Bug 1565936 - Install thawte CA certificate
Summary: Install thawte CA certificate
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ca-certificates
Version: 6.10
Hardware: Unspecified
OS: Linux
Target Milestone: rc
: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: BaseOS QE Security Team
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-11 05:59 UTC by Sham Antony
Modified: 2018-06-21 11:40 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-06-21 11:40:08 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Sham Antony 2018-04-11 05:59:26 UTC
Description of problem:

Customer is insisting to include "thawte" CA certificate along with other CA which comes with ca-certificates.


Latest ca-certificates for RHEL 6.X is ca-certificates-2017.2.14-65.0.1.el6_9.noarch which doesn't contains "thawte" CA.

Following resolved the issue

# update-ca-trust enable

# cp thawte_sha256_ssl.crt  /etc/pki/ca-trust/source/anchors/ 

# update-ca-trust extract

but the customer don't want to perform the same, insisting to include mentioned CA.

Comment 2 Kai Engert (:kaie) (inactive account) 2018-06-01 15:52:28 UTC

The provided link doesn't work. I need to see the exact certificate the customer is inquiring about.

Comment 3 Maximilian Maier 2018-06-19 10:49:56 UTC

the search on thawte.com doesn't work anymore. Moved to digicert.com.

You can find the certificate(s) here:
thawte SHA256 SSL CA

Comment 4 Kai Engert (:kaie) (inactive account) 2018-06-21 11:40:08 UTC
I assume you're enquiring about this one:

        Issuer: "CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US"

        Subject: "CN=thawte SHA256 SSL CA,O="thawte, Inc.",C=US"

This isn't a root CA. It's an intermediate CA.

We intentionally don't include any intermediate CAs in the ca-certificates package.

A common situation is that clients connect to a server, and the client is unable to verify the server's certificate, because the server didn't include the intermediate.

However, servers are REQUIRED to include the intermediate CAs related to the server's cert in their SSL/TLS handshake message.

In order to do so, the server software must be configured with a copy of the intermediate CA(s).

The CA that issued that server certificate should provide documentation for that.

The server software product that is used should have documentation for configuring intermediate CAs.

Note You need to log in before you can comment on or make changes to this bug.