Re: certificate expiry


 



Thanks Samuel,

On 10/02/18 09:29, Samuel Sieb wrote:
> On 02/05/2018 01:01 PM, Eyal Lebedinsky wrote:
>> As of a month ago I started getting warnings from certwatch saying
>>      The certificate for Certificate Shack has expired
>> and
>>      The certificate for Frank Alpha has expired
>> which have now expired a week ago.
>>
>> I wanted to find out who these hosts are and should I care about the expired certs.
>>
>> So far I found these two (and no others) mentioned in the file
>>      -rw-r----- 1 root apache 65536 Jan 26  2014 /etc/httpd/alias/cert8.db
>> which is an old file which seems to be part of the mod_nss package.
>>
>> Are these real certs? Test ones left there for no reason?
>>
>> If they are not needed then what is the correct way to remove them, short of
>> removing the nss_mod module.
>
> I expect they are sample certs, but I don't know why they are included. I don't see those on my server, but my database is much older.
>
> To remove them, go to the /etc/httpd/alias directory.  Run "certutil -L -d ." to make sure of the names.

$ sudo certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
alpha                                                        u,pu,u

'man certutil' seems to not list the meaning of the attributes flags.
I can guess C and T from the args to '-t' but 'u' is not listed. Maybe just 'untrusted'?

> Then you can run "certutil -D -d . -n 'Frank Alpha'" for example to remove them from the database.

$ sudo certutil -D -d . -n 'Frank Alpha'
certutil: could not find certificate named "Frank Alpha": SEC_ERROR_BAD_DATABASE: security library: bad database.
$ sudo certutil -D -d . -n alpha
$ sudo certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u

$ sudo certutil -D -d . -n cacert
$ sudo certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u


I will keep an eye on any unusual messages.

--
Eyal at Home (fedora@xxxxxxxxxxxxxx)
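
An added example, not part of the original message: a shell helper that parses `certutil -L` output like the listings above and spells out each trust-attribute field, using the flag meanings given for `-t` in the NSS certutil documentation. The function names are made up for this example, and the sample listing is copied from the message.

```shell
# Constructed sample: the first `certutil -L -d .` listing from the message above.
sample_listing() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
alpha                                                        u,pu,u
EOF
}

# Read `certutil -L` output on stdin; print "nickname|SSL|S/MIME|JAR" per cert.
# Nicknames may contain spaces, so the trust field is taken as the last token.
parse_listing() {
    awk '$NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
        trust = $NF
        sub(/[ \t]+$/, ""); sub(/[ \t]+[^ \t]+$/, "")   # keep only the nickname
        split(trust, t, ",")
        print $0 "|" t[1] "|" t[2] "|" t[3]
    }'
}

# Expand one trust field (e.g. "CTu") into words, one flag at a time.
decode_flags() {
    flags=$1; out=
    [ -z "$flags" ] && { echo "none"; return; }
    while [ -n "$flags" ]; do
        rest=${flags#?}; f=${flags%"$rest"}; flags=$rest
        case $f in
            p) d="valid peer" ;;
            P) d="trusted peer" ;;
            c) d="valid CA" ;;
            C) d="trusted CA" ;;
            T) d="trusted CA for client authentication" ;;
            u) d="user cert (private key in key db)" ;;
            w) d="send warning" ;;
            *) d="unknown flag '$f'" ;;
        esac
        out="${out:+$out; }$d"
    done
    echo "$out"
}

# Explain all three trust fields for every certificate in a listing.
explain_listing() {
    parse_listing | while IFS='|' read -r nick ssl smime jar; do
        printf '%s: SSL=[%s] S/MIME=[%s] JAR/XPI=[%s]\n' "$nick" \
            "$(decode_flags "$ssl")" "$(decode_flags "$smime")" "$(decode_flags "$jar")"
    done
}
sample_listing | explain_listing
```

To run it against a live database, pipe the real listing in instead of the sample, for example `sudo certutil -L -d /etc/httpd/alias | explain_listing`.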