#12710 closed enhancement (invalid)
Add Unizeto / Certum CA to JOSM
Reported by: | wiktorn | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Core | Version: | |
Keywords: | Cc: | stoecker |
Description
As a followup to #12264.
Patch is present here:
https://josm.openstreetmap.de/changeset/10085/josm
Certificates issued by Unizeto / Certum are used by some of the WMS services in Poland. To overcome issues with using these services, the Polish community prepared instructions on how to add these certificates to the KeyStore, but this solution is not friendly for those less fluent with general computing.
The Unizeto certificate is included in most browsers (IE, Mozilla, Chrome). I don't use Safari, so I'm not sure if it's included there.
More information about the certificate on ssl-tools:
https://ssl-tools.net/subjects/b7b914aa326824841f36325549de03f1ef51f613
Attachments (0)
Change History (6)
comment:1 by , 8 years ago
Type: | defect → enhancement |
---|
comment:2 by , 8 years ago
comment:3 by , 8 years ago
OK, I guess that I now better understand the issue.
Java and Firefox include this cert:
https://ssl-tools.net/certificates/07e032e020b72c3f192f0628a2593a19a70f069e.txt
(serial: 279744)
This is the root certificate for Certum. The one I'm proposing to add is intermediary and signed by serial: 279744.
The problematic server is:
https://emuia1.gugik.gov.pl/emuia/
It works properly in Chrome and Internet Explorer, but does not in Firefox. Probably because this certificate (the one I propose to add) is present as an intermediary CA in the Windows Key Store.
When I checked the Qualys report:
https://www.ssllabs.com/ssltest/analyze.html?d=emuia1.gugik.gov.pl
It looks like the server certificate doesn't send intermediate certificates together with its own; that's why Firefox is complaining. Had the server sent the intermediary CA certificate, I guess that it would work in Java and Firefox.
I'll try again to contact the service provider with all this information; maybe I'll get them to fix this problem.
comment:4 by , 8 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Yes, at least for Certum, Java only includes the root CA, not intermediate ones. So you're right in the analysis, it's a provider issue, not something to fix on the JOSM side :)
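Added example, not part of the ticket or of JOSM: a simplified Python model of the path building discussed in comments 3 and 4, showing why a root-only trust store fails when the server omits the intermediate, while a client that already holds the intermediate succeeds. Certificates are reduced to constructed subject/issuer names (all placeholders); signatures, validity dates and extensions are not checked.

```python
from __future__ import annotations

from typing import NamedTuple, Optional


class Cert(NamedTuple):
    subject: str
    issuer: str


# Constructed sample PKI with placeholder names: root -> intermediate -> server.
ROOT = Cert("Example Root CA", "Example Root CA")  # self-signed trust anchor
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("wms.example.test", "Example Intermediate CA")
FULL_PATH = [LEAF.subject, INTERMEDIATE.subject, ROOT.subject]


def build_path(sent: list[Cert], trust_anchors: list[Cert],
               local_intermediates: tuple[Cert, ...] = ()) -> Optional[list[str]]:
    """Return subjects from server certificate to trust anchor, or None.

    sent[0] is the server certificate; sent[1:] is whatever else the server
    put in its handshake. local_intermediates models a client-side store that
    already holds intermediate CA certificates.
    """
    anchors = {c.subject for c in trust_anchors}
    candidates = {c.subject: c for c in (*sent[1:], *local_intermediates)}
    current, path = sent[0], [sent[0].subject]
    while current.issuer not in anchors:
        issuer = candidates.get(current.issuer)
        if issuer is None or issuer.subject in path:  # missing link or loop
            return None
        path.append(issuer.subject)
        current = issuer
    return path + [current.issuer]


def scenarios() -> dict[str, Optional[list[str]]]:
    """The three situations from the ticket, run on the constructed PKI."""
    return {
        "root-only store, server sends leaf only": build_path([LEAF], [ROOT]),
        "store also holds intermediate, leaf only":
            build_path([LEAF], [ROOT], (INTERMEDIATE,)),
        "root-only store, server sends full chain":
            build_path([LEAF, INTERMEDIATE], [ROOT]),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name}: {' -> '.join(path) if path else 'no path to a trust anchor'}")
```

Only the first scenario fails, which is why the fix belongs in the server's chain configuration rather than in each client's trust store.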
comment:5 by , 8 years ago
Maybe this link helps them: http://stackoverflow.com/questions/8120690/tomcat-doesnt-deliver-intermediate-certificate-https
comment:6 by , 8 years ago
I don't see any changes on SSL test page. Can you tell us what results you have?
Certum is trusted by default in the JRE, that's why we're customers... There's something wrong here.