[colug-432] expired keys

Rick Troth rmt at casita.net
Tue Jul 12 19:31:39 EDT 2016


certs and keys and PKI, oh my!


On 07/12/2016 05:01 PM, Rob Funk wrote:
>   openssl s_client -connect www.hpc.mil:443

Yet another handy incantation of 'openssl'. Thanks Rob! Making a note of
that one.


> Shows me this certificate chain:
>  0 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=OSD/CN=www.hpc.mil
>    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>  1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>  2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>
> That last one is self-signed. Most likely the people who use such
> sites often are set up to accept it.

Quite.
Last one calls itself a "root".
Root PKI certs are always self signed.
Root PKI certs only work when they are pre-loaded into the trust store
(e.g., of your browser).

Have been doing a lot of customer hand-holding lately on exactly this
issue.


> (When I look at it in Firefox I get an Unknown Issuer error.)

Which is exactly right. FF is simply saying that the final cert in that
chain is not in its brain.

This is all a matter of trust.

PKI is a cathedral model. Dotmil sites do their own thing. (They don't
outsource to Verisign or whomever. And they can mangle their own PCs on
their own terms.) Same thing happens with big companies: server certs
for internal sites may be issued by an internal CA. The root cert(s) for
that internal CA must be pre-loaded into the Windoze trust thingy.
(Which is what IE will use. FF and Chrome are more traditional, but your
corporate IT people know how to fix those ... if they care.) The PKI
model requires one or more "cathedrals" where you go for blessing.
PGP/GPG is more lay-minister kind of thing. (We can bless each other,
thank you very much. Or get blessed at the bazaar ... er, uh ... key
signing party.)

It's not rocket surgery, but it's also not common knowledge. Maybe a
COLUG topic?

-- R; <><



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.colug.net/pipermail/colug-432/attachments/20160712/3d7fed13/attachment-0001.html 


More information about the colug-432 mailing list