From Fedora Project Wiki


This test verifies that an untrusted certificate without an anchor in the system certificate anchor list is rejected as expected.


  1. Make sure to complete the prerequisites before starting this test.
  2. This test case connects to on port 9431

How to test

  1. Verify that openssl rejects untrusted certificates:
    $ openssl s_client -verify 5 -connect
    You should see: Verify return code: 27 (certificate not trutsed)
  2. Check that gnutls rejects untrusted certificates:
    $ gnutls-cli -p 9431
    You should see: Status: The certificate is NOT trusted. The certificate issuer is unknown.
  3. Check that curl reject untrusted certificates:
    $ curl --head
    You should see: curl: (60) Peer's Certificate issuer is not recognized.
  4. Firefox should reject untrusted certificates:
    $ firefox
    The page should not load.
    There should be an error page stating: "This Connection is Untrusted".
    Click on the Technical Details to see: "Error code: sec_error_unknown_issuer"
    There should be no padlock icon.
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
  5. Epiphany should reject untrusted certificates:
    $ epiphany
    Right of the URL bar should have an unlocked icon, with an exclamation mark.
    Clicking on the padlock should show a window which says "The identity of this website has not been verified"
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
  6. Java should reject untrusted certificates:
    $ java -classpath ~/certificate-trust-test-cases TestCertTrust
    This uses the java test program that you compiled in the prerequisites.
    The output should say: PKIX path building failed: unable to find valid certification path to requested target

Expected Results

While executing each of the above commands, check the output matches what's noted for each command.

None of the above commands, with the exception of epiphany, should load the target page in question.


  • No notes at this time