Fresh certificate marked as expired / messed-up certificate chain pulling expired root cert in gpgsm
Dr. Thomas Orgis
thomas.orgis at uni-hamburg.de
Sat Jul 20 20:07:37 CEST 2019
Hi,
thanks for looking at this …
On Sat, 20 Jul 2019 11:01:49 +0200,
Dirk Gottschalk <dirk.gottschalk1980 at googlemail.com> wrote:
> This is the issue here. These two certs of DTAG (Telekom) are expired
> and that's the reason why gpgsm is complaining correctly.
Please check again my original post, though. The issue I see is that
these certs are not even supposed to be in the chain! To repeat the
summary, which may be lost in the noise before it:
The chain in the newly imported key & cert file, as it should be:
4. Thomas Orgis (me) signed by DFN-Verein Global Issuing CA
3. DFN-Verein Global Issuing CA signed by DFN-Verein Certification Authority 2
2. DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
1. T-TeleSec GlobalRoot Class 2 signed by T-TeleSec GlobalRoot Class 2 (root)
Compared to what gpgsm sees/shows:
4. Thomas Orgis (me) signed by DFN-Verein Global Issuing CA
3. DFN-Verein Global Issuing CA signed by DFN-Verein Certification Authority 2
2. DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
1. T-TeleSec GlobalRoot Class 2 signed by Deutsche Telekom Root CA 2
0. Deutsche Telekom Root CA 2 signed by Deutsche Telekom Root CA 2 (expired root)
The bogus signatures by the old Telekom certificates appear only after
importing in gpgsm, and colleagues using the same kind of certificates
use them without problem in software not relying on gpgsm. So I assume
the presence of the old certificates stirs things up. When I create a
fresh user and import the new key with its certs into gpgsm, the chain
looks like it should.
/home/tester/.gnupg/pubring.kbx
-------------------------------
          ID: 0x310C60AF
      Issuer: /CN=DFN-Verein Global Issuing CA/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
     Subject: /CN=Thomas Orgis/OU=HPC/OU=Basis-Infrastruktur/OU=RRZ/O=Universitaet Hamburg/L=Hamburg/ST=Hamburg/C=DE
    validity: 2019-07-05 08:22:41 through 2022-07-04 08:22:41
  Certified by
            ID: 0xD9463C45
        Issuer: /CN=DFN-Verein Certification Authority 2/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
       Subject: /CN=DFN-Verein Global Issuing CA/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
      validity: 2016-05-24 11:38:40 through 2031-02-22 23:59:59
  chain length: 1
    Certified by
              ID: 0xD3A89A93
          Issuer: /CN=T-TeleSec GlobalRoot Class 2/OU=T-Systems Trust Center/O=T-Systems Enterprise Services GmbH/C=DE
         Subject: /CN=DFN-Verein Certification Authority 2/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
        validity: 2016-02-22 13:38:22 through 2031-02-22 23:59:59
    chain length: 2
      Certified by
                ID: 0x17D894E9
            Issuer: /CN=T-TeleSec GlobalRoot Class 2/OU=T-Systems Trust Center/O=T-Systems Enterprise Services GmbH/C=DE
           Subject: /CN=T-TeleSec GlobalRoot Class 2/OU=T-Systems Trust Center/O=T-Systems Enterprise Services GmbH/C=DE
          validity: 2008-10-01 10:40:14 through 2033-10-01 23:59:59
      chain length: unlimited
So this looks like a corruption in my keyring that includes the history
of using gpgsm for about 5 years :-/ I could now play games with
exporting keys and starting with a fresh database … but I'd like to
have understood first what happened here.
Regards,
Thomas
--
Dr. Thomas Orgis
HPC @ Universität Hamburg
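The situation described in this mail, a keyring that holds two certificates with the same subject name (the self-signed T-TeleSec GlobalRoot Class 2 root and an older cross-certificate for the same name issued by Deutsche Telekom Root CA 2), is a classic path-building problem. The following is an added illustration, not code from the thread or from GnuPG: a toy chain builder over a constructed keyring that shows how a name-only issuer lookup in keyring order walks into the expired cross-signed path, while a validity-aware builder that prefers a self-signed candidate stops at the still-valid root. The dates for the four DFN and T-TeleSec certificates are taken from the listing above; the dates for the two Deutsche Telekom entries are placeholders chosen only so that they are expired on the date of the mail, as the thread states. gpgsm's real builder works on full X.509 data (key identifiers, trust settings) and is not what is modelled here.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields a path builder needs."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

    def is_valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


# Constructed keyring, oldest entries first (the order a keyring used for years
# would hold them). The two Deutsche Telekom entries carry PLACEHOLDER dates that
# merely make them expired at NOW; the other four use the dates from the listing.
NOW = datetime(2019, 7, 20, 20, 0, 0)
KEYRING: List[Cert] = [
    Cert("Deutsche Telekom Root CA 2", "Deutsche Telekom Root CA 2",
         datetime(1999, 1, 1), datetime(2019, 7, 1)),                 # placeholder dates
    Cert("T-TeleSec GlobalRoot Class 2", "Deutsche Telekom Root CA 2",
         datetime(2016, 1, 1), datetime(2019, 7, 1)),                 # cross-cert, placeholder dates
    Cert("T-TeleSec GlobalRoot Class 2", "T-TeleSec GlobalRoot Class 2",
         datetime(2008, 10, 1, 10, 40, 14), datetime(2033, 10, 1, 23, 59, 59)),
    Cert("DFN-Verein Certification Authority 2", "T-TeleSec GlobalRoot Class 2",
         datetime(2016, 2, 22, 13, 38, 22), datetime(2031, 2, 22, 23, 59, 59)),
    Cert("DFN-Verein Global Issuing CA", "DFN-Verein Certification Authority 2",
         datetime(2016, 5, 24, 11, 38, 40), datetime(2031, 2, 22, 23, 59, 59)),
    Cert("Thomas Orgis", "DFN-Verein Global Issuing CA",
         datetime(2019, 7, 5, 8, 22, 41), datetime(2022, 7, 4, 8, 22, 41)),
]
LEAF = KEYRING[-1]


def issuers_of(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """All certificates in the pool whose subject name equals cert's issuer name."""
    return [c for c in pool if c.subject == cert.issuer]


def naive_chain(leaf: Cert, pool: List[Cert], max_depth: int = 10) -> List[Cert]:
    """Name-only path building: take the first matching issuer in keyring order.
    With an old cross-certificate stored before the self-signed root, this walks
    straight into the expired Deutsche Telekom path."""
    chain = [leaf]
    while not chain[-1].is_self_signed() and len(chain) < max_depth:
        candidates = issuers_of(chain[-1], pool)
        if not candidates:
            break
        chain.append(candidates[0])
    return chain


def validated_chain(leaf: Cert, pool: List[Cert], now: datetime,
                    max_depth: int = 10) -> Tuple[List[Cert], Optional[str]]:
    """Validity-aware path building: drop candidates that are not valid at `now`
    and prefer a self-signed (trust-anchor) candidate, so a cross-certificate is
    only followed when no usable self-signed certificate with that name exists.
    Returns the chain built so far and an error message (None on success)."""
    if not leaf.is_valid_at(now):
        return [leaf], f"leaf {leaf.subject!r} not valid at {now:%Y-%m-%d}"
    chain = [leaf]
    while not chain[-1].is_self_signed():
        if len(chain) >= max_depth:
            return chain, "maximum chain depth exceeded"
        candidates = [c for c in issuers_of(chain[-1], pool) if c.is_valid_at(now)]
        if not candidates:
            return chain, f"no valid issuer certificate for {chain[-1].subject!r}"
        candidates.sort(key=lambda c: not c.is_self_signed())  # self-signed first
        chain.append(candidates[0])
    return chain, None


def expired_in_chain(chain: List[Cert], now: datetime) -> List[Tuple[str, str]]:
    """(subject, issuer) pairs of every certificate in the chain that is not valid at `now`."""
    return [(c.subject, c.issuer) for c in chain if not c.is_valid_at(now)]


def names(chain: List[Cert]) -> List[Tuple[str, str]]:
    """(subject, issuer) pairs of a chain, leaf first, for easy comparison."""
    return [(c.subject, c.issuer) for c in chain]


if __name__ == "__main__":
    for label, chain in (("naive", naive_chain(LEAF, KEYRING)),
                         ("validated", validated_chain(LEAF, KEYRING, NOW)[0])):
        print(f"{label}: {len(chain)} certificates")
        for depth, c in enumerate(reversed(chain)):
            mark = "" if c.is_valid_at(NOW) else "   <-- expired"
            print(f"  {depth}. {c.subject} signed by {c.issuer}{mark}")
        print("  expired:", expired_in_chain(chain, NOW))
```

Running the block prints the two chains side by side: the naive walk reproduces the five-entry chain ending in the expired Deutsche Telekom Root CA 2, the validated walk reproduces the four-entry chain from the fresh test user. The same model also shows what a defender should check when gpgsm reports an expired chain for a fresh certificate: whether the keyring holds more than one certificate for the name at which the chain goes wrong, and whether the valid one is the self-signed root.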