
Add Root CA with SHA1 signature

This is required for some versions of OpenSSL that have trouble
establishing and verifying the new certificates for rubygems.org.

SHA-1-based signatures for trusted root certificates are not a
problem because TLS clients trust them by their identity, rather
than by the signature of their hash.

http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
luislavena committed Nov 11, 2014
1 parent 7ca3998 commit 5a31f092d483ea7ccd91adbf08a88593cf0fbbc7
Showing with 25 additions and 0 deletions.
  1. +25 −0 lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem
@@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
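
Review bot: The new file lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem is a bare PEM block, so nothing in the diff lets a reviewer confirm which certificate it is or that it matches what the CA publishes. Because this file becomes a trust anchor for connections to rubygems.org, please record its subject, validity dates and SHA-256 fingerprint in the commit message or next to the file (for example the output of `openssl x509 -noout -subject -dates -fingerprint -sha256`), and state where the certificate was obtained. The file name also encodes the key size rather than the signature algorithm the commit message is about, so it does not tell a reader how this root differs from any other AddTrust root in the bundle; a one-line note on that would help.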

3 comments on commit 5a31f09

indirect Nov 12, 2014

Member

As far as I can tell, this is the only cert that is needed. Do we need to keep the other AddTrust cert for some reason?

luislavena Nov 12, 2014

Member

@indirect this was done as requested by Eric (keep both root certs).

I did confirm that the SHA384 version didn't work with current certs, only the SHA1 version, but that is something we can clear up at a later time.

indirect Nov 12, 2014

Member