# 'Untrusted but not blacklisted' certificates

## Telemin

Hello All,

I just updated app-misc/ca-certificates to the latest 20140223.3.15.5 version.  I noticed in the package output a string of warnings:

```

Ignoring certificate "UTN-USER First-Network Applications".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST

Ignoring certificate "UTN USERFirst Object Root CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST

Certificate "MD5 Collisions Forged Rogue CA 25c3" blacklisted, ignoring.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrusted AC DG Tresor SSL"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Ignoring certificate "TC TrustCenter Universal CA III".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Mozilla Addons"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Global Trustee"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus GMail"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Google"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Skype"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 1"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 2"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 3"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus live.com"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus kuix.de"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Root CA"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Services 1024 CA"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA 2nd"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid G2"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

```

And so on...

Can someone who understands the way certificates are handled in gentoo explain to me what is going on here?  Is this a problem with my system?  Expected behaviour for this package?

I understand the concepts of public key cryptography well enough, but not the way gentoo handles it. Is this telling me that I have bogus ca-certs installed?

-Telemin-

----------

## mvaterlaus

hi,

have you read the emerge post message of that ebuild? it states an command, which removes old symlinks like following

```

find -L /etc/ssl/certs/ -type l -exec rm {} +

```

also, update the ca-certificates with the following command

```

update-ca-certificates

```

----------

## Telemin

Hi mvaterlaus,

I do not have any old/hanging symlinks, and am aware of the update-ca-certificates command.  However I don't believe either of those things are relevant to the behaviour of the package at compile time.  I want to know from someone who understands the package, likely a member of the gentoo security team, why the warnings are generated and why those keys are even there if they are untrusted.

-Telemin-

----------

## pentium4borg

I'm seeing the same sorts of messages with =app-misc/ca-certificates-20140927.3.17.2. I have run update-ca-certificates, removed any broken symlinks (find -L /etc/ssl/certs/ -type l -exec rm {} +), and reinstalled ca-certificates, but the messages were present on reinstallation.

These messages are very worrying. Can anyone shed some light as to what is happening?

Thanks.

----------

## jagdpanther

I also am seeing these types of messages with my update to ca-certificates-20151214.3.21.  Any ideas?

----------

## gordonb3

This is normal behaviour for this package. ca-certificates is derived from the nss sources which apparently is meant to do something with certificates that have for some reason become untrusted at some time, e.g. because they expired. This info is included in the certdata file and the package provided parser that creates the individual .crt files spits out this message when it hits the not trusted flag. It's ugly and I guess the Gentoo devs could provide a patch for the parser to silence that warning, but for some reason they don't. In any case, there is no need to worry.

----------

