[pca] getupdates.oracle.com now available for testing! - certs q

Martin Paul martin at par.univie.ac.at
Fri Nov 19 11:59:48 CET 2010


Don O'Malley wrote:
> Which certs are required? (These may have changed since the Oracle acquisition)
> 
>     CN=GTE CyberTrust Global Root
>     CN=VeriSign Class 3 Secure Server CA - G2

See attached copy of getupdates.pem, in which I've included information 
about "Subject" and "Issuer" of each of the 5 included certificates. I 
used "openssl x509 -in <cert.pem> -noout -text" for that.

You'll see that nothing has changed for the Akamai cert (4), it still 
requires the same "GTE CyberTrust Global Root" (5).

For the Oracle cert (1), two Verisign certs are required, as it is signed 
by "VeriSign International Server CA - Class 3" (2) which itself is 
signed by "Class 3 Public Primary Certification Authority" (3).

It's kind of strange/unusual that the certs for Oracle/Akamai themselves 
are included in the PEM file. These are presented to the user/wget when 
accessing the servers, so they aren't needed in the ca-file, IMHO. 
Should do no harm, though, but I plan to include only 2/3/5 in PCA.

And, BTW, we wouldn't need to talk about all this if Sun/Oracle would 
deliver a default set of CA certificates with OpenSSL in Solaris for 
wget to be used, like IMO all Linux distributions do (just like 
web browsers include them). I think there's an open Feature Request on 
that for a loooong time. No idea why this was never implemented.

Martin.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: getupdates.pem
Url: https://lists.univie.ac.at/mailman/private/pca/attachments/20101119/3f5e108f/attachment.pl 
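
Added example, not part of the message above or of PCA: a Python sketch that takes the `subject=`/`issuer=` lines printed by `openssl x509 -in <cert.pem> -noout -subject -issuer` for each certificate in a bundle and works out which entries are CA certificates (candidates for a ca-file) and which are server certificates. The sample input is constructed: the CA names are the ones quoted in the message, used as stand-ins for full DNs, the two server names are placeholders, and the two roots are assumed to be self-signed.

```python
# Added example: classify the certificates of a bundle by subject/issuer name.
# Name matching only: it does not verify signatures or basicConstraints.

SAMPLE = """\
subject=oracle-server-cert (placeholder)
issuer=VeriSign International Server CA - Class 3
subject=VeriSign International Server CA - Class 3
issuer=Class 3 Public Primary Certification Authority
subject=Class 3 Public Primary Certification Authority
issuer=Class 3 Public Primary Certification Authority
subject=akamai-server-cert (placeholder)
issuer=GTE CyberTrust Global Root
subject=GTE CyberTrust Global Root
issuer=GTE CyberTrust Global Root
"""  # constructed input; certificate positions are 1-based, in bundle order

def parse_pairs(text):
    """Return [(subject, issuer), ...] from subject=/issuer= lines."""
    pairs, subject = [], None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "subject":
            subject = value.strip()
        elif sep and key.strip() == "issuer" and subject is not None:
            pairs.append((subject, value.strip()))
            subject = None
    return pairs

def classify(pairs):
    """Map position -> 'root' (self-issued), 'intermediate' or 'leaf'."""
    signers = {i for s, i in pairs if s != i}  # names that issued another cert
    return {pos: "root" if s == i else "intermediate" if s in signers else "leaf"
            for pos, (s, i) in enumerate(pairs, 1)}

def chain(pairs, pos):
    """Follow issuer names upward from pos; stops at a root or a missing issuer."""
    by_subject = {s: n for n, (s, _) in enumerate(pairs, 1)}
    path = [pos]
    while True:
        subject, issuer = pairs[path[-1] - 1]
        parent = by_subject.get(issuer)
        if subject == issuer or parent is None or parent in path:
            return path
        path.append(parent)

def ca_file_members(pairs):
    """Positions worth keeping in a ca-file: everything that is not a leaf."""
    return [pos for pos, kind in classify(pairs).items() if kind != "leaf"]

if __name__ == "__main__":
    certs = parse_pairs(SAMPLE)
    print("keep in ca-file:", ca_file_members(certs))
    for leaf in (p for p, k in classify(certs).items() if k == "leaf"):
        print("chain for cert", leaf, "->", chain(certs, leaf))
```

A chain that ends on a certificate that is not a root means the issuer is missing from the bundle; `openssl verify -CAfile` remains the check for whether the signatures actually validate.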

