3

How to blacklist a specific CA certificate?

asked 2015-04-02 15:10:46 -0500

With the recent news about CNNIC's misbehavior by issuing false certificates (the Great Firewall DDoS of github is one example), I would like to take the steps to ensure my Fedora 21 workstation no longer trusts CNNIC-issued certs.

While their root certificate has not been revoked, both Google and Mozilla have announced future updates in which their browsers will no longer trust CNNIC. (Google Announcement, Mozilla Announcement)

What steps do I need to take to banish these certificates from my system in a way that will not interfere with the updates that will soon roll out?


Comments

2

That is an excellent question, and very relevant to all Fedora users. I don't know the answer, but I can (and will) vote you up and give you some well deserved karma.

sideburns ( 2015-04-02 15:25:39 -0500 )

1 Answer

2

answered 2015-04-02 22:11:37 -0500

Since Fedora 19, the operating system employs a feature called SharedSystemCertificates to provide a centralized certificate store for applications to reference when trusting or distrusting certificates. I'm not sure what percentage of Fedora applications actually pay attention to this feature, but it seems to be high. A test with Firefox proves that it pays attention, at least. Unfortunately, software can choose how to handle certificates, so without Fedora enforcing the feature as a requirement for the operating system (not going to happen), you'll have to be diligent.

Nonetheless, the procedure for blacklisting CNNIC's root CA is pretty simple:

  1. Just to observe the effect of this process, you may wish to first test that the offending certificate is trusted in your application (example: use Firefox to browse to https://www.cnnic.net.cn/ and use the icon next to the URL of the site to gain "More Information" and then, under the "Security" section, "View Certificate" to note that the certificate is reported as verified)
  2. Obtain the CNNIC root certificate (along with an SSL certificate issued thereby and a cnnic.cn site certificate issued through the SSL certificate): < /dev/null openssl s_client -showcerts -connect www1.cnnic.cn:https > ccnic
  3. Place the certificate chain to be blacklisted in the appropriate directory: sudo mv ccnic /usr/share/pki/ca-trust-source/blacklist/
  4. Update the SharedSystemCertificates: sudo update-ca-trust extract
  5. Restart your application (Firefox) and navigate to https://www.cnnic.net.cn/ to prove that it now distrusts the certificate. Checking the certificate information should result in a window which explicitly informs you: "Could not verify this certificate because it is not trusted."
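The five steps above as a shell script, added here as an example and not code from the original answer: it splits the s_client capture into one PEM file per certificate so that every blacklisted certificate is a separate, inspectable file, keeps the privileged steps (3 and 4) in their own function, and performs the step-5 check from the command line instead of Firefox. The chain file name, host and blacklist directory are the answer's; the sample s_client output is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Copy each BEGIN/END CERTIFICATE block of $1 into $2/cert-NN.pem, dropping the
# s_client handshake chatter around the blocks. Prints the number of certs found.
# Note: servers rarely send the root itself; if the root is missing from the
# split output, take it from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
split_pem_chain() {
    infile=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$infile"
}

# Constructed stand-in for "openssl s_client -showcerts" output; the base64
# bodies are placeholders, not real certificates.
write_sample_chain() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=1 CN = constructed intermediate
verify return:1
Certificate chain
 0 s:/CN=constructed leaf
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgbGVhZiwgbm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
 1 s:/CN=constructed intermediate
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgaW50ZXJtZWRpYXRlLCBub3QgYSByZWFsIGNlcnQ=
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
EOF
}

# Steps 3 and 4 (needs root; run manually). /etc/pki/ca-trust/source/blacklist/
# is the directory reserved for local admin changes and survives package
# updates; the answer's /usr/share/pki/ca-trust-source/blacklist/ works too.
install_blacklist() {
    sudo cp "$1"/cert-*.pem /etc/pki/ca-trust/source/blacklist/
    sudo update-ca-trust extract
    trust list --filter=blacklist      # shows what is now distrusted
}

# Step 5 from the command line: after the blacklist is applied, the line for
# www.cnnic.net.cn must no longer read "Verify return code: 0 (ok)".
verify_return_code() {
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null | grep 'Verify return code'
}

d=$(mktemp -d)
write_sample_chain "$d/ccnic"
echo "certificates extracted: $(split_pem_chain "$d/ccnic" "$d/split")"
```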

Stats

Asked: 2015-04-02 15:10:46 -0500

Seen: 749 times

Last updated: Apr 02 '15