020.2.40-3.fc32.noarch.rpm.html
https://fedoraproject.org/wiki/CA-Certificates


Second thing - please move away all the additional/local (national) CAs from the global
package; I don't trust ESTEID, you shouldn't trust Certum (or should you? [1]).

I have no idea if Terena should be trusted by default:
https://www.geant.org/Services/Trust_identity_and_security/Pages/TCS.aspx
https://wiki.geant.org/display/TCSNT/TCS+wiki+%282020%29+Sectigo

but I definitely do not need them:

https://wiki.geant.org/display/TCSNT/TCS+Participants+Sectigo


OTOH I use NCCert-signed EuroCert certificates for ePUAP validation. Here comes the quest:
find the valid ones.

https://www.nccert.pl/ root CA:
	-> https://www.nccert.pl/files/nccert2016.crt

https://www.nccert.pl/zaswiadczenia.htm EuroCert_QCA3_2017.crt doesn't work
	-> https://www.nccert.pl/files/EuroCert_QCA3_2017.crt
        Serial Number:
            47:00:3d:10:9e:95:cc:29:5e:b6:3a:b7:82:43:0c:55:e7:e4:b7:63
        Issuer: C=PL, O=Narodowy Bank Polski, CN=Narodowe Centrum Certyfikacji/2.5.4.97=VATPL-5250008198
        Validity
            Not Before: Mar 14 11:39:23 2017 GMT
            Not After : Mar 14 23:59:59 2028 GMT
        Subject: 2.5.4.97=VATPL-9512352379, C=PL, O=EuroCert Sp. z o.o., CN=Centrum Kwalifikowane EuroCert

https://eurocert.pl/pub/Prawo/		QCA03_Eurocert_2017.der works fine
	-> https://eurocert.pl/pub/Prawo/QCA03_Eurocert_2017.der
        Serial Number:
            1a:57:34:b0:d4:72:d2:51:e1:d3:7c:fe:3d:79:6a:c1:17:10:24:90
        Issuer: C=PL, O=Narodowy Bank Polski, CN=Narodowe Centrum Certyfikacji/2.5.4.97=VATPL-5250008198
        Validity
            Not Before: Feb 14 12:26:19 2017 GMT
            Not After : Feb 14 23:59:59 2028 GMT
        Subject: 2.5.4.97=VATPL-9512352379, C=PL, O=EuroCert Sp. z o.o., CN=Centrum Kwalifikowane EuroCert



However - and this might also be the case of ESTEID - I do use the
NCCert CA to validate the documents, but I don't need them to be in the
main CA bundle and trusted by default by all the system apps.

These certificates are used for private resources and might simply
reside in a separate directory (I use /etc/pki/nccert) to be pointed to when needed.


[1] back in 2003 I also added Unizeto (Certum):
http://git.pld-linux.org/packages/certificates

It's been 18 years and if they didn't make it into some global widely
adopted bundle, they should go into separate subpackage.


In general, we shouldn't mix CAs from different resources (unless we're
going to start and really manage our own list).


Even more, I'd be pleased if the main bundle was split into parts of
globally respected ones and the rest. I don't need to trust any CA from
Brazil, China, Turkey (Kamu!) or Hungary.

https://wiki.mozilla.org/CA/FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F
https://wiki.mozilla.org/CA/Additional_Trust_Changes


We should be able to select alternate lists, e.g.:
https://support.google.com/a/answer/7448393
https://www.chromium.org/Home/chromium-security/root-ca-policy


Thus:
ca-certificates -> virtual package falling back to R: ca-root-bundle-mozilla
ca-root-bundle-mozilla - mozilla root program
ca-root-bundle-chrome - chrome root program (https://g.co/chrome/root-store)
ca-root-bundle-microsoft - https://aka.ms/RootCert
ca-root-individual-pl-{asseco,kir} - Asseco/Unizeto/Certum, KIR (Polish ones)
ca-root-individual-letsencrypt - single CA if I don't want any bundle
ca-root-individual-{google,apple,microsoft...} - ...and compose my own list
ca-root-private-* - installed in a way that doesn't merge them into the global CA
		(NCCert, possibly ESTEID)


-- 
Tomasz Pala <gotar at pld-linux.org>
