Red Hat Bugzilla – Bug 158065
Lack of Unizeto certificates
Last modified: 2007-11-30 17:11:06 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4
Description of problem:
Unable to verify certs made by Unizeto. In the Windows version (and earlier for Fedora) there are several Unizeto certs. In this version there is only one - Centrum CA.
Probably not only Unizeto certs are missing.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Edit->Preferences->Advanced->Manage Certificates->Authorities
2. Find Unizeto Sp. z o.o.
Actual Results: There is only one cert.
Expected Results: Should be more.
I can provide a sample server with that certificate, which displays info that it's not verified (after upgrade to this version).
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.
Still true on Epiphany from Fedora Core 6 (running on RHEL5b2). However, there
may be some confusion -- the official list of CAs supported by Mozilla
(http://hecker.org/mozilla/ca-certificate-list) shows that the CA is called
Unizeto CERTUM CA (and despite the Italian-sounding name, it is a Polish
company), and it is supposed to have one root cert (which we apparently have),
and three sub-certs, which are verified because of the root cert.
Reporter, could you please indicate a server, which is not verified by the
This is something that probably belongs to the NSS component anyway....
I believe this bug is invalid.
Marcin, it is not necessary that Thunderbird ships the additional subordinate /
A server that uses a certificate from one of the subordinate CAs should be
configured to send out the intermediate cert required to chain up to the root,
in addition to the server cert. This is common practice. Another good example is
Verisign, which also uses an intermediate CA to issue server certs, which is not
shipped with Thunderbird either.
You can verify this is correct: Go to the page listed in comment 2, find the
CERTUM ca row, and click on any of the "CERTUM Level" links. BUT DO NOT CLICK
OK. Click on the "view certificate" button. You'll get a window, that displays
the verification status on the top. It will say that the cert can be verified.
(You should cancel both dialogs after you looked at the information).
I believe there is no bug, and I'm proposing to resolve it as INVALID.
If you can show us a sample server that does not verify as expected, despite the
server sending out the intermediate certs, please let us know.
I reported this issue 1,5 years ago, because the mail server of my university had
stopped working with SSL out-of-box.
This issue still occurs with "oceanic.wsisiz.edu.pl" (ssl, port 995). I checked
it on a new profile in thunderbird 126.96.36.199 (fc5). If it's needed I can try with
188.8.131.52 on fc6 (on another computer tomorrow).
If you, Kai, think that it should work, maybe there is something with that
Marcin, when I connect to that server, the server sends me a single certificate.
The certificate was issued by
Issuer: C=PL, O=Unizeto Sp. z o.o., CN=Certum Level III
You should get the Level III certificate, and add it to the configuration of
I do not know how you would configure that server. Please see the documentation
of the server software. Look for instructions on how to configure / add an
As soon as that server sends out both certificates on a connection, Thunderbird
will automatically trust the server.
Based on the test environment I'm resolving this as NOTABUG.
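The chain-building behaviour described in the comment above, as an added example that is not part of the original bug report: it creates a throwaway root, intermediate and server certificate with the `openssl` CLI and verifies the server certificate as a client that trusts only the root would, once with the server certificate alone and once with the intermediate sent along. All names and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> server PKI; all names are made up.

# issue <name> <CN> <TRUE|FALSE for CA> [issuer name]; no issuer = self-signed root
issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1.ext"
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 2 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}

# client_trusts <file holding what the server sent, server cert first>
# The client's trust store is root.pem only. openssl verify checks the first
# certificate in the file; -untrusted offers the rest as chain-building material.
client_trusts() {
    openssl verify -CAfile root.pem -untrusted "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

build_demo() {
    cd "$(mktemp -d)" || return 1
    issue root   "Demo Root CA"      TRUE
    issue inter  "Demo Level III CA" TRUE  root
    issue server "mail.example.test" FALSE inter
    cat server.pem           > leaf_only.pem    # what the misconfigured server sends
    cat server.pem inter.pem > with_inter.pem   # server cert plus intermediate
}

build_demo
for sent in leaf_only.pem with_inter.pem; do
    if client_trusts "$sent"; then
        echo "$sent: chain builds to the trusted root"
    else
        echo "$sent: no chain to the trusted root"
    fi
done
```

Against a live server, `openssl s_client -connect host:port -showcerts` lists the certificates the server actually sends, which is the input this check stands in for.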
If you claim this is a problem with the configuration of a server and in the normal case
the Centrum CA certificate is enough, then OK.
Thanks for pointing out a real problem. I'll try to manage something with sending