Entrust
From Leo's Notes
Last edited on 1 August 2024, at 21:49.
Entrust is a certificate authority.
Troubleshooting
The Entrust Root Certification Authority (G2) doesn't appear to be part of the system root CA store. As a result, if you try to wget or curl a resource that uses a certificate signed by Entrust, you'll get an error like the one below.
# wget -O - https://somewhere.ucalgary.ca/
--2022-03-29 16:58:39-- https://somewhere.ucalgary.ca/
Resolving somewhere.ucalgary.ca (somewhere.ucalgary.ca)... 10.43.144.134
Connecting to somewhere.ucalgary.ca (somewhere.ucalgary.ca)|10.43.144.134|:443... connected.
ERROR: cannot verify somewhere.ucalgary.ca's certificate, issued by ‘CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\\, Inc.,C=US’:
Unable to locally verify the issuer's authority.
To connect to somewhere.ucalgary.ca insecurely, use `--no-check-certificate'.
To fix this, you'll need to install the root and chain certificates that are provided by Entrust at https://www.entrust.com/resources/certificate-solutions/tools/root-certificate-downloads.
Installing certificates
On RHEL based systems:
# wget https://web.entrust.com/root-certificates/entrust_l1k.cer -O /usr/share/pki/ca-trust-source/anchors/entrust_l1k.cer
# wget https://web.entrust.com/root-certificates/entrust_g2_ca.cer -O /usr/share/pki/ca-trust-source/anchors/entrust_g2_ca.cer
# wget https://web.entrust.com/root-certificates/entrust_l1m_sha2.cer -O /usr/share/pki/ca-trust-source/anchors/entrust_l1m_sha2.cer
# update-ca-trust extract
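On Ubuntu (update-ca-certificates only picks up locally added certificates automatically when they are .crt files under /usr/local/share/ca-certificates; files under /usr/share/ca-certificates are used only if listed in /etc/ca-certificates.conf):
# wget https://web.entrust.com/root-certificates/entrust_l1k.cer -O /usr/local/share/ca-certificates/entrust_l1k.crt
# wget https://web.entrust.com/root-certificates/entrust_g2_ca.cer -O /usr/local/share/ca-certificates/entrust_g2_ca.crt
# wget https://web.entrust.com/root-certificates/entrust_l1m_sha2.cer -O /usr/local/share/ca-certificates/entrust_l1m_sha2.crt
# update-ca-certificates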
On Debian:
# mkdir -p /usr/local/share/ca-certificates
# cd /usr/local/share/ca-certificates
# curl https://web.entrust.com/root-certificates/entrust_l1k.cer > entrust_l1k.cer
# curl https://web.entrust.com/root-certificates/entrust_g2_ca.cer > entrust_g2_ca.cer
# curl https://web.entrust.com/root-certificates/entrust_l1m_sha2.cer > entrust_l1m_sha2.cer
# for i in *.cer; do openssl x509 -inform PEM -in "$i" -outform PEM -out "${i%.cer}.crt"; done
# update-ca-certificates
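Anything copied into the anchor directory becomes trusted for every TLS connection the host makes, so it is worth checking each downloaded file against a known SHA-256 fingerprint before the update command runs. The script below is an added example, not part of the original notes; the function names are made up for illustration, and the expected fingerprint is a placeholder that has to come from Entrust through a channel other than the download itself.

```shell
#!/bin/sh
# Added example: pin a CA certificate's SHA-256 fingerprint before trusting it.
# Function names are hypothetical; pin values are supplied by the caller.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex without
# colons. Prints nothing if the file does not parse as a PEM X.509 certificate
# (for example a DER file or an HTML error page saved by wget/curl).
cert_sha256() {
    openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalize a pin typed as AA:BB:..., "aa bb ..." or plain hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# install_pinned_cert FILE EXPECTED_SHA256 ANCHOR_DIR
# Copies FILE to ANCHOR_DIR/<name>.crt only when the fingerprint matches.
# Returns 0 on install, 1 on fingerprint mismatch, 2 if FILE is not a PEM cert.
install_pinned_cert() {
    file=$1
    want=$(normalize_fp "$2")
    dir=$3
    got=$(cert_sha256 "$file")
    if [ -z "$got" ]; then
        echo "REJECT $file: not a PEM X.509 certificate" >&2
        return 2
    fi
    if [ "$got" != "$want" ]; then
        echo "REJECT $file: fingerprint $got does not match the pin" >&2
        return 1
    fi
    base=$(basename "$file")
    base=${base%.*}
    # .crt is the extension update-ca-certificates looks for on Debian/Ubuntu.
    install -m 0644 "$file" "$dir/$base.crt"
}

# Usage on a Debian-style host (the pin is a placeholder, not a real value):
#   install_pinned_cert entrust_g2_ca.cer "<SHA-256 from Entrust>" \
#       /usr/local/share/ca-certificates && update-ca-certificates
```

On RHEL-based systems the same function works with /usr/share/pki/ca-trust-source/anchors as the target directory, followed by update-ca-trust extract.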