On Wednesday, June 2, 2021 12:28:49 AM CEST Fannys wrote: > On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" <jo...@antarean.org> wrote: > >On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote: > >> On Sat, May 29, 2021 at 03:08:39AM +0200, zca...@gmail.com wrote > >> > >> > 125 config files in /etc/ssl/certs needs update. > >> > > >> > For certificates I would expect the old and invalid ones to be > > > >replaced > > > >> > by newer ones without user intervention. > >> > > >> Looking through them is "interesting". There seem to be a lot of > >> > >> /etc/ssl/certs/????????.0 files, where "?" is either a random number > > > >or > > > >> a lower case letter. These all seem to be symlinks to > >> /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a > >> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How > > > >much > > > >> do we trust China? There are a couple of certificates in there named > >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and > >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any > >> other suspicious regimes in there? > > > >I've always wondered about the amount of CAs that are auto-trusted on > >any > >system. Including several from countries with serious human rights > >issues. > > > >I could do with a tool where I can easily select which CAs to trust > >based on > >country. > > > >-- > >Joost > > Is there actually any tool that can let me pick my certificates? > If i go and start deleting randomly certificates from regimes i dont like > will there be any "breaking change"? I suppose firefox uses its own > certificate store though.
If the CA is removed from your system/app/..., any key signed by that CA will be seen as "untrusted" (treated as if self-signed) and you need to go through the usual hoops to allow that certificate to be used. -- Joost
