CertUtil asking the end-user for confirmation

Техника
  • Index
  • Applications & Desktop Environments
  • [SOLVED] Citrix client GlobalSign Root CA

The easiest solution is to incorporate the answer in the script like this:

echo Y | CertUtil.exe ....

This method doesn’t always work for all programs, so it still needs some testing on your side.

For message-boxes, you can use nircmd with the dlg parameter.
In a script, you may also use the built-in command timeout /t seconds to give the message box the specified number of seconds in which to appear.

Here is an extract of the help file:

Allows you to interact with standard
dialog-boxes and message-boxes of
Windows. When a dialog-box is opened,
you can use this command to «click»
the ok/cancel/yes/no buttons, or fill
the text-boxes in the dialog-box.

Description

On August 1, 2019, Microsoft announced the Microsoft Trusted Root Program is ending support for cross-signed root certificates with kernel-mode signing capabilities. In 2021, most of the cross-signed certificates expire. 

In order to have your signature be compliant with Microsoft Guidelines, it will need to expire prior to June 30, 2021. You can use the custom_expiration_date API variable to create a copy of your certificate with an appended expiration date. If you have any additional questions, please contact our support team.

Note: All existing cross-signed root certificates with kernel-mode signing capabilities continue to work until they expire. See Expiration dates of DigiCert brand trusted cross-signed certificates.

I’m attempting to visit https://www.duluthtrading.com/, and I’m receiving an untrusted certificate error on Windows 7. This happens in both IE and Chrome (as both use the Windows certificate store).

Here’s the certificate chain:

  • VeriSign Universal Root Certification Authority
    • Symantec Class 3 Secure Server SHA256 SSL CA (‎e7 32 73 e5 3a cf e8 0f 41 0b 3e f4 6b 18 02 87 a0 04 40 cd)
      • www.duluthtrading.com (‎6e 70 94 1a e6 39 88 9a 64 fa cb 76 34 af 62 e6 43 83 66 cf)

The problem is, the Root CA (VeriSign Universal Root Certification Authority) is not trusted on this problematic system. This machine is up-to-date via Windows Update.

I looked on another Windows 7 VM (which was less up-to-date), and the certificate was there, under «Third-Party Root Certification Authorities». This VM had fewer certificates.

Why is this CA certificate missing?

How can I fix this machine?


Event 4101, CAPI2
Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4.crt> with error: 12007 (0x2ee7).

Я пытаюсь посетить https://www.duluthtrading.com/, и я получаю ошибку ненадежного сертификата в Windows 7. Это происходит как в IE, так и в Chrome (поскольку оба используют хранилище сертификатов Windows).

вот цепочка сертификатов:

  • Универсальный Корневой Центр Сертификации VeriSign
    • Symantec Class 3 Secure Server SHA256 SSL CA (e7 32 73 e5 3a cf e8 0f 41 0b 3e f4 6b 18 02 87 a0 04 40 компакт)
      • www.duluthtrading.com (6е 70 94 1А е6 39 88 9а ФА 64 КБ 76 34 АФ 62 е6 43 83 66 кф)

проблема в том, что корневой центр сертификации (универсальный корневой Центр сертификации VeriSign) не является доверенным в этой проблемной системе. Эта машина последняя через Центр обновления Windows.

Я посмотрел на другую виртуальную машину Windows 7 (которая была менее актуальной), и сертификат был там под » сторонним корнем центр сертификации.» У этой виртуальной машины было меньше сертификатов.

почему этот сертификат CA отсутствует?

как могу я исправить эта машина?


обновление: в журнале приложений Windows, я вижу следующие ошибки:

Event 4101, CAPI2
Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4.crt> with error: 12007 (0x2ee7).

Jonathon Reinhart

2015-12-09 в 01:45

Я пытаюсь зайти https://www.duluthtrading.com/и получаю ошибку ненадежного сертификата в Windows 7. Это происходит как в IE, так и в Chrome (поскольку оба используют хранилище сертификатов Windows).

Вот цепочка сертификатов:

  • VeriSign Универсальный корневой центр сертификации
    • Сервер Symantec Class 3 Secure SHA256 SSL CA (e7 32 73 e5 3a cf e8 0f 41 0b 3e f4 6b 18 02 87 a0 04 40 кд)
      • www.duluthtrading.com (6e 70 94 1a e6 39 88 9a 64 fa cb 76 34 af 62 e6 43 83 66 cf)

Проблема в том, что корневому центру сертификации (универсальному корневому центру сертификации VeriSign) не доверяют в этой проблемной системе. Эта машина обновлена ​​через Центр обновления Windows.

Я посмотрел на другую виртуальную машину Windows 7 (которая была менее обновленной), и сертификат был там, под «Сторонними корневыми центрами сертификации». Эта ВМ имела меньше сертификатов.

Почему этот сертификат CA отсутствует?

Как я могу исправить эту машину?


Обновление: в журнале приложений Windows я вижу следующие ошибки:

Event 4101, CAPI2 Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4.crt> with error: 12007 (0x2ee7). 



1 ответ на вопрос

Jonathon Reinhart

2015-12-13 в 02:47

Normally, you shouldn’t have to worry about issues like this.

When you are presented with a certificate issued by an untrusted root authority, your computer will contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities. 1

See Microsoft KB 2328240: «Event ID 4107 or Event ID 11 is logged in the Application log in Windows and in Windows Server»

Cause — This error occurs because the Microsoft Certificate Trust List Publisher certificate expired. A copy of the CTL with an expired signing certificate exists in the CryptnetUrlCache folder.

There is a «Fix it for me» download available at that page, or directions for manually fixing the problem.

After applying the update, and rebooting, the next time you visit the site, your computer should automatically download the CA certificate. Restarting the browser, and re-visiting the site should be successful.

I have a Windows 7 system that I’ve just updated to Windows 10. After doing so, I found a ton of drivers wouldn’t install, and eventually traced the issue to the root certificate «Microsoft Root Certificate Authority» being revoked.

  1. Redownloading trusted root certificates from Windows update and reinstalling them. This certificate is still marked as revoked.

  2. Exporting this certificate from another working Windows 10 system (which does not list it as revoked), deleting it from this system, and re-importing it using the exported file. It still is listed as revoked.

  3. Downloading the Certificate Trust List and revoked certificate list from Windows update and importing that. Still no luck.

  4. Disabling driver signing enforcement and trying to install the drivers. The installer still fails in spite of this.

This is driving me crazy. How do I get this certificate working? My system can’t function properly without it.

Screenshot of certificate

asked Oct 13, 2022 at 13:42

Bri Bri's user avatar

Bri Bri

4 gold badges13 silver badges26 bronze badges

I found a fix for this. I had a single machine where «Microsoft Root Certificate Authority.cer» was revoked/not trusted, same as your screenshot. In my case I was trying to install a driver and that was failing with error code 800f0247.

I was able to remove the certs from the bad machine and import from a known good machine. Here are the steps:

  1. On a working machine, Export all certificates from the Trusted Root Certification Authorities store that being with «Microsoft». I saved each cert as .cer with the display name as the filename.
  2. On the problem machine, delete each Trusted Root Certification Authority cert that beings with «Microsoft».
  3. Import the certificates using powershell cmdlet Import-Certificate. I tried importing them manually and that didn’t seem to work. Not sure if it was user error or Import-Certificate is necessary. Either way, I placed all of the root certs in a folder and then ran the following powershell command to import all certs in that folder with one command: Get-ChildItem -File | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
  4. At this point the driver install I was running that was failing due to the «revoked» certificate worked. Another post I read recommended clearing CRL and OCSP cache (certutil -urlcache crl delete && certutil -urlcache ocsp delete) and restarting, but I didn’t seem to have to do that.

answered Dec 2, 2022 at 19:11

nkelnhofer's user avatar

Normally, you shouldn’t have to worry about issues like this.

When you are presented with a certificate issued by an untrusted root authority, your computer will contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities. 1

See Microsoft KB 2328240: «Event ID 4107 or Event ID 11 is logged in the Application log in Windows and in Windows Server»

Cause — This error occurs because the Microsoft Certificate Trust List Publisher certificate expired. A copy of the CTL with an expired signing certificate exists in the CryptnetUrlCache folder.

There is a «Fix it for me» download available at that page, or directions for manually fixing the problem.

After applying the update, and rebooting, the next time you visit the site, your computer should automatically download the CA certificate. Restarting the browser, and re-visiting the site should be successful.

Дополнительно:  Root User in Ubuntu- Important Things You Should Know

Error Root Certificate expire

11 : 08

Error Root Certificate expire

HỌC KỸ THUẬT MÁY TÍNH ONLINE

VeriSign Universal Root Certification Authority missing

02 : 15

VeriSign Universal Root Certification Authority missing

Install a non trusted Certificate to the Trusted Root Authorities

03 : 13

Install a non trusted Certificate to the Trusted Root Authorities

How to Import Certificate in Trusted Root Certification Authorities in Windows

02 : 53

How to Import Certificate in Trusted Root Certification Authorities in Windows

How to view installed certificates in Windows 7

01 : 30

How to view installed certificates in Windows 7

Solve Autodesk self extract problem in 3 steps

05 : 49

Solve Autodesk self extract problem in 3 steps

Comments

  • I’m attempting to visit https://www.duluthtrading.com/, and I’m receiving an untrusted certificate error on Windows 7. This happens in both IE and Chrome (as both use the Windows certificate store).

    Here’s the certificate chain:

    • VeriSign Universal Root Certification Authority
      • Symantec Class 3 Secure Server SHA256 SSL CA (‎e7 32 73 e5 3a cf e8 0f 41 0b 3e f4 6b 18 02 87 a0 04 40 cd)
        • www.duluthtrading.com (‎6e 70 94 1a e6 39 88 9a 64 fa cb 76 34 af 62 e6 43 83 66 cf)

    The problem is, the Root CA (VeriSign Universal Root Certification Authority) is not trusted on this problematic system. This machine is up-to-date via Windows Update.

    I looked on another Windows 7 VM (which was less up-to-date), and the certificate was there, under «Third-Party Root Certification Authorities». This VM had fewer certificates.

    Why is this CA certificate missing?

    How can I fix this machine?


    Event 4101, CAPI2
    Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4.crt> with error: 12007 (0x2ee7).
    

    • This on a machine you have complete and total control over? The only reason it would be missing, is if somebody physically removed it, in other words is a personal machine or a machine owned by a business or corporation.

    • This is a personal machine. I have no idea how the cert got removed.

    • I am seeing the same issue (missing VeriSign Universal Root Certification Authority) on a Mac. Firefox works fine (has its own certs?), but Chrome and Safari cannot locate the root cert. Reinstalling Chrome didn’t help.

There may be times when you need to uninstall a certification authority (CA). However, clients will not be able to send requests to this CA and some applications that depend on your public key infrastructure (PKI) may not function properly after a CA that is needed to verify the validity and revocation status of a certificate has been uninstalled.

If you are permanently decommissioning the CA before its expected expiration date, then the CA certificate should be revoked from its parent CA and you should list «Cease of operation» as the reason for the revocation. If the CA is a self-signed root CA, then all of the certificates issued by the CA that have not expired should be revoked and a certificate revocation list (CRL) should be generated that lists the same reason. This will indicate that the certificates are no longer valid because the CA has been decommissioned.

Uninstalling an enterprise CA should be done properly to ensure that its CA enrollment object is removed from Active Directory Domain Services (AD DS). Failure to do so may cause Active Directory clients to continue attempts to enroll for certificates from that CA. If an enterprise CA cannot be uninstalled normally, use the Enterprise PKI snap-in to manually remove the CA objects from AD DS.

  1. Under Roles Summary, click Remove Roles to start the Remove Roles Wizard. Click Next.

  2. Clear the Active Directory Certificate Services check box, and click Next.

  3. On the Confirm Removal Options page, review the information, and then click Remove.

  4. If Internet Information Services (IIS) is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.

  5. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

  1. Under Roles Summary, click Active Directory Certificate Services.

  2. Under Roles Services, click Remove Role Services.

  3. Clear the Certification Authority check box, and click Next.

  4. On the Confirm Removal Options page, review the information, and then click Remove.

  5. If IIS is running and you are prompted to stop the service before proceeding with the uninstall process, click OK.

  6. After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.

If the remaining role services, such as the Online Responder service, were configured to use data from the uninstalled CA, you must reconfigure these services to support a different CA.

  • The CA database
  • The CA public and private keys
  • The CA’s certificates in the Personal store
  • The CA’s certificates in the shared folder, if a shared folder was specified during AD CS setup
  • The CA chain’s root certificate in the Trusted Root Certification Authorities store
  • The CA chain’s intermediate certificates in the Intermediate Certification Authorities store
  • The CA’s CRL

This information is kept on the server by default, in case you are uninstalling and then reinstalling the CA. For example, you might uninstall and reinstall the CA if you want to change a stand-alone CA to an enterprise CA.

VeriSign Universal Root Certification Authority Certificate — B677FA6948479F5312D5C2EA07327607D1970719

Subject: VeriSign Universal Root Certification Authority

Issuer: VeriSign Universal Root Certification Authority

Expiration: 2037-12-01 23:59:59 UTC

Key Identifier: B6:77:FA:69:48:47:9F:53:12:D5:C2:EA:07:32:76:07:D1:97:07:19

Download and Install

Received at FYIcenter.com on: 2016-11-15

Certificate Detailed Information:

Name:
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, I
nc. - For authorized use only/CN=VeriSign Universal Root Certification A
uthority

Subject: 
   Common Name (CN): VeriSign Universal Root Certification Authority
   Organizational Unit Name (OU): VeriSign Trust Network,
(c) 2008 VeriSign, Inc. - For authorized use only
   Organization Name (O): VeriSign, Inc.
   Locality Name (L): 
   State or Province Name (ST): 
   Country Name (C): US
   Email Address: 
Issuer: 
   Common Name (CN): VeriSign Universal Root Certification Authority
   Organizational Unit Name (OU): VeriSign Trust Network,
(c) 2008 VeriSign, Inc. - For authorized use only
   Organization Name (O): VeriSign, Inc.
   Locality Name (L): 
   State or Province Name (ST): 
   Country Name (C): US
   Email Address: 
Valid From: Wed, 02 Apr 2008 00:00:00 +0000 
Valid To: Tue, 01 Dec 2037 23:59:59 +0000 
Serial Number: 85209574734084581917763752644031726877 
Hash: c01cdfa2 
Version: 2 
Signature Type: sha256WithRSAEncryption 
Purposes:  
   SSL client 
   SSL server 
   Netscape SSL server 
   S/MIME signing 
   S/MIME encryption 
   CRL signing 
   Any Purpose 
   OCSP helper 
   Time Stamp signing 
Extensions:  
   basicConstraints:
      CA:TRUE 
   keyUsage:
      Certificate Sign, CRL Sign 
   1.3.6.1.5.5.7.1.12:
      0x305fa15da05b3059305730551609696d6167652f6769663021301f300706052b
0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e302516236874
74703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e6769
66
 
   subjectKeyIdentifier:
      B6:77:FA:69:48:47:9F:53:12:D5:C2:EA:07:32:76:07:D1:97:07:19 

Certificate in PEM Format:

-----BEGIN CERTIFICATE-----
MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB
vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W
ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
Fw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEX
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0
IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9y
IGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNh
bCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj1mCOkdeQmIN65lgZOIzF
9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGPMiJhgsWH
H26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+H
LL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN
/BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPT
rJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFsw
WTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgs
exkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud
DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4
sAPmLGd75JR3Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+
seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz
4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+
BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR
lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3
7M2CYfE45k+XmCpajQ==
-----END CERTIFICATE-----

Public Key Detailed Information:

Key Details:
   Type: RSA
   Size (bits): 2048
   Modulus (n): 
c761375eb10134db62d7159bff585a8c2323d6608e91d79098837ae65819388c
c5f6e56485b4a271fbedbdb9dacd4d00b4c82d73a5c76971951f393cb244079c
e80efa4d4ac421df29618f32226182c5871f6e8c7c5f16205144d1704f57eae3
1ce3cc79ee58d80ec2b34593c02ce79a172b7b00377a413378e133e2f3101a7f
872cbef6f5f742e2e5bf8762895f004bdfc5dde4754432413a1e716e69cb0b75
4608d1cad22b95d0cffbb9406b648c574dfc13117984ed5e54f6349f0801f310
2506174adaf11d7a666b986066a4d9efd22e82f1f0ef09ea44c9156ae2036e33
d3ac9f5500c7f6086a94b95fdce033f18460f95b2711b4fc16f2bb566a80258d
   Public Exponent (e): 65537 (0x010001)

Public Key in PEM Format:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1ha
jCMj1mCOkdeQmIN65lgZOIzF9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQH
nOgO+k1KxCHfKWGPMiJhgsWHH26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCzn
mhcrewA3ekEzeOEz4vMQGn+HLL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsL
dUYI0crSK5XQz/u5QGtkjFdN/BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ
79IugvHw7wnqRMkVauIDbjPTrJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAl
jQIDAQAB
-----END PUBLIC KEY-----

Identical or Similar Keys: We found that the public key in this certificate matches key(s) recorded previously.

ID      Type Size Pri/Pub Key Identifier   Date       Comparison 
2416    RSA  2048 Public  B677FA6948479... 2016-11-15 Same Key ID

@nottux

fixed with downloading http://curl.haxx.se/ca/cacert.pem and coping the cacert.pem as ca-bundle.crt to /var/cache/ca-certs/anchors and /etc/pki/tls/certs
after that /var/cache/ca-certs/anchors/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.crt files should exist. that fixed my problem

@nottux

I should reopen this issue since i closed by accident

@busykai

@nottux

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo clrtrust generate
Password: 
WARNING: file /usr/share/ca-certs/trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/LuxTrust_Global_Root_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/COMODO_RSA_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Cybertrust_Global_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Network_Solutions_Certificate_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AffirmTrust_Premium.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/EC-ACC.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_2_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Amazon_Root_CA_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Primary_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/VeriSign_Universal_Root_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_1_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Starfield_Root_Certificate_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certum_Trusted_Network_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Starfield_Class_2_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/USERTrust_ECC_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Microsec_e-Szigno_Root_CA_2009.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/USERTrust_RSA_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/D-TRUST_Root_Class_3_CA_2_2009.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certigna.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TWCA_Root_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/ACCVRAIZ1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Assured_ID_Root_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OpenTrust_Root_CA_G1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_ECC_Root_CA_-_R4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/CFCA_EV_ROOT.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TWCA_Global_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Staat_der_Nederlanden_Root_CA_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SSL.com_Root_Certification_Authority_ECC.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Amazon_Root_CA_4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/certSIGN_ROOT_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Entrust_Root_Certification_Authority_-_EC1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Visa_eCommerce_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Go_Daddy_Root_Certificate_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OISTE_WISeKey_Global_Root_GA_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/ComSign_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SZAFIR_ROOT_CA2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Amazon_Root_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_Root_CA_-_R3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TrustCor_RootCert_CA-1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Deutsche_Telekom_Root_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/T-TeleSec_GlobalRoot_Class_3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Camerfirma_Global_Chambersign_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OpenTrust_Root_CA_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TrustCor_ECA-1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AffirmTrust_Premium_ECC.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SSL.com_EV_Root_Certification_Authority_ECC.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SwissSign_Gold_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certum_Trusted_Network_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_High_Assurance_EV_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AC_RAIZ_FNMT-RCM.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Taiwan_GRCA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/E-Tugra_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Assured_ID_Root_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Comodo_AAA_Services_root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/COMODO_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Actalis_Authentication_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certplus_Root_CA_G1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Global_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/thawte_Primary_Root_CA_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Chambers_of_Commerce_Root_-_2008.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Primary_Certification_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/ePKI_Root_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_3_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TC_TrustCenter_Class_3_CA_II.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Assured_ID_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AffirmTrust_Commercial.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/XRamp_Global_CA_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Secure_Global_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Sonera_Class_2_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OpenTrust_Root_CA_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AC_Raíz_Certicámara_S.A..crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TrustCor_RootCert_CA-2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DST_ACES_CA_X6.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Trustis_FPS_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Universal_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/EE_Certification_Centre_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TeliaSonera_Root_CA_v1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certplus_Root_CA_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SSL.com_Root_Certification_Authority_RSA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Buypass_Class_2_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Hongkong_Post_Root_CA_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/IdenTrust_Public_Sector_Root_CA_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Global_Root_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SecureTrust_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Atos_TrustedRoot_2011.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Global_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/S-TRUST_Universal_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Starfield_Services_Root_Certificate_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/T-TeleSec_GlobalRoot_Class_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/D-TRUST_Root_CA_3_2013.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AddTrust_External_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Universal_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DST_Root_CA_X3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Camerfirma_Chambers_of_Commerce_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/CA_Disig_Root_R2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Go_Daddy_Class_2_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Amazon_Root_CA_3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/thawte_Primary_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Izenpe.com.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/IdenTrust_Commercial_Root_CA_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/ISRG_Root_X1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OISTE_WISeKey_Global_Root_GB_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AddTrust_Low-Value_Services_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SwissSign_Silver_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Global_Chambersign_Root_-_2008.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Staat_der_Nederlanden_EV_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Security_Communication_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/CA_Disig_Root_R1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Entrust.net_Premium_2048_Secure_Server_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Swisscom_Root_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Trusted_Root_G4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_ECC_Root_CA_-_R5.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Buypass_Class_3_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Entrust_Root_Certification_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/thawte_Primary_Root_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SwissSign_Platinum_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Security_Communication_RootCA2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Entrust_Root_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Baltimore_CyberTrust_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SecureSign_RootCA11.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/UTN_USERFirst_Email_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certinomis_-_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Security_Communication_EV_RootCA1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_Root_CA_-_R2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certplus_Class_2_Primary_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Global_Root_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GDCA_TrustAUTH_R5_ROOT.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/COMODO_ECC_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AffirmTrust_Networking.crt is not a certificate
Trust store generated at /var/cache/ca-certs
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ git clone --recursive https://github.com/gpac/gpac.git
Cloning into 'gpac'...
fatal: unable to access 'https://github.com/gpac/gpac.git/': SSL certificate problem: unable to get local issuer certificate

still can’t use git but can use flatpak, need to mention that i could run flatpak after manually downloading ca-bundle.crt

Дополнительно:  Ноутбук работает но не включается экран (Решение)

@busykai

after you do, please try running sudo swupd verify --fix (it should fix any deviations in your /usr/ tree) and then try generating the trust store again with sudo clrtrust generate.

@nottux

i can’t run

sudo swupd verify --fix

since i have manualy removed qt5 and other programs because of incompatible binaries, it will take my days to reinstall then remove these, and i will lose lots of my free time, i will try to find another way to fix this

@bryteise

@busykai

to see if openssl on your system is still functional. if it’s not, then that is the issue.

@nottux

when i was building another program it required openssl bu it wasn’t installed, so i installed opessl to /usr/local. installation of openssl or update and reboot after that broke it.

when i will go to home i will look to this but now i am not at my home, after 6 to 10 hours i can be at my home

@nottux

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ openssl x509 -in /usr/share/ca-certs/trusted/AffirmTrust_Networking.crt -noout -fingerprint -sha1
SHA1 Fingerprint=29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ ls -l /usr/share/ca-certs/trusted
total 616
-rw-r--r-- 2 root root 2772 Jan 13  2017  ACCVRAIZ1.crt
-rw-r--r-- 2 root root 2281 Jan 13  2017  AC_Raíz_Certicámara_S.A..crt
-rw-r--r-- 1 root root 1972 Jan 13  2017  AC_RAIZ_FNMT-RCM.crt
-rw-r--r-- 2 root root 2049 Jan 13  2017  Actalis_Authentication_Root_CA.crt
-rw-r--r-- 2 root root 1521 Sep 14 19:49  AddTrust_External_Root.crt
-rw-r--r-- 2 root root 1480 Jan 13  2017  AddTrust_Low-Value_Services_Root.crt
-rw-r--r-- 2 root root 1204 Jan 13  2017  AffirmTrust_Commercial.crt
-rw-r--r-- 2 root root 1204 Jan 13  2017  AffirmTrust_Networking.crt
-rw-r--r-- 2 root root 1891 Jan 13  2017  AffirmTrust_Premium.crt
-rw-r--r-- 2 root root  753 Jan 13  2017  AffirmTrust_Premium_ECC.crt
-rw-r--r-- 1 root root 1188 Jan 13  2017  Amazon_Root_CA_1.crt
-rw-r--r-- 1 root root 1883 Jan 13  2017  Amazon_Root_CA_2.crt
-rw-r--r-- 1 root root  656 Jan 13  2017  Amazon_Root_CA_3.crt
-rw-r--r-- 1 root root  737 Jan 13  2017  Amazon_Root_CA_4.crt
-rw-r--r-- 2 root root 1261 Jan 13  2017  Atos_TrustedRoot_2011.crt
-rw-r--r-- 2 root root 2167 Jan 13  2017  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
-rw-r--r-- 2 root root 1261 Jan 13  2017  Baltimore_CyberTrust_Root.crt
-rw-r--r-- 2 root root 1915 Jan 13  2017  Buypass_Class_2_Root_CA.crt
-rw-r--r-- 2 root root 1915 Jan 13  2017  Buypass_Class_3_Root_CA.crt
-rw-r--r-- 2 root root 1935 Jan 13  2017  CA_Disig_Root_R1.crt
-rw-r--r-- 2 root root 1935 Jan 13  2017  CA_Disig_Root_R2.crt
-rw-r--r-- 2 root root 1704 Jan 13  2017  Camerfirma_Chambers_of_Commerce_Root.crt
-rw-r--r-- 2 root root 1716 Jan 13  2017  Camerfirma_Global_Chambersign_Root.crt
-rw-r--r-- 2 root root 1330 Jan 13  2017  Certigna.crt
-rw-r--r-- 2 root root 1992 Jan 13  2017  Certinomis_-_Root_CA.crt
-rw-r--r-- 2 root root 1298 Jan 13  2017  Certplus_Class_2_Primary_CA.crt
-rw-r--r-- 2 root root 1939 Jan 13  2017  Certplus_Root_CA_G1.crt
-rw-r--r-- 2 root root  794 Jan 13  2017  Certplus_Root_CA_G2.crt
-rw-r--r-- 2 root root 1176 Jan 13  2017  certSIGN_ROOT_CA.crt
-rw-r--r-- 2 root root 1119 Jan 13  2017  Certum_Root_CA.crt
-rw-r--r-- 2 root root 2078 Jan 13  2017  Certum_Trusted_Network_CA_2.crt
-rw-r--r-- 2 root root 1354 Jan 13  2017  Certum_Trusted_Network_CA.crt
-rw-r--r-- 2 root root 1984 Jan 13  2017  CFCA_EV_ROOT.crt
-rw-r--r-- 2 root root 2594 Jan 13  2017  Chambers_of_Commerce_Root_-_2008.crt
-rw-r--r-- 2 root root 1517 Jan 13  2017  Comodo_AAA_Services_root.crt
-rw-r--r-- 2 root root 1489 Jan 13  2017  COMODO_Certification_Authority.crt
-rw-r--r-- 2 root root  940 Jan 13  2017  COMODO_ECC_Certification_Authority.crt
-rw-r--r-- 2 root root 2086 Jan 13  2017  COMODO_RSA_Certification_Authority.crt
-rw-r--r-- 2 root root 1302 Jan 13  2017  ComSign_CA.crt
-rw-r--r-- 2 root root 1318 Jan 13  2017  Cybertrust_Global_Root.crt
-rw-r--r-- 2 root root 1318 Jan 13  2017  Deutsche_Telekom_Root_CA_2.crt
-rw-r--r-- 2 root root 1350 Jan 13  2017  DigiCert_Assured_ID_Root_CA.crt
-rw-r--r-- 2 root root 1306 Jan 13  2017  DigiCert_Assured_ID_Root_G2.crt
-rw-r--r-- 2 root root  851 Jan 13  2017  DigiCert_Assured_ID_Root_G3.crt
-rw-r--r-- 2 root root 1338 Jan 13  2017  DigiCert_Global_Root_CA.crt
-rw-r--r-- 2 root root 1294 Jan 13  2017  DigiCert_Global_Root_G2.crt
-rw-r--r-- 2 root root  839 Oct 25 01:59  DigiCert_Global_Root_G3.crt
-rw-r--r-- 2 root root 1367 Sep 14 19:49  DigiCert_High_Assurance_EV_Root_CA.crt
-rw-r--r-- 2 root root 1988 Jan 13  2017  DigiCert_Trusted_Root_G4.crt
-rw-r--r-- 2 root root 1460 Jan 13  2017  DST_ACES_CA_X6.crt
-rw-r--r-- 2 root root 1200 Jan 13  2017  DST_Root_CA_X3.crt
-rw-r--r-- 1 root root 1468 Jan 13  2017  D-TRUST_Root_CA_3_2013.crt
-rw-r--r-- 2 root root 1517 Jan 13  2017  D-TRUST_Root_Class_3_CA_2_2009.crt
-rw-r--r-- 2 root root 1537 Jan 13  2017  D-TRUST_Root_Class_3_CA_2_EV_2009.crt
-rw-r--r-- 2 root root 1911 Jan 13  2017  EC-ACC.crt
-rw-r--r-- 2 root root 1452 Jan 13  2017  EE_Certification_Centre_Root_CA.crt
-rw-r--r-- 2 root root 1505 Jan 13  2017  Entrust.net_Premium_2048_Secure_Server_CA.crt
-rw-r--r-- 2 root root 1643 Jan 13  2017  Entrust_Root_Certification_Authority.crt
-rw-r--r-- 2 root root 1090 Jan 13  2017  Entrust_Root_Certification_Authority_-_EC1.crt
-rw-r--r-- 2 root root 1533 Jan 13  2017  Entrust_Root_Certification_Authority_-_G2.crt
-rw-r--r-- 2 root root 2033 Jan 13  2017  ePKI_Root_Certification_Authority.crt
-rw-r--r-- 2 root root 2244 Jan 13  2017  E-Tugra_Certification_Authority.crt
-rw-r--r-- 1 root root 1980 Jan 13  2017  GDCA_TrustAUTH_R5_ROOT.crt
-rw-r--r-- 2 root root 1216 Jan 13  2017  GeoTrust_Global_CA.crt
-rw-r--r-- 2 root root 1269 Jan 13  2017  GeoTrust_Primary_Certification_Authority.crt
-rw-r--r-- 2 root root  989 Jan 13  2017  GeoTrust_Primary_Certification_Authority_-_G2.crt
-rw-r--r-- 2 root root 1444 Jan 13  2017  GeoTrust_Primary_Certification_Authority_-_G3.crt
-rw-r--r-- 2 root root 1939 Jan 13  2017  GeoTrust_Universal_CA_2.crt
-rw-r--r-- 2 root root 1935 Jan 13  2017  GeoTrust_Universal_CA.crt
-rw-r--r-- 2 root root 2585 Jan 13  2017  Global_Chambersign_Root_-_2008.crt
-rw-r--r-- 2 root root  713 Jan 13  2017  GlobalSign_ECC_Root_CA_-_R4.crt
-rw-r--r-- 2 root root  794 Jan 13  2017  GlobalSign_ECC_Root_CA_-_R5.crt
-rw-r--r-- 2 root root 1261 Sep 14 19:49  GlobalSign_Root_CA.crt
-rw-r--r-- 2 root root 1354 Jan 13  2017  GlobalSign_Root_CA_-_R2.crt
-rw-r--r-- 2 root root 1229 Jan 13  2017  GlobalSign_Root_CA_-_R3.crt
-rw-r--r-- 2 root root 1448 Jan 13  2017  Go_Daddy_Class_2_CA.crt
-rw-r--r-- 2 root root 1367 Jan 13  2017  Go_Daddy_Root_Certificate_Authority_-_G2.crt
-rw-r--r-- 2 root root 1017 Jan 13  2017  Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
-rw-r--r-- 2 root root 1513 Jan 13  2017  Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
-rw-r--r-- 2 root root 2155 Jan 13  2017  Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
-rw-r--r-- 2 root root 1168 Jan 13  2017  Hongkong_Post_Root_CA_1.crt
-rw-r--r-- 2 root root 1923 Jan 13  2017  IdenTrust_Commercial_Root_CA_1.crt
-rw-r--r-- 2 root root 1931 Jan 13  2017  IdenTrust_Public_Sector_Root_CA_1.crt
-rw-r--r-- 2 root root 1939 Jan 13  2017  ISRG_Root_X1.crt
-rw-r--r-- 2 root root 2122 Jan 13  2017  Izenpe.com.crt
-rw-r--r-- 1 root root 2057 Jan 13  2017  LuxTrust_Global_Root_2.crt
-rw-r--r-- 2 root root 1460 Jan 13  2017  Microsec_e-Szigno_Root_CA_2009.crt
-rw-r--r-- 2 root root 1476 Jan 13  2017 'NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt'
-rw-r--r-- 2 root root 1411 Jan 13  2017  Network_Solutions_Certificate_Authority.crt
-rw-r--r-- 2 root root 1428 Jan 13  2017  OISTE_WISeKey_Global_Root_GA_CA.crt
-rw-r--r-- 2 root root 1346 Jan 13  2017  OISTE_WISeKey_Global_Root_GB_CA.crt
-rw-r--r-- 2 root root 1944 Jan 13  2017  OpenTrust_Root_CA_G1.crt
-rw-r--r-- 2 root root 1944 Jan 13  2017  OpenTrust_Root_CA_G2.crt
-rw-r--r-- 2 root root  798 Jan 13  2017  OpenTrust_Root_CA_G3.crt
-rw-r--r-- 2 root root 1923 Jan 13  2017  QuoVadis_Root_CA_1_G3.crt
-rw-r--r-- 2 root root 2041 Jan 13  2017  QuoVadis_Root_CA_2.crt
-rw-r--r-- 2 root root 1923 Jan 13  2017  QuoVadis_Root_CA_2_G3.crt
-rw-r--r-- 2 root root 2354 Jan 13  2017  QuoVadis_Root_CA_3.crt
-rw-r--r-- 2 root root 1923 Jan 13  2017  QuoVadis_Root_CA_3_G3.crt
-rw-r--r-- 2 root root 2078 Jan 13  2017  QuoVadis_Root_CA.crt
-rw-r--r-- 2 root root 1354 Jan 13  2017  Secure_Global_CA.crt
-rw-r--r-- 2 root root 1249 Jan 13  2017  SecureSign_RootCA11.crt
-rw-r--r-- 2 root root 1350 Jan 13  2017  SecureTrust_CA.crt
-rw-r--r-- 2 root root 1269 Jan 13  2017  Security_Communication_EV_RootCA1.crt
-rw-r--r-- 2 root root 1261 Jan 13  2017  Security_Communication_RootCA2.crt
-rw-r--r-- 2 root root 1224 Jan 13  2017  Security_Communication_Root_CA.crt
-rw-r--r-- 2 root root 1143 Jan 13  2017  Sonera_Class_2_Root_CA.crt
-rw-r--r-- 1 root root  956 Jan 13  2017  SSL.com_EV_Root_Certification_Authority_ECC.crt
-rw-r--r-- 1 root root 2114 Jan 13  2017  SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
-rw-r--r-- 1 root root  944 Jan 13  2017  SSL.com_Root_Certification_Authority_ECC.crt
-rw-r--r-- 1 root root 2094 Jan 13  2017  SSL.com_Root_Certification_Authority_RSA.crt
-rw-r--r-- 2 root root 1948 Jan 13  2017  Staat_der_Nederlanden_EV_Root_CA.crt
-rw-r--r-- 2 root root 2069 Jan 13  2017  Staat_der_Nederlanden_Root_CA_-_G2.crt
-rw-r--r-- 2 root root 1952 Jan 13  2017  Staat_der_Nederlanden_Root_CA_-_G3.crt
-rw-r--r-- 2 root root 1468 Jan 13  2017  Starfield_Class_2_CA.crt
-rw-r--r-- 2 root root 1399 Jan 13  2017  Starfield_Root_Certificate_Authority_-_G2.crt
-rw-r--r-- 2 root root 1424 Jan 13  2017  Starfield_Services_Root_Certificate_Authority_-_G2.crt
-rw-r--r-- 2 root root 1395 Jan 13  2017  S-TRUST_Universal_Root_CA.crt
-rw-r--r-- 2 root root 2090 Jan 13  2017  Swisscom_Root_CA_2.crt
-rw-r--r-- 2 root root 2045 Jan 13  2017  SwissSign_Gold_CA_-_G2.crt
-rw-r--r-- 2 root root 2057 Jan 13  2017  SwissSign_Platinum_CA_-_G2.crt
-rw-r--r-- 2 root root 2049 Jan 13  2017  SwissSign_Silver_CA_-_G2.crt
-rw-r--r-- 1 root root  981 Jan 13  2017  Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.crt
-rw-r--r-- 1 root root 1436 Jan 13  2017  Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.crt
-rw-r--r-- 1 root root  981 Jan 13  2017  Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.crt
-rw-r--r-- 1 root root 1436 Jan 13  2017  Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.crt
-rw-r--r-- 2 root root 1257 Jan 13  2017  SZAFIR_ROOT_CA2.crt
-rw-r--r-- 2 root root 1948 Jan 13  2017  Taiwan_GRCA.crt
-rw-r--r-- 2 root root 1679 Jan 13  2017  TC_TrustCenter_Class_3_CA_II.crt
-rw-r--r-- 2 root root 1870 Jan 13  2017  TeliaSonera_Root_CA_v1.crt
-rw-r--r-- 2 root root 1493 Jan 13  2017  thawte_Primary_Root_CA.crt
-rw-r--r-- 2 root root  940 Jan 13  2017  thawte_Primary_Root_CA_-_G2.crt
-rw-r--r-- 2 root root 1505 Jan 13  2017  thawte_Primary_Root_CA_-_G3.crt
-rw-r--r-- 1 root root 1493 Jan 13  2017  TrustCor_ECA-1.crt
-rw-r--r-- 1 root root 1513 Jan 13  2017  TrustCor_RootCert_CA-1.crt
-rw-r--r-- 1 root root 2204 Jan 13  2017  TrustCor_RootCert_CA-2.crt
-rw-r--r-- 2 root root 1241 Jan 13  2017  Trustis_FPS_Root_CA.crt
-rw-r--r-- 2 root root 1367 Jan 13  2017  T-TeleSec_GlobalRoot_Class_2.crt
-rw-r--r-- 2 root root 1367 Jan 13  2017  T-TeleSec_GlobalRoot_Class_3.crt
-rw-r--r-- 1 root root 1582 Jan 13  2017  TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
-rw-r--r-- 2 root root 1501 Jan 13  2017  TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
-rw-r--r-- 2 root root 1883 Jan 13  2017  TWCA_Global_Root_CA.crt
-rw-r--r-- 2 root root 1269 Jan 13  2017  TWCA_Root_Certification_Authority.crt
-rw-r--r-- 2 root root  948 Jan 13  2017  USERTrust_ECC_Certification_Authority.crt
-rw-r--r-- 2 root root 2094 Jan 13  2017  USERTrust_RSA_Certification_Authority.crt
-rw-r--r-- 2 root root 1667 Jan 13  2017  UTN_USERFirst_Email_Root_CA.crt
-rw-r--r-- 2 root root 1484 Jan 13  2017  Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
-rw-r--r-- 2 root root 1480 Jan 13  2017  Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
-rw-r--r-- 2 root root 1484 Jan 13  2017  Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
-rw-r--r-- 2 root root 1281 Jan 13  2017  VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
-rw-r--r-- 2 root root 1732 Jan 13  2017  VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
-rw-r--r-- 2 root root 1700 Jan 13  2017  VeriSign_Universal_Root_Certification_Authority.crt
-rw-r--r-- 2 root root 1322 Jan 13  2017  Visa_eCommerce_Root.crt
-rw-r--r-- 2 root root 1513 Jan 13  2017  XRamp_Global_CA_Root.crt
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ git clone https://www.github.com
Cloning into 'www.github.com'...
fatal: unable to access 'https://www.github.com/': SSL certificate problem: unable to get local issuer certificate

Then i did run the command you give

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo rm -rf /var/cache/ca-certs; sudo cp -r /usr/share/ca-certs/.prebuilt-store /var/cache/ca-certs

Now github works:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ git clone https://www.github.com
Cloning into 'www.github.com'...
remote: Not Found
fatal: repository 'https://www.github.com/' not found

Thanks for the help

Дополнительно:  Создание синего экрана для масштабной сцены

@nottux

Issue still there after swupd update, certificates broken again:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo swupd update
swupd-client software update 3.14.3
   Copyright (C) 2012-2017 Intel Corporation

Update started.
Attempting to download version string to memory
Preparing to update from 20310 to 20320
Downloading packs...

Extracting os-core pack for version 20320
	...100%

Statistics for going from version 20310 to version 20320:

    changed bundles   : 1
    new bundles       : 0
    deleted bundles   : 0

    changed files     : 3
    new files         : 0
    deleted files     : 0

Starting download of remaining update content. This may take a while...
	...100%
Finishing download of update content...
Staging file content
Applying update
	...100%
Update was applied.
Calling post-update helper scripts.
Update took 14.8 seconds
Update successful. System updated from version 20310 to version 20320
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo flatpak update
Looking for updates...
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
^C
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ git clone https://www.github.com
Cloning into 'www.github.com'...
fatal: unable to access 'https://www.github.com/': SSL certificate problem: unable to get local issuer certificate

I don’t know if flatpak or swupd broke but i didn’t installed anything or modified files under root directory since 4-5 days before issue started.

@nottux

i am not applying the fix right now for possible debugging

@nottux

I have applied the fix again now it works again

@busykai

i’d be happy to debug and fix the root cause of the issue for you. let me know if you have some time to debug and run some commands which would help to understand what the problem is:

  1. which openssl is used:

command -v openssl

  1. if openssl returns expected exit code:
  1. finally, please run clrtrust in the following fashion:

sudo /usr/bin/bash -x /usr/bin/clrtrust generate >/tmp/clrtrust_out 2>&1

the output will be quite verbose, so please attach resulting file /tmp/clrtrust_out to the post (as opposed to pasting it in).

@nottux

After updates i could find a openssl copy in /usr/bin, so i have removed the /usr/local/bin copy and linked this one on to it:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ command -v openssl
/usr/local/bin/openssl
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo mv /usr/local/bin/openssl /usr/local/bin/openssl.old
Password: 
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo ln -s /usr/bin/openssl /usr/local/bin/openssl

Then i have runned the code:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ openssl x509 -in /usr/share/ca-certs/trusted/AffirmTrust_Networking.crt -noout -fingerprint -sha1; echo $?
SHA1 Fingerprint=29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
0
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo /usr/bin/bash -x /usr/bin/clrtrust generate >/tmp/clrtrust_out 2>&1

@nottux

I have updated and rebooted but flatpak still works, i am not having this issue anymore

@busykai

Glad it worked. It does seem that your store is being generated properly now. The issue seems to be that under sudo, clrtrust could not find a functional version of openssl. I have filed a couple of issues (clearlinux/clrtrust#10 and clearlinux/clrtrust#11) against clrtrust to handle such situations better. Thank you! Please close the issue if you no longer have it.

2012-01-24 10

acidic
Member

Re: [SOLVED] Citrix client GlobalSign Root CA

This is the output.

2012-01-23 21

twelveeighty
Member
From: Alberta, Canada

Re: [SOLVED] Citrix client GlobalSign Root CA

Download DigiCert root and intermediate certificates

DigiCert root certificates are widely trusted and used for issuing TLS Certificates to DigiCert customers—including educational, financial institutions, and government entities worldwide.

Note: Are you looking for DigiCert community root and intermediate certificates? Then see DigiCert Community Root and Authority Certificates.

DigiCert Customers: If you are looking for your certificate’s intermediate root, please download it from inside your DigiCert account or contact your account manager or DigiCert Support.

DigiCert strongly recommends including each of these roots in all applications and hardware that support X.509 certificate functionality, including Internet browsers, email clients, VPN clients, mobile devices, operating systems, etc.

DigiCert discloses all of its public root and intermediate certificates on Common CA Database.

* Root Certificates
* Intermediate Certificates
* Cross Signed Certificates

* G5 root certificates
* Other root certificates

G5 root certificates

Other root certificates

How do I know if my drive packages will be affected by a cross-signed certificate expiring?

If your certificate chain ends in Microsoft Code Verification Root, your drive package is affected.

To view the cross-signed certificate chain, run signtool verify  /v /kp <mydriver.sys>

Intermediate certificates

Below are links to DigiCert intermediate certificates. To download a certificate, right-click the download link and choose the Save to file or Save link as option.

* G5 intermediate certificates
* Other intermediate certificates

G5 intermediate certificates

Other intermediate certificates

How does this affect my existing kernel-mode code signing certificate?

  • To sign non-driver code until it expires. 
  • To sign kernel-mode driver packages until the cross-signed certificate it’s chained to expires.*

2012-01-24 12

acidic
Member

Re: [SOLVED] Citrix client GlobalSign Root CA

I got this sorted. Firefox was not using the wfica from /usr/lib32/ICAClient/ but a different one I have on my system somewhere.

2012-01-24 04

twelveeighty
Member
From: Alberta, Canada

Re: [SOLVED] Citrix client GlobalSign Root CA

What is the output of:

ls -l  /usr/lib32/ICAClient/keystore/cacerts/

How does this affect my kernel-mode driver package signatures?

  • If you sign and timestamp the kernel-mode code driver package before the cross-signed certificate it’s chained to expires, your signature will continue to work after the cross-signed certificate expires!
  • If you only sign the kernel-mode code driver package before the cross-signed certificate it’s chained to expires, your signature will become invalid when the cross-signed certificate it’s chained to expires.

For information about when the DigiCert branded cross-signed certificates expire, see the Expiration dates of DigiCert brand trusted cross-signed certificates section below.

2012-01-23 19

acidic
Member

[SOLVED] Citrix client GlobalSign Root CA

I have just installed Citrix Client but am getting the error message «You have not chosen to trust GLobalSign Root CA, the issuer of the server’s sercurity certificate (SSL error 61).»  I have copied the mozilla certificates too /usr/lib32/ICAClient/keystore/cacerts/

Does anyone know if this is the right place? Or is there something else that could be wrong?

Last edited by acidic (2012-01-24 12:14:27)

What is DigiCert doing about this?

As a first step in this sunsetting process, DigiCert has removed the Microsoft Kernel-Mode Code platform option from Code Signing certificate request forms: new, reissue, and renew.

This means going forward, you can no longer order, reissue, or renew a code signing certificate for the kernel-mode platform.

99% Compatibility

DigiCert root certificates are among the most widely-trusted authority certificates in the world. As such, they are automatically recognized by all common web browsers, mobile devices, and mail clients.

Additional Information

DigiCert strongly recommends including each of these roots in all applications and hardware that support X.509 certificate functionality, including Internet browsers, email clients, VPN clients, mobile devices, operating systems, etc.

2012-01-23 21

acidic
Member

Re: [SOLVED] Citrix client GlobalSign Root CA

The file permissions say that they are read only

2012-01-23 21

acidic
Member

Re: [SOLVED] Citrix client GlobalSign Root CA

Its the citrix client.

I had this working a few weeks ago and did not have any problems

Expiration dates of DigiCert brand trusted cross-signed root certificates

  • DigiCert Assured ID Root CA — Expires 4/15/2021
  • DigiCert High Assurance EV Root CA — Expires 4/15/2021
  • DigiCert Global Root CA — Expires 4/15/2021
  • GeoTrust Primary Certification Authority — Expires 2/22/2021
  • GeoTrust Primary Certification Authority — G3 — Expires 2/22/2021
  • Thawte Primary Root CA — Expires 2/22/2021
  • Thawte Primary Root CA — G3 — Expires 2/22/2021
  • VeriSign Class 3 Public Primary Certification Authority — G5 — Expires 2/22/2021
  • VeriSign Universal Root Certification Authority — Expires 2/22/2021

Похожие вопросы

  • Windows 7 Home Premium запоминает пароли общего доступа к сети?


  • Как заблокировать выровненные по правому краю панели инструментов в Windows 7, чтобы они не выглядел…


  • Функция Windows 7 «Aero Snap» в Ubuntu GNOME


  • Мой второй жесткий диск не виден в Windows 7


  • Как заменить Блокнот в Windows 7?


  • Как расположить значки панели задач Windows 7 в 2 ряда?


  • Проблемы во время сна на Windows 7


  • Как управлять функцией привязки Windows 7 с помощью двух мониторов?


  • Как мне обновить Windows 7 RC до Windows 7 RTM?


  • Какая защита от шпионского ПО доступна для Windows 7?


Cross signed certificates

* G5 cross signed roots
* Other cross signed roots

G5 cross signed root certificates

Other cross signed root certificates

DigiCert is the sole operator of all intermediates and root certificates issued.
Each publicly trusted intermediate and root certificate is operated under the
most current version of the DigiCert CPS and audited under DigiCert’s
current Webtrust audit.

2012-01-23 20

twelveeighty
Member
From: Alberta, Canada

Re: [SOLVED] Citrix client GlobalSign Root CA

Is it the browser that shows that error, or is it the citrix client that complains?

Оцените статью
Master Hi-technology
Добавить комментарий