From Fedora Project Wiki

Description

This adds one of the intermediate certificate authorities to the blacklist, and causes certificates signed by that authority not to validate.

Setup

  1. Make sure to complete the prerequisites before starting this test.
  2. You should run through the System Trust test case first. Use this to verify that access works.
  3. The Equifax Secure Certificate Authority root must not currently be blacklisted; if you blacklisted it for the Blacklist Root test case, remove that entry first:
    $ sudo rm -f /etc/pki/ca-trust/source/blacklist/EquifaxSecureCertificateAuthority.pem
  4. This test case connects to bugzilla.redhat.com on port 443.
  5. If Firefox, Epiphany or other applications are running, they must be exited, as they cache information.
  6. Access this page without SSL, because the certificate for this test case page may itself become untrusted in the course of this test. Use this link: http://fedoraproject.org/wiki/QA:Testcase_Certificate_Trust:Blacklist_Intermediate

How to test

  1. Blacklist the GeoTrust SSL CA intermediate certificate authority by its serial number and issuer DN:
    $ sudo cp ~/certificate-trust-test-cases/Distrust-intermediate-by-serial.p11-kit /etc/pki/ca-trust/source/
    The target source/ directory should already exist.
  2. Firefox should recognize the blacklisting:
    Quit firefox completely
    $ firefox https://bugzilla.redhat.com
    The page should not load.
    There should be an error page stating: "This Connection is Untrusted".
    Click on the Technical Details to see: "Error code: sec_error_untrusted_issuer"
    There should be no padlock icon.
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
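As an added example (not code from this test case or from p11-kit), the following script shows what a distrust entry like the one copied above keys on: it parses each certificate of a chain down to its issuer DN and serial number, the pair that uniquely identifies the intermediate, and reports whether a blacklist entry for that pair would make the chain fail, which is what Firefox then surfaces as sec_error_untrusted_issuer. The chain and the root name are constructed for illustration, modelled on the bugzilla.redhat.com chain described here; on a real chain, pass the DER of each certificate (for example from `openssl x509 -outform DER`).

```python
# Added example, not code from the Fedora wiki or from p11-kit: minimal DER parsing of
# just the fields a distrust entry is keyed on, plus a constructed sample chain.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}

def _tlv(data, pos):                                    # one DER TLV -> (tag, value, next pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(value):                                   # (tag, value) elements of a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def dn_to_string(name):                                 # X.501 Name contents -> 'C=.., O=.., CN=..' (encoded RDN order)
    parts = []
    for _, rdn in _children(name):                      # RDN = SET of AttributeTypeAndValue SEQUENCEs
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ", ".join(parts)
def issuer_and_serial(cert_der):                        # -> (issuer DN, serial hex): the pair a distrust entry matches
    _, cert, _ = _tlv(cert_der, 0)                      # Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])           # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # skip optional [0] EXPLICIT version
        fields = fields[1:]
    serial = format(int.from_bytes(fields[0][1], "big"), "x")
    return dn_to_string(fields[2][1]), serial           # issuer follows the signature AlgorithmIdentifier

def distrusted_in_chain(chain, distrust):               # members (leaf first) on the distrust list; any hit fails validation
    return [p for p in map(issuer_and_serial, chain) if p in distrust]

# --- constructed sample: unsigned DER skeletons carrying just the fields parsed above ---
def _enc(tag, content):                                 # short-form lengths only; samples stay below 128 bytes
    return bytes([tag, len(content)]) + content
def _name(**rdns):                                      # one PrintableString AVA per RDN
    oid_of = {v: k for k, v in OID_NAMES.items()}
    return _enc(0x30, b"".join(_enc(0x31, _enc(0x30, _enc(0x06, oid_of[k]) + _enc(0x13, v.encode())))
                               for k, v in rdns.items()))
def _fake_cert(serial, issuer, subject):                # tbs: serial, sigalg, issuer, validity, subject
    tbs = _enc(0x02, serial.to_bytes(2, "big")) + _enc(0x30, b"") + issuer + _enc(0x30, b"") + subject
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))

ROOT = _name(C="US", O="Example Root Org", CN="Example Root CA")      # constructed stand-in for the real root
INTERMEDIATE = _name(CN="GeoTrust SSL CA")                              # the intermediate named in this test case
SAMPLE_CHAIN = [_fake_cert(0x1001, INTERMEDIATE, _name(CN="bugzilla.redhat.com")),
                _fake_cert(0x0205, ROOT, INTERMEDIATE)]                # leaf first, then intermediate
DISTRUST = {("C=US, O=Example Root Org, CN=Example Root CA", "205")}   # the intermediate, by issuer DN + serial
```

An empty result from distrusted_in_chain means no blacklist entry applies, so a non-empty result on your real chain confirms the distrust file targets the certificate the page names.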

Expected Results

While executing each of the above commands, check the output matches what's noted for each command.

None of the above commands should load the target website.
Troubleshooting

  • At the time of writing this test, the intermediate certificate authority for the bugzilla.redhat.com certificate is "GeoTrust SSL CA". If this changes, the test may not work as expected.
  • RHBZ #924186: Firefox should be quit completely before testing.
  • RHBZ #924173: For reliable results, make sure to clear the firefox cache, as described in the test prerequisites.
  • The file Distrust-intermediate-by-serial.p11-kit uses an internal p11-kit file format, and how it is used may not be completely obvious. Contact p11-glue@lists.freedesktop.org for help if you really do need to craft such a file at this time.

Notes

  • In Fedora 19 none of the other crypto libraries support blacklisting of intermediate certificate authorities. We aim to change this in the future.
  • In the future we aim to have a tool which automates this process.
  • To undo the effects of this test case, run the following commands:
    $ sudo rm -f /etc/pki/ca-trust/source/Distrust-intermediate-by-serial.p11-kit
    $ sudo update-ca-trust