This repository was archived by the owner on Nov 9, 2017. It is now read-only.

"Entrust Root Certification Authority - G2" is not trusted #358

@killerkalamari

We set up a git server using Bonobo, and got a real cert (not self signed) from Entrust, for https://git.opusinspection.com/. Despite two Entrust certificates already present in /bin/curl-ca-bundle.crt, curl wasn't accepting our certificate. We checked the cert chain on sslshopper; everything seemed to be in order. I installed Git-1.9.5-preview20150319.exe because my Git was an older version. Still wasn't working.

Here is the cert (used openssl in cygwin to convert it to pem format):
~/Desktop$ openssl x509 -in EntrustRootCertificationAuthority-G2.pem -inform pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1246989352 (0x4a538c28)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
Validity
Not Before: Jul 7 17:25:54 2009 GMT
Not After : Dec 7 17:55:54 2030 GMT
Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB
Signature Algorithm: sha256WithRSAEncryption

Using cygwin, I appended the following to curl-ca-bundle.crt, copied it to /bin, and instantly curl (and git) started working:

Entrust Root Certification Authority - G2
=========================================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
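
An added example, not part of the original post: appending a root to a CA bundle in the `name` / `====` / PEM layout shown above, but only after its SHA-256 fingerprint matches a value obtained out of band and only if it is not already in the bundle. The function names `fingerprints` and `add_root` are hypothetical, and the sample bundle entries are constructed stand-ins rather than real certificates.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprints(bundle_text):
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(bundle_text)]


def add_root(bundle_text, name, pem, expected_sha256):
    """Return (new_bundle_text, status); append only a verified, absent root.

    expected_sha256 must come from a channel other than the one that
    delivered `pem`, for example the CA's published fingerprint.
    """
    blocks = PEM_RE.findall(pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate")
    fp = hashlib.sha256(ssl.PEM_cert_to_DER_cert(blocks[0])).hexdigest()
    # Accept both "ab:cd:..." (openssl style) and plain hex.
    want = expected_sha256.replace(":", "").lower()
    if fp != want:
        raise ValueError("fingerprint mismatch, refusing to trust " + name)
    if fp in fingerprints(bundle_text):
        return bundle_text, "already-present"
    entry = "\n%s\n%s\n%s\n" % (name, "=" * len(name), blocks[0])
    return bundle_text.rstrip("\n") + "\n" + entry, "added"


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
EXISTING = ssl.DER_cert_to_PEM_cert(b"constructed-existing-root")
NEW_ROOT = ssl.DER_cert_to_PEM_cert(b"constructed-new-root")
NEW_FP = hashlib.sha256(b"constructed-new-root").hexdigest()
BUNDLE = "Existing Root\n=============\n" + EXISTING

if __name__ == "__main__":
    bundle, status = add_root(BUNDLE, "New Root", NEW_ROOT, NEW_FP)
    print(status, len(fingerprints(bundle)))
```
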
