/etc/ssl/certs/ca-cert.pem contains a private key:

sascha@cube:/etc/ssl/certs$ cat ca-cert.pem
-----BEGIN CERTIFICATE-----
MIIC5TCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
HDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0IGJpdCkwHhcNOTkxMjAyMjEzODUxWhcN
MDUwNzEwMjEzODUxWjBbMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFu
ZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxGzAZBgNVBAMTElRlc3QgQ0Eg
KDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo7ujy3XXpU/p
yDJtOxkMJmGv3mdiVm7JrdoKLUgqjO2rBaeNuYMUiuI6oYU+tlD6agwRML0Pn2JF
b90VdK/UXrmRr9djaEuH17EIKjte5RwOzndCndsjcCYyoeODMTyg7dqPIkDMmRNM
5R5xBTabD+Aji0wzQupYxBLuW5PLj7ECAwEAAaOBtzCBtDAdBgNVHQ4EFgQU1WWA
U42mkhi3ecgey1dsJjU61+UwgYQGA1UdIwR9MHuAFE0RaEcrj18q1dw+G6nJbsTW
R213oWCkXjBcMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxHDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0
IGJpdCmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBb39BRphHL
6aRAQyymsvBvPSCiG9+kR0R1L23aTpNbhXp2BebyFjbEQYZc2kWGiKKcHkNECA35
3d4LoqUlVey8DFyafOIJd9hxdZfg+rxlHMxnL7uCJRmx9+xB411Jtsol9/wg1uCK
sleGpgB4j8cG2SVCz7V2MNZNK+d5QCnR7A==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
-----END RSA PRIVATE KEY-----
sascha@cube:/etc/ssl/certs$ qpkg -f ca-cert.pem
dev-libs/openssl *

Reproducible: Always
Steps to Reproduce:

Gentoo Base System version 1.4.3.13
Portage 2.0.50-r3 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r9, 2.4.25-cube-3)
=================================================================
System uname: 2.4.25-cube-3 i686 AMD Athlon(tm) XP 1700+
distcc 2.12.1 i586-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium -mcpu=athlon-xp -O3 -pipe"
CHOST="i586-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.1/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /usr/vice/etc /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/afs/C /etc/afs/afsws /etc/afs/modload /etc/gconf /etc/make.globals /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox strict userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.easynet.nl/mirror/gentoo/ http://gentoo.inode.at/ ftp://gentoo.inode.at/source/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://hybrid.sascha.silbe.org/gentoo-portage"
USE="3dnow X acl afs apm avi berkdb cdr crypt doc dvd encode foomaticdb gdbm gif gtk gtk2 gtkhtml guile hbci imap imlib ipv6 j-noaim j-nomsn j-noyahoo jpeg krb4 lcms libg++ libwww linguas_en,de mad maildir mbox mikmod mmx monitor mpeg mysql nas ncurses nls oggvorbis opengl oss pam pdflib png postgres python qt qtmt quicktime readline samba sdl skey spell sse ssl tetex tiff truetype unicode x86 xml xml2 xv zlib"
Same with several other certificate files in /etc/ssl/certs:

sascha@cube:/etc/ssl/certs$ grep PRIVATE *.pem
ca-cert.pem:-----BEGIN RSA PRIVATE KEY-----
ca-cert.pem:-----END RSA PRIVATE KEY-----
dsa-ca.pem:-----BEGIN DSA PRIVATE KEY-----
dsa-ca.pem:-----END DSA PRIVATE KEY-----
dsa-pca.pem:-----BEGIN DSA PRIVATE KEY-----
dsa-pca.pem:-----END DSA PRIVATE KEY-----
pca-cert.pem:-----BEGIN RSA PRIVATE KEY-----
pca-cert.pem:-----END RSA PRIVATE KEY-----

WTF is this?
the certs are copied from the tarball of openssl themselves ... it's not like they were generated by the ebuild as such ...
Is the ca-cert key supposed to match the root key from ca-cert.org? Because it doesn't seem to. The dates are different, so are the CN fields. One is labeled as a Test Certificate.

I'm looking at /etc/ssl/certs/ca-cert.pem and http://www.cacert.org/cacert.crt

This is where I check the one that came with the openssl package. Note the CN says "Test PCA"
----------------------------------------------------------------
#cd /etc/ssl/certs
#openssl x509 -noout -in ./ca-cert.pem -issuer -dates -subject -hash -fingerprint -subject
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
notBefore=Dec 2 21:38:51 1999 GMT
notAfter=Jul 10 21:38:51 2005 GMT
1f6c59cd
MD5 Fingerprint=EF:02:83:EA:AC:AF:6A:D0:8D:4F:56:A8:2B:A1:C5:D3
subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)

And this one is from cacert.org. The CN now says "CA Cert Signing"
-------------------------------------------------------------------
#cd /tmp
#wget http://www.cacert.org/cacert.crt
#openssl x509 -noout -in ./cacert.crt -issuer -dates -subject -hash -fingerprint -subject
issuer= /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
notBefore=Mar 30 12:29:49 2003 GMT
notAfter=Mar 29 12:29:49 2033 GMT
5ed36f99
MD5 Fingerprint=A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
subject= /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
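Added example, not part of this bug report, the openssl ebuild or OpenSSL itself: a small Python 3 script (standard library only) that does by machine what the two checks in this thread do by hand. It lists the PRIVATE KEY blocks a file under /etc/ssl/certs carries (the reporter's grep), checks whether an RSA key bundled with a certificate is really the private half of that certificate's public key (by comparing the modulus in the PKCS#1 RSAPrivateKey with the one in the certificate's subjectPublicKeyInfo), and computes the MD5 fingerprint used above to tell the CryptSoft "Test CA" apart from the cacert.org root. The sample input is the ca-cert.pem pasted in the report. Assumptions: the minimal DER walker expects well-formed input and only matches RSA keys, so dsa-ca.pem and dsa-pca.pem from the grep output would be reported as carrying a key but not matched; the function and variable names are this example's own.

```python
# Added example, not from the bug report, the ebuild or OpenSSL: list the PRIVATE
# KEY blocks in a file from /etc/ssl/certs, check whether a bundled RSA key is the
# private half of the certificate's public key, and compute the MD5 fingerprint
# the thread uses. Standard library only; DER walker assumes well-formed RSA input.
import base64, hashlib, re

# Constructed from the report above: the pasted ca-cert.pem (OpenSSL demo cert + key).
CA_CERT_PEM = """\
-----BEGIN CERTIFICATE-----
MIIC5TCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
HDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0IGJpdCkwHhcNOTkxMjAyMjEzODUxWhcN
MDUwNzEwMjEzODUxWjBbMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFu
ZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxGzAZBgNVBAMTElRlc3QgQ0Eg
KDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo7ujy3XXpU/p
yDJtOxkMJmGv3mdiVm7JrdoKLUgqjO2rBaeNuYMUiuI6oYU+tlD6agwRML0Pn2JF
b90VdK/UXrmRr9djaEuH17EIKjte5RwOzndCndsjcCYyoeODMTyg7dqPIkDMmRNM
5R5xBTabD+Aji0wzQupYxBLuW5PLj7ECAwEAAaOBtzCBtDAdBgNVHQ4EFgQU1WWA
U42mkhi3ecgey1dsJjU61+UwgYQGA1UdIwR9MHuAFE0RaEcrj18q1dw+G6nJbsTW
R213oWCkXjBcMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxHDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0
IGJpdCmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBb39BRphHL
6aRAQyymsvBvPSCiG9+kR0R1L23aTpNbhXp2BebyFjbEQYZc2kWGiKKcHkNECA35
3d4LoqUlVey8DFyafOIJd9hxdZfg+rxlHMxnL7uCJRmx9+xB411Jtsol9/wg1uCK
sleGpgB4j8cG2SVCz7V2MNZNK+d5QCnR7A==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
-----END RSA PRIVATE KEY-----
"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Every PEM block in the file, in order, as [(label, DER bytes)]."""
    return [(m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2))))
            for m in PEM_RE.finditer(text)]

def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: length in the next (n) bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Elements of a SEQUENCE body as [(tag, value)]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def cert_rsa_modulus(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey.n"""
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])
    if fields[0][0] == 0xA0:             # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]                  # serial, sigAlg, issuer, validity, subject, spki
    bits = der_children(spki)[1][1][1:]  # BIT STRING body minus the unused-bits byte
    n_tag, n_val = der_children(der_read(bits)[1])[0]
    assert n_tag == 0x02, "expected INTEGER modulus (RSA only)"
    return int.from_bytes(n_val, "big")

def rsa_private_modulus(key_der):
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, ... } -> n"""
    return int.from_bytes(der_children(der_read(key_der)[1])[1][1], "big")

def md5_fingerprint(cert_der):
    """What `openssl x509 -fingerprint -md5` prints: MD5 over the DER certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.md5(cert_der).digest())

def audit(text):
    """What the file carries, and whether the bundled RSA key belongs to the cert."""
    blocks = pem_blocks(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [der for label, der in blocks if label == "RSA PRIVATE KEY"]
    match = bool(certs and keys) and rsa_private_modulus(keys[0]) == cert_rsa_modulus(certs[0])
    return {"private_keys": [l for l, _ in blocks if "PRIVATE KEY" in l],
            "fingerprints": [md5_fingerprint(c) for c in certs],
            "key_matches_cert": match}

if __name__ == "__main__":
    print(audit(CA_CERT_PEM))   # run audit(open(p).read()) over /etc/ssl/certs/*.pem
```

For the pasted file the report shows one RSA PRIVATE KEY block, the fingerprint EF:02:83:EA:AC:AF:6A:D0:8D:4F:56:A8:2B:A1:C5:D3 (the CryptSoft test CA, not the cacert.org root), and key_matches_cert True: the key shipped next to the certificate is the key for that certificate, which is exactly why a trust store should never contain it.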
files come from upstream