Update ca-bundle.crt manually?
Describe the bug
I am having an issue where my company is generating new Entrust certs and they fail on all our Linux boxes. The only way to fix it is to upgrade the system to the latest release of certain software packages. In this case we are talking about a VMware appliance running Photon OS. I don't want to go through what I would have to in my company to update this. I assume I need to add these root certs to the ca-bundle.crt file, but I'd rather not do this manually, as our cert guy has been playing with multiple root certs and I want to add them all. I am going to assume current versions of Photon have an updated ca-bundle.crt file and I could just replace mine with that one. How would I get that updated file, assuming this makes sense?
Reproduction steps
...
Expected behavior
test
Additional context
test
Hi,
Commercial VMware appliances running Photon OS are updated as Broadcom products; external modifications are not allowed. For Entrust-related support, log in at https://support.broadcom.com/, select "VMware Cloud Foundation" in the product menu, then click 'My Cases' on the left to open a support request. VMware appliances with Photon OS come with a warranty.
There was a browser distrust in 2024 - NEW public TLS/SSL certificates issued by Entrust after specific dates are no longer trusted. See recommendations for users in the following shared Grok3 prompt, especially 'Migrate to a new CA'.
Hence, if you've updated the VMware appliance and new Entrust certificates fail, this is expected behavior.
Here is some useful information about Open-Source Photon OS. Existing certificates e.g. in Ph5 are:
File: /etc/ssl/certs/02265526.pem
Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
Not Before: Jul 7 17:25:54 2009 GMT
Not After: Dec 7 17:55:54 2030 GMT
----------------------------------------
File: /etc/ssl/certs/106f3e4d.pem
Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - EC1
Not Before: Dec 18 15:25:36 2012 GMT
Not After: Dec 18 15:55:36 2037 GMT
----------------------------------------
File: /etc/ssl/certs/5e98733a.pem
Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4
Not Before: May 27 11:11:16 2015 GMT
Not After: Dec 27 11:41:16 2037 GMT
----------------------------------------
File: /etc/ssl/certs/6b99d060.pem
Issuer: C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
Not Before: Nov 27 20:23:42 2006 GMT
Not After: Nov 27 20:53:42 2026 GMT
----------------------------------------
File: /etc/ssl/certs/aee5f10d.pem
Issuer: O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
Not Before: Dec 24 17:50:51 1999 GMT
Not After: Jul 24 14:15:12 2029 GMT
----------------------------------------
These certificates are still valid because they were not created after 2024.
To list Entrust certificates, you could use this Grok3 generated script check_entrust_certs.sh.
Thanks. OK, I have a self-installed copy of Photon OS now and it's the same thing. Are you saying any Entrust cert that gets generated now will NEVER be trusted? I assumed I needed to install the three root certs at the bottom of this page somewhere:
https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates
I'm not familiar with the Sectigo support for Entrust, but according to your weblink, Sectigo provides a cross-signed root certificate for Entrust issuing CAs. Hence, 'NEVER be trusted' is not the case. It is trusted IF that cross-signed root certificate and the Sectigo CA certificates are in the CA bundle.
In the OPEN-SOURCE (<-> commercial!) repository, e.g. for Ph5 x86_64, you can find the available certs packages.
- The latest CA package ca-certificates-pki-20230315-6.ph5.x86_64.rpm is from 2024. It does not contain that cross signed root certificate for Entrust issuing CAs and the Sectigo CA certificates. Hence, they must be added.
- The latest certs package ca-certificates-20230315-6.ph5.x86_64.rpm is from 2024. Hence, those new Entrust certs, you've mentioned, must be added.
Update ca-bundle.crt manually
Here is a script showing how to update ca-bundle.crt manually. It contains a step-by-step description which might help. DO NOT USE in Production! USE IT IN A SEPARATE TEST ENVIRONMENT.
# Step 1
# Download the Cross Signed Root Certificate and Root Certificates. Let's say you've stored the certs in /tmp.
# /tmp/SectigoPublic-SA-R46xUSERTrustRSA.crt
# /tmp/'SHA-2 Root USERTrust RSA Certification Authority.crt'
# /tmp/AAACertificateServices.crt
# /tmp/'Sectigo Public Server Authentication Root R46.crt'
# Ensure that the certificates you want to add are in PEM format.
# Actually they already are in PEM format despite the .crt ending.
# If that were not the case, create the PEM format e.g. with: openssl x509 -inform der -in AAACertificateServices.crt -out AAACertificateServices.pem
cd /tmp
cp AAACertificateServices.crt AAACertificateServices.pem
cp 'SHA-2 Root USERTrust RSA Certification Authority.crt' 'SHA-2 Root USERTrust RSA Certification Authority.pem'
# Note the .pem target name: the cat step below appends SectigoPublic-SA-R46xUSERTrustRSA.pem
cp SectigoPublic-SA-R46xUSERTrustRSA.crt SectigoPublic-SA-R46xUSERTrustRSA.pem
cp 'Sectigo Public Server Authentication Root R46.crt' 'Sectigo Public Server Authentication Root R46.pem'
# Backup the Existing CA Bundle
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bak
# Append the Certificates to ca-bundle.crt
cat AAACertificateServices.pem >> /etc/pki/tls/certs/ca-bundle.crt
cat SectigoPublic-SA-R46xUSERTrustRSA.pem >> /etc/pki/tls/certs/ca-bundle.crt
cat 'Sectigo Public Server Authentication Root R46.pem' >> /etc/pki/tls/certs/ca-bundle.crt
cat 'SHA-2 Root USERTrust RSA Certification Authority.pem' >> /etc/pki/tls/certs/ca-bundle.crt
# Verify the CA Bundle
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs
# Update the bundle
tdnf install -y openssl-c_rehash
rehash_ca_certificates.sh
# TODO Step 2
# - Add new Entrust certs.
# - Run your Entrust-related tests.
# - Run badass tests.
# - remove/reinstall/downgrade ca-certificates-pki-20230315-6, ca-certificates-20230315-6
# - remove openssl-c_rehash
# - ...
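The two tasks in this thread, listing the certificates of a given issuer in the bundle (the check_entrust_certs.sh idea above) and appending new PEM certificates to ca-bundle.crt, share one step: splitting the bundle into individual certificates. The script below is an added example, not the Photon OS project's code and not the script quoted above. It assumes the bundle path /etc/pki/tls/certs/ca-bundle.crt and the rehash_ca_certificates.sh helper mentioned above; the filenames in the usage line are hypothetical. Unlike a plain `cat >>`, it refuses non-PEM input (DER files must be converted first, as the step above describes) and skips certificates whose base64 body is already in the bundle, so re-running it does not grow the bundle with duplicates. Only the `list` subcommand needs openssl.

```bash
#!/bin/bash
# Added example (not Photon OS project code): inspect a CA bundle and append
# new PEM certificates to it without duplicates. Test it on a copy first.
set -euo pipefail

# Assumed bundle location (Photon OS path from the thread); override via env.
BUNDLE="${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Split a PEM bundle into cert-NNNN.pem files in $2 and print the number of
# certificates found. Pure awk, so it works without openssl.
split_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$bundle"
}

# Return 0 if $1 contains at least one PEM certificate block.
is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Print the base64 body of a single PEM certificate with all whitespace
# removed, so differently wrapped copies of the same cert compare equal.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1;next} /-----END CERTIFICATE-----/{p=0} p' "$1" \
    | tr -d ' \r\n'
}

# Return 0 if the certificate in $1 is already present in bundle $2.
cert_in_bundle() {
  local cert="$1" bundle="$2" tmp body f
  body=$(pem_body "$cert")
  tmp=$(mktemp -d)
  split_bundle "$bundle" "$tmp" >/dev/null
  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || continue
    if [ "$(pem_body "$f")" = "$body" ]; then rm -rf "$tmp"; return 0; fi
  done
  rm -rf "$tmp"
  return 1
}

# Back up the bundle once, then append each PEM file given that is not
# already present. Prints the number of certificates appended.
append_certs() {
  local bundle="$1"; shift
  local added=0 cert
  [ -e "$bundle.bak" ] || cp "$bundle" "$bundle.bak"
  for cert in "$@"; do
    if ! is_pem "$cert"; then
      echo "skip (not PEM; convert with openssl x509 -inform der first): $cert" >&2
      continue
    fi
    if cert_in_bundle "$cert" "$bundle"; then
      echo "skip (already in bundle): $cert" >&2
      continue
    fi
    # Make sure the bundle ends with a newline before appending a block.
    [ -z "$(tail -c1 "$bundle")" ] || echo >> "$bundle"
    cat "$cert" >> "$bundle"
    added=$((added + 1))
  done
  echo "$added"
}

# Show issuer and validity of every bundle certificate whose issuer matches
# $2 (default: Entrust). This part needs openssl.
list_certs() {
  local bundle="$1" pattern="${2:-Entrust}" tmp f issuer
  tmp=$(mktemp -d)
  split_bundle "$bundle" "$tmp" >/dev/null
  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || continue
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    case "$issuer" in
      *"$pattern"*)
        echo "$issuer"
        openssl x509 -in "$f" -noout -dates
        echo "----------------------------------------" ;;
    esac
  done
  rm -rf "$tmp"
}

# Usage (hypothetical filenames):
#   BUNDLE=/tmp/ca-bundle.crt ./merge_certs.sh list Entrust
#   BUNDLE=/tmp/ca-bundle.crt ./merge_certs.sh append /tmp/AAACertificateServices.pem
case "${1:-}" in
  list)   list_certs "$BUNDLE" "${2:-Entrust}" ;;
  append) shift; append_certs "$BUNDLE" "$@"
          # Rebuild the hash symlinks so OpenSSL-based tools see the new certs.
          if command -v rehash_ca_certificates.sh >/dev/null; then rehash_ca_certificates.sh; fi ;;
esac
```

Run it against a copy of the bundle in a test environment first; the `.bak` copy lets you restore the original with a single `cp`, and the `list` subcommand after an `append` confirms the new issuers appear with the expected validity dates.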
@jriker1 did you solve the issue? just curious about the findings.