I actually recently renewed my certificates and I see they were already using the X1 root certificate, and while I don't see the X3 certificate as an issuer for that certificate when looking at the certificate chain in my browser, I do still see it when using openssl to either connect to the web server or to look at the root certificate directly, which I pulled from fullchain.pem with openssl x509.

I have another web server which I hadn't updated yet, and I grabbed the certificate from there with the same command, and running "update-ca-trust extract" printed messages that it was overriding trust for the X3 anchor a few times.

I've updated the ca-certificates package on my web server and it no longer has the X3 certificate in the bundle - I checked with the trust command before I updated and I found it there but didn't see it after the update - so the steps you previously mentioned to add it to the blacklist after updating the package did not work; I suppose that should be done first.

Should work, ensure you have updated your ca-certificates on your server.