From Fedora Project Wiki


This tests configuring an additional certificate authority anchor on the system, which causes certificates signed by that anchor to be trusted.


  1. Make sure to complete the prerequisites before starting this test.
  2. You should run through the Untrusted Certificate Test Case first.
  3. This test case connects to on port 9431
  4. If firefox, epiphany or other applications are running they must be exited, as they cache information.

How to test

  1. Copy the new certificate authority into the right place so it is treated as an anchor for other certificates:
    $ sudo cp ~/certificate-trust-test-cases/Cert-trust-test-ca.pem /etc/pki/ca-trust/source/anchors/
    The target anchors/ directory should already exist.
  2. Firefox should use the new system anchor automatically:
    Quit firefox completely
    $ firefox
    The page should load without an error message.
    Left of the URL should have a standard gray padlock, without a warning triangle.
    When you hover your mouse over the gray padlock, it should say "Verified by: p11-kit Test Org"
    Click on the icon, then click on More Information, then on View Certificate, , then on Details. Click on the top certificate (top line) in the Certificate Hierarchy. In certificate fields there should be a line that says: "System Trust:p11-kit Test CA"
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
  3. The other tests below require extraction of the system ca-trust compatibility bundles:
    $ sudo update-ca-trust
    This extracts the new bundles so that gnutls, openssl, and java and so on can make use of them.
    There should be no output from this command.
  4. Verify that openssl recognizes the new anchor:
    $ openssl s_client -verify 5 -connect
    You should see: Verify return code: 0 (ok)
    Press Ctrl-C to exit
  5. Check that gnutls recognizes the new anchor:
    $ gnutls-cli -p 9431
    You should see: Status: The certificate is trusted.
    Press Ctrl-C to exit
  6. Check that curl recognizes the new anhcor:
    $ curl -w "Verify: %{ssl_verify_result}\n" --head
    You should see: Verify: 0
  7. Epiphany should use the new anchor:
    Quit epiphany completely
    $ epiphany
    Right of the URL bar should have a standard gray padlock
    Clicking on the padlock should show a window which says "The identity of this website has been verified"
    Messages on the console from epiphany are probably unrelated to this test, unless they say "p11-kit".
  8. Java should use the new anchor:
    $ java -classpath ~/certificate-trust-test-cases TestCertTrust
    This uses the java test program that you compiled in the prerequisites.
    The output should say connection worked

Expected Results

While executing each of the above commands, check the output matches what's noted for each command. You should see no errors or warnings about invalid certificates or verification that failed.


  • RHBZ #924186: Epiphany and Firefox should be quit completely before testing.
  • RHBZ #924173: For reliable results, make sure to clear the firefox cache, as described in the test prerequisites.