Bug 727783

Summary: VeriSign Class 3 Public Primary Certification Authority not trusted
Product: [Fedora] Fedora
Reporter: David Juran <djuran>
Component: ca-certificates
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: ahughes, dbhole, jon.vanalten, jorton, jvanek, lkundrak, mjw, mmatejov, omajid, tmraz
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-08-04 15:26:49 UTC

Description David Juran 2011-08-03 08:44:25 UTC
Description of problem:
There seem to be applets out there (e.g. the WebEx meeting) that are signed with the VeriSign Class 3 Public Primary Certification Authority but openjdk does not recognise this as a trusted CA. Is this intentional?

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. firefox http://www.webex.com/lp/jointest/?elq=809f7a3332a347a0a231ef24c8b40d9c
2. Try to join the meeting
3. Watch the warning

Comment 1 David Juran 2011-08-03 08:59:30 UTC
Seems the JVM gets its certs from /etc/pki/java/cacerts

Comment 2 David Juran 2011-08-03 09:09:57 UTC
Some more details on the missing cert:

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Validity: [From: Fri Jul 16 03:00:00 EEST 2004,
               To: Wed Jul 16 02:59:59 EEST 2014]
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SHA1 Fingerprint: 19:7A:4A:EB:DB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4
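
Added example (not part of the original bug report, and not Fedora or OpenJDK code): a minimal reader for the JKS keystore layout that lists the SHA-1 fingerprint of every trusted entry, so a fingerprint such as the one quoted in Comment 2 can be checked against the store named in Comment 1. It assumes that store is in JKS format; `sample_store` and the alias `example-root` are constructed for illustration.

```python
import hashlib
import struct

def fingerprint(der):
    """Colon-separated SHA-1 of the DER bytes, as keytool prints it."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def _utf(buf, pos):
    """Java UTF string: 2-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _cert(buf, pos, version):
    """One certificate: type string (v2 only), 4-byte length, DER bytes."""
    if version == 2:
        _, pos = _utf(buf, pos)
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def jks_trusted_fingerprints(buf):
    """Map alias -> SHA-1 fingerprint for every trusted-cert entry.
    The trailing 20-byte integrity digest is not verified here."""
    magic, version, count = struct.unpack_from(">III", buf, 0)
    if magic != 0xFEEDFEED or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, found = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", buf, pos)
        alias, pos = _utf(buf, pos + 4)
        pos += 8  # skip creation timestamp
        if tag == 2:  # trusted certificate entry
            der, pos = _cert(buf, pos, version)
            found[alias] = fingerprint(der)
        elif tag == 1:  # private key entry: skip key blob, then its chain
            (klen,) = struct.unpack_from(">I", buf, pos)
            (chain,) = struct.unpack_from(">I", buf, pos + 4 + klen)
            pos += 8 + klen
            for _ in range(chain):
                _, pos = _cert(buf, pos, version)
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return found

def sample_store(der=b"constructed placeholder, not a real certificate"):
    """Constructed v2 store with one trusted entry (alias is made up)."""
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    entry = (struct.pack(">I", 2) + utf("example-root") + struct.pack(">Q", 0)
             + utf("X.509") + struct.pack(">I", len(der)) + der)
    return struct.pack(">III", 0xFEEDFEED, 2, 1) + entry + bytes(20)
```

On a real system, pass the bytes of /etc/pki/java/cacerts to `jks_trusted_fingerprints` and look for the fingerprint in the returned values.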

Comment 3 Joe Orton 2011-08-04 15:26:49 UTC
Our authoritative source for trusted root CAs is Mozilla; this root is not in there, so we don't ship it.  Not much more we can do about this; we don't want to start vetting individual CA roots in Fedora.

Comment 4 David Juran 2011-08-05 12:10:29 UTC
Fair enough.
For what it's worth, I've now filed the same question with Mozilla in https://bugzilla.mozilla.org/show_bug.cgi?id=676799