Updated Trust Stores, Java added
This is an update of the root certificate stores. The date of each store is from yesterday. Description update. Also the Java certificate store was added. Previously Java was omitted as it appeared not to be complete. I tested this store successfully.
parent 1416ff620b
commit f708e1420e
7303 etc/Apple.pem (File diff suppressed because it is too large)
6563 etc/Linux.pem (File diff suppressed because it is too large)
1496 etc/Microsoft.pem (File diff suppressed because it is too large)
1251 etc/Mozilla.pem (File diff suppressed because it is too large)
```diff
@ -1,25 +1,28 @@
 
-#### Certificate stores
+### Certificate stores
 
-The certificate stores were retrieved by
+The certificate trust stores were retrieved from
 
-* Mozilla; see https://curl.haxx.se/docs/caextract.html
-* Linux: Just copied from an up-to-date Linux machine
-* Microsoft: Following command pulls all certificates from Windows Update services: (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions): ``CertUtil -syncWithWU -f -f . ``.
-* Apple: It comes from Apple OS X keychain app. Open Keychain Access utility, i.e.
+* **Linux:** Copied from an up-to-date Debian Linux machine
+* **Mozilla:** https://curl.haxx.se/docs/caextract.html
+* **Java:** JRE keystore pulled + extracted with keytool from a Linux machine from $JAVA_HOME/jre/lib/security/cacerts
+* **Microsoft:** Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions).
+* **Apple:**
+1. __System:__ from Apple OS X keychain app. Open Keychain Access utility, i.e.
 In the Finder window, under Favorites --> "Applications" --> "Utilities"
 (OR perform a Spotlight Search for Keychain Access)
 --> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
 --> "Category" --> "All Items"
 Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
+2. __Internet:__ Pick the latest subdir from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension.
 
-In this directory you can also save e.g. your company Root CA(s) in PEM
-format, extension ``pem``. This has two catches momentarily: You will still
-get a warning for the other certificate stores while scanning internal net-
-works. Second catch: If you scan other hosts in the internet the check against
-your Root CA will fail, too. This will be fixed in the future, see #230.
+Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.
+If you want to test against e.g. a company internal CA you want to avoid warnings from the certificate stores here it's recommended to use ``ADDITIONAL_CA_FILES=<companyCA.pem ./testssl.sh <your cmdline>``. (The former mechanism was to put the company root CA certificate here.)
+#### Further files
 
-#### Further needed files
 * ``tls_data.txt`` contains lists of cipher suites and private keys for sockets-based tests
 
 * ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
```
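Review bot: the added `ADDITIONAL_CA_FILES=<companyCA.pem ./testssl.sh <your cmdline>` example is missing the closing `>` of its placeholder; typed as shown, a shell parses `<companyCA.pem` as an input redirection and assigns an empty value to `ADDITIONAL_CA_FILES`, so the company CA would silently not be loaded. Suggest `ADDITIONAL_CA_FILES=<companyCA.pem> ./testssl.sh <your cmdline>` or a concrete file name. Further points in this hunk: the new Java entry gives only the source path (`$JAVA_HOME/jre/lib/security/cacerts` is the JDK 8 layout; JDK 9 and later keep the file at `$JAVA_HOME/lib/security/cacerts`) but not the keytool invocation used to export it, so the store cannot be regenerated the same way, and no etc/Java.pem entry is visible in the file list above, so please confirm the new store is part of this commit. None of the store entries records the retrieval date that the commit message mentions, which is what a user needs to judge how stale the bundled roots are; a dated line per store would help. Style: `### Certificate stores` is now level 3 while `#### Further files` stays level 4 although they are sibling sections, and in the Apple steps "i.e." should be "e.g." and "(2 click)" should read "double-click".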
```diff
@ -27,7 +30,7 @@ your Root CA will fail, too. This will be fixed in the future, see #230.
 * ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
 ``~/utils/create_ca_hashes.sh`` for an update
 
-* ``common-primes.txt`` is used for LOGJAM
+* ``common-primes.txt`` is used for LOGJAM and the PFS section
 
 * ``client-simulation.txt`` as the name indicates it's the data for the client simulation. Use
 ``~/utils/update_client_sim_data.pl`` for an update. Note: This list has been manually
```
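Review bot: the one changed line is fine, but while this list is being touched, the `~/utils/create_ca_hashes.sh` and `~/utils/update_client_sim_data.pl` paths in the surrounding context point into the user's home directory rather than the repository; if these scripts live in the repository's utils directory, a repository-relative path (`utils/create_ca_hashes.sh`) would make the update instructions work from a checkout.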