Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#12710 closed enhancement (invalid)

Add Unizeto / Certum CA to JOSM

Reported by: wiktorn
Owned by: team
Priority: normal
Milestone:
Component: Core
Version:
Keywords:
Cc: stoecker

Description

As a followup to #12264.

Patch is present here:
https://josm.openstreetmap.de/changeset/10085/josm

Certificates issued by Unizeto / Certum are used by some of the WMS services in Poland. To overcome issues with using these services, the Polish community prepared instructions on how to add these certificates to the KeyStore, but this solution is not friendly for those less fluent with general computing.

The Unizeto certificate is included in most browsers (IE, Mozilla, Chrome). I don't use Safari, so I'm not sure if it's included there.

More information about the certificate on ssl-tools:
https://ssl-tools.net/subjects/b7b914aa326824841f36325549de03f1ef51f613

Attachments (0)

Change History (6)

comment:1 by Klumbumbus, 8 years ago

Type: defect → enhancement

comment:2 by Don-vip, 8 years ago

Certum is trusted by default in the JRE, that's why we're customers... There's something wrong here.

comment:3 by wiktorn, 8 years ago

OK, I guess that I now better understand the issue.

Java and Firefox include this cert:
https://ssl-tools.net/certificates/07e032e020b72c3f192f0628a2593a19a70f069e.txt

(serial: 279744)

This is the root certificate for Certum. The one I'm proposing to add is intermediary and signed by serial: 279744.

The problematic server is:
https://emuia1.gugik.gov.pl/emuia/

It works properly in Chrome and Internet Explorer, but does not in Firefox. Probably because this certificate (the one I propose to add) is present as intermediary CA in Windows Key Store.

When I checked the Qualys report:
https://www.ssllabs.com/ssltest/analyze.html?d=emuia1.gugik.gov.pl

It looks like the server certificate doesn't send intermediate certificates together with its own, that's why Firefox is complaining. Had the server sent the intermediary CA certificate, I guess that it would work in Java and Firefox.

I'll try again to contact service provider with all this information, maybe I'll get them to fix this problem.

comment:4 by Don-vip, 8 years ago

Resolution: invalid
Status: new → closed

Yes, at least for Certum, Java only includes root CA, not intermediate ones. So you're right in the analysis, it's a provider issue, not something to fix on JOSM side :)

comment:6 by stoecker, 8 years ago

I don't see any changes on SSL test page. Can you tell us what results you have?
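
The failure diagnosed in comments 3 and 4, reproduced offline as an added example (not part of the ticket and not JOSM code): a client that trusts only the root rejects a server that sends its leaf certificate alone, and accepts it once the intermediate is sent along. It assumes the `openssl` CLI is installed; the three-level PKI and its `Lab ...` names are constructed for the demo.

```shell
#!/bin/sh
# Constructed lab PKI: "Lab root" -> "Lab inter" -> "Lab leaf".
# All names are made up for this example; no real server or CA is involved.

make_lab_pki() {  # $1 = empty directory to fill with keys and certificates
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
      -subj "/CN=Lab $n" -out "$1/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root: the only certificate in the client's trust store.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null || return 1
  # Server certificate, signed by the intermediate.
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -set_serial 3 -days 2 -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null || return 1
}

# $1 = PKI directory, $2 = what the server sends: leaf-only | with-intermediate
# -CAfile is the root-only trust store; -untrusted stands in for the extra
# certificates a server sends in its handshake (usable for path building,
# never trusted on their own).
chain_verifies() {
  if [ "$2" = with-intermediate ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
  fi 2>/dev/null | grep -q ': OK$'
}

# Demo: same trust store, two server configurations.
dir=$(mktemp -d) && make_lab_pki "$dir" && for mode in leaf-only with-intermediate; do
  if chain_verifies "$dir" "$mode"; then echo "$mode: chain verifies"
  else echo "$mode: verification fails"; fi
done
rm -rf "$dir"
```
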
