Downloads

Pubcookie with Patches Adding Certificate Information on Errors

pubcookie-3.3.3p1.tgz
tls-cert-tools.tar

SSL Certificates

AddTrust-External-CA-Root.crt
COMODO-Certification-Authority.crt

Verify the Certificate File

Here-in lies a wee trust problem. You can download a copy of a needed certificate. But can you trust it? Yes, at least if you verify its signatures.

We have to trust the Certificate Authorities (CAs) bundled with our computer systems and/or our web browsers: with MS Windows, Firefox and/or Mac OS X. And we can check the cert file you find above with the certificate used by your browser. In Safari, one can see the details of the certificate of the weblogin certificate by clicking on either a lock icon or the green "University of Toronto" shown in the location bar. I can view the chain and its details. You can find COMODO Certificate Authority and see the fingerprint of the certificate in the details.

You might also browse your root certificate store with some menu navigation similar to Preferences » Security » View Certificates. If you can find the root certificate you need, you might be able to export it and then add it to your CA bundle. This is how the certificate files here were produced.

Once you have the certificate file on a system with OpenSSL tools, you can check the fingerprints against the fingerprints seen in your web browser.

	openssl x509 -in AddTrust-External-CA-Root.crt -noout -subject -issuer -fingerprint

which should confirm:

	subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
	issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
	MD5 Fingerprint=1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F

It shows the self-signed certificate that only root CAs should have. And the Fingerprint should be seen in your browser. You can view the SHA1 fingerprint with:

	# openssl x509 -in AddTrust-External-CA-Root.crt -noout -subject -issuer -sha1 -fingerprint
	subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
	issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
	SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68

Could someone fake two fingerprints (advanced math) plus hack this site? Yes, but the web's SSL certificate infrastructure relies on this being very very very hard.

Add the certificate to your CA bundle, which should be the "ssl_ca_file" in your Pubcookie config.

OpenSSL's x509 Tool

X.509 is the world standard for SSL certificates and OpenSSL's x509 tool will help you examine certificates (which often can only be seen as Base64-encoded ---BEGIN CERTIFICATE--- blocks or, sometimes, in a binary format). Use the following command to view the essential info:

    openssl x509 -in CERTFILE -noout -subject -issuer -dates -fingerprint

The files may be PEM format (---BEGIN CERTIFICATE---) or DER. In the latter case, use

    openssl x509 -in CERTFILE -inform DER -noout -subject -issuer -dates -fingerprint