gpg ca-cert-file=[which file???]

Sun Jul 16 17:16:00 GMT 2017

On 7/16/17, René Berber wrote:
> On 7/15/2017 11:56 PM, Lee wrote:
> [snip]
>> I'm guessing the "keyserver-options ca-cert-file=" needs to be
>> pointing at the ca-certificate package root store - but damnifiknow
>> where it is :(
> That lists what is being installed, and where.
> The tls-ca-bundle files contain the root certificates.

Thanks - that gets me a bit further down the rabbit hole.

I used
keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

which the ca-certificates bundle shows as a 0 byte file pointing to
which is also a 0 byte file??

but there's several README files, so let's take a look
  Distrust information cannot be represented in this file format,
  and distrusted certificates are missing from these files.

  oops. distrusted certs are missing, so I probably don't want to use
  keyserver-options ca-cert-file=/etc/pki/tls/cert.pem

  Please refer to the update-ca-trust(8) manual page for additional information.

  ok... man update-ca-trust
        Classic filename, file contains a list of CA certificates in
the extended BEGIN/END TRUSTED CERTIFICATE file format,
        which includes trust (and/or distrust) flags specific to
certificate usage. This file is a symbolic link that refers
        to the consolidated output created by the update-ca-trust command.

cool.. that sounds like what I want
  /etc/pki/tls/certs/ is a link to
so let's fix my gpg.conf:
$ grep "^keyserver" ~/.gnupg/gpg.conf
keyserver hkps://
keyserver-options check-cert=on

temporarily remove my list of public keys
$ mv ~/.gnupg/pubring.gpg ~/.gnupg/orig-pubring.gpg

start wireshark & give it a try
$ gpg --auto-key-locate keyserver --keyserver-options
auto-key-retrieve --verify
gpg: keyring `/home/Lee/.gnupg/pubring.gpg' created
gpg: assuming signed data in `'
gpg: Signature made Mon, Jun  5, 2017  2:31:57 PM EDT
gpg:                using RSA key 0xF1B11BF05CF02E57
gpg: requesting key 0xF1B11BF05CF02E57 from hkps server
gpg: key 0xF1B11BF05CF02E57: public key "Internet Systems Consortium,
Inc. (Signing key, 2017-2018) <>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing
key, 2017-2018) <>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57

yay!  I got the public key using TLS

$ cd /etc/pki/ca-trust/extracted/openssl
$ grep DigiNotar
# Explicitly Distrust DigiNotar Cyber CA
# Explicitly Distrust DigiNotar Cyber CA 2nd
# Explicitly Distrust DigiNotar Root CA
# Explicitly Distrust DigiNotar Services 1024 CA
# Explicitly Distrusted DigiNotar PKIoverheid
# Explicitly Distrusted DigiNotar PKIoverheid G2


$ grep CNNIC

  Mozilla currently recommends not trusting any certificates issued by
this CA after 1st April 2015. This covers two roots in our store -
"CNNIC ROOT" and "China Internet Network Information Center EV
Certificates Root".

back to man update-ca-trust
... and I'm lost :(

It looks like there's some certs in
/etc/pki/ca-trust/extracted/openssl/ that I don't
want to trust.. but how to tell which ones & how to set
distrust/blacklist trust flags on them?  or maybe I need to copy them
to /etc/pki/ca-trust/source/blacklist/ ???

Anyone have any pointers on how to distrust certs in (assuming that _is_ the file I should be using) or
even how to show exactly what's in there?
$ grep "#"
 shows lots of comments but
$ openssl x509  -in -noout -subject -dates
 just shows me the first cert :(


Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list