
How to verify a certificate.

#1 ·
I use Claws Mail and I get repeated warnings that the Gmail POP3 certificate has changed. During the past week I received three different certificates, all claiming to be the pop.gmail.com certificate, each with a different fingerprint:

MD5: 77:2E:83:46:B7:FA:A7:8E:16:30:20:BC:32:4A:B7:5D
SHA1: 7E:FE:1A:5A:FD:15:1F:63:70:B9:81:9A:C9:EA:EF:EC:4A:42:59:46

MD5: 4B:8B:1C:D3:A8:4D:84:30:9D:C9:C7:47:61:C2:CF:86
SHA1: 7F:C7:46:5F:50:4E:2A:84:6B:E8:C6:4F:37:B6:34:52:34:B8:BF:77

MD5: C7:A6:CA:35:34:8A:EC:1E:D5:B4:91:88:C4:16:25:99
SHA1: 32:C8:D9:C3:FA:34:A1:0C:7F:21:EB:6C:A1:7B:F3:75:DA:95:9E:93

Maybe Gmail uses several certs, but I decided to make sure. I got nowhere on the Gmail questions forum, so I looked in the Claws Mail cert folder and found there is one of the Gmail server certs and also a certificate chain, which shows the root certificate is GeoTrust Global CA, so I looked at the root certificates on the GeoTrust site. The fingerprints on the GeoTrust Global CA root certificate on that site do not match the fingerprints on the certificate chain I have.
Can anyone tell me, is there something wrong here or not?
I tried to upload the cert chain in its original format but that would not work, so I attached it as a text file.
 

#11 ·
I know how you verify a chain. My point is, how do you verify the root certificate?
OK, to put it another way.
I could make myself a root certificate. I could call it whatever I want to call it, so I call my root certificate GeoTrust Global CA. I then use that certificate to sign a certificate I call Google Internet Authority. I then use that certificate to sign another one called pop.gmail.com.
That chain would check out because each cert is signed by the one above it, so the entire chain is trusted only because the root cert is trusted.
How do you know whether the root cert was created by me or created by GeoTrust, when the root cert on the GeoTrust site does not match it regardless?
 
#13 ·
You can create your own cert and call it whatever you want. That's called a self-signed cert. You can't call it GeoTrust etc. as that isn't a valid identity for the certificate, but even if you did, it would still be untrusted as it wouldn't be signed by a certificate authority.
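
An added example, not part of the thread: the root question in #11 is answered by comparing the root in the saved chain, byte for byte, with a copy obtained independently of the server, such as the operating system's trust store, because the name on a certificate carries no weight. The Python below prints fingerprints in the format shown in #1 and makes that comparison; the sample certificates are constructed placeholder bytes, and the function names and `chain.pem` path are illustrative.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprint(der, algo="sha1"):
    """Colon-separated hex digest of a certificate's DER bytes (format used in #1)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def split_chain(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [ssl.PEM_cert_to_DER_cert(block) for block in PEM_RE.findall(pem_text)]

def system_anchors():
    """SHA-256 fingerprints of roots loaded from the OS trust store.
    Roots kept only in a capath directory are not listed until they are used."""
    ctx = ssl.create_default_context()
    return {fingerprint(der, "sha256") for der in ctx.get_ca_certs(binary_form=True)}

def root_is_anchored(chain_pem, anchors):
    """True only if the last certificate in the bundle is byte-identical to an anchor."""
    chain = split_chain(chain_pem)
    return bool(chain) and fingerprint(chain[-1], "sha256") in anchors

# Constructed stand-ins (arbitrary bytes, not real certificates). A fingerprint is a
# hash of the DER bytes, so the comparison works the same way on real files.
LEAF = b"constructed: pop.gmail.com leaf"
GENUINE_ROOT = b"constructed: root as shipped in the trust store"
LOOKALIKE_ROOT = b"constructed: root with the same name but another key"

def bundle(*ders):
    """Join DER blobs into one PEM text, leaf first and root last."""
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)

DEMO_ANCHORS = {fingerprint(GENUINE_ROOT, "sha256")}

if __name__ == "__main__":
    for label, root in (("genuine", GENUINE_ROOT), ("look-alike", LOOKALIKE_ROOT)):
        chain = bundle(LEAF, root)
        print(label, fingerprint(split_chain(chain)[-1]),
              "anchored" if root_is_anchored(chain, DEMO_ANCHORS) else "NOT anchored")
    # On a real file (hypothetical path):
    #   root_is_anchored(open("chain.pem").read(), system_anchors())
```

The comparison is only as good as the source of the anchors: they have to come from somewhere other than the connection being checked.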
 