Entrust is a certificate authority.

Troubleshooting[edit | edit source]

The Entrust Root Certification Authority (G2) doesn't appear to be part of the system root CA. As a result, if you try to wget or curl to a resource using certificates signed by Entrust, you'll get an error like the one below.

# wget -O - https://somewhere.ucalgary.ca/
--2022-03-29 16:58:39--  https://somewhere.ucalgary.ca/
Resolving somewhere.ucalgary.ca (somewhere.ucalgary.ca)... 10.43.144.134
Connecting to somewhere.ucalgary.ca (somewhere.ucalgary.ca)|10.43.144.134|:443... connected.
ERROR: cannot verify somewhere.ucalgary.ca's certificate, issued by ‘CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\\, Inc.,C=US’:
  Unable to locally verify the issuer's authority.
To connect to somewhere.ucalgary.ca insecurely, use `--no-check-certificate'.

To fix this, you'll need to install the root and chain certificates that are provided by Entrust at https://www.entrust.com/resources/certificate-solutions/tools/root-certificate-downloads.

Installing certificates[edit | edit source]

On RHEL based systems:

# wget https://web.entrust.com/root-certificates/entrust_l1k.cer -O /usr/share/pki/ca-trust-source/anchors/entrust_l1k.cer
# wget https://web.entrust.com/root-certificates/entrust_g2_ca.cer -O /usr/share/pki/ca-trust-source/anchors/entrust_g2_ca.cer
# update-ca-trust extract

On Ubuntu:

# wget https://web.entrust.com/root-certificates/entrust_l1k.cer   -O /usr/share/ca-certificates/entrust_l1k.cer
# wget https://web.entrust.com/root-certificates/entrust_g2_ca.cer -O /usr/share/ca-certificates/entrust_g2_ca.cer
# update-ca-certificates