Certum Trusted Network CA 2 missing for a reason?

90 views
Skip to first unread message

basi...@gmail.com

unread,
Jan 28, 2019, 12:38:42 PM1/28/19
to mozilla-de...@lists.mozilla.org
Hi.
On various Linux distros I'm unable to access the certain site secured with "Certum Domain Validation CA SHA2". In particular, on Archlinux the trusted bundle comes from:

https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_41_1_RTM/src/nss-3.41.1.tar.gz

and it does not contain this. Chrome on Ubuntu works, but Firefox and command line tools fail.

Is it missing by mistake or for a reason?

wget https://lk.peterburgregiongaz.ru
--2019-01-28 12:00:44-- https://lk.peterburgregiongaz.ru/
Resolving lk.peterburgregiongaz.ru (lk.peterburgregiongaz.ru)... 109.120.162.59
Connecting to lk.peterburgregiongaz.ru (lk.peterburgregiongaz.ru)|109.120.162.59|:443... connected.
ERROR: cannot verify lk.peterburgregiongaz.ru's certificate, issued by ‘CN=Certum Domain Validation CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL’:
Unable to locally verify the issuer's authority.

Kathleen Wilson

unread,
Jan 28, 2019, 12:50:17 PM1/28/19
to basi...@gmail.com
"Certum Domain Validation CA SHA2" is an intermediate cert, that chains
up to the "Certum Trusted Network CA" root cert that is included in NSS.
NSS includes root certs / trust anchors (so not usually intermediate
certs).

Websites are expected to serve up the intermediate cert(s) along with
their TLS cert. The site https://lk.peterburgregiongaz.ru/ is only
serving up the TLS cert.

Other than that, I do not see any problem with the TLS cert:
https://crt.sh/?id=655675810

And the intermediate cert looks fine too -- just needs to be served up
by the webserver.
https://crt.sh/?id=5623969

Hope that helps.

Kathleen
Reply all
Reply to author
Forward
0 new messages