This adds one of the intermediate certificate authorities to the blacklist, and causes certificates signed by that authority not to validate.
- Make sure to complete the prerequisites before starting this test.
- You should run through the System Trust test case first. Use this to verify that access works.
- You should not currently have a blacklisted Equifax Secure Certificate Authority root, which you may have done for the Blacklist Root test case.
$ sudo rm -f /etc/pki/ca-trust/source/EquifaxSecureCertificateAuthority.pem
- This test case connects to bugzilla.redhat.com on port 443
- If firefox, epiphany or other applications are running they must be exited, as they cache information.
- Access this page without SSL. This test case page may also be blacklisted in the process of this test. So use this link: http://fedoraproject.org/wiki/QA:Testcase_Certificate_Trust:Blacklist_Intermediate
How to test
- Blacklist the GeoTrust SSL CA intermediate certificate authority by its serial number and issuer DN:
$ sudo cp ~/certificate-trust-test-cases/Distrust-intermediate-by-serial.p11-kit /etc/pki/ca-trust/source/
- The target
source/directory should already exist.
- Firefox should recognize the blacklisting:
- Quit firefox completely
$ firefox https://bugzilla.redhat.com
- The page should not load.
- There should be an error page stating: "This Connection is Untrusted".
- Click on the Technical Details to see: "Error code: sec_error_untrusted_issuer"
- There should be no padlock icon.
- Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
While executing each of the above commands, check the output matches what's noted for each command.
None of the above commands should load the target website.
- At the time of writing this test, the intermediate cetrificate authority for the bugzilla.redhat.com certificate is "GeoTrust SSL CA". If this changes, the test may not work as expected.
- RHBZ #924186: Firefox should be quit completely before testing.
- RHBZ #924173: For reliable results, make sure to clear the firefox cache, as described in the test prerequisites.
- The file format of the file Distrust-intermediate-by-serial.p11-kit is an internal p11-kit file format, and how its used may not be completely obvious. Contact firstname.lastname@example.org for help if you really do need to craft such a file at this time.
- In Fedora 19 none of the other crypto libraries support blacklisting of intermediates certificate authorities. We aim to change this in the future.
- In the future we aim to have a tool which automates this process.
- In order to undo the effects of this test case, run the following commands:
$ sudo rm -f /etc/pki/ca-trust/source/Distrust-intermediate-by-serial.p11-kit $ sudo update-ca-trust