I believe the actual problem is *not* the lack of the intermediate certificate "CN=VeriSign Class 3 Extended Validation SSL SGC CA"; it is in fact that a root certificate
Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Serial: 70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
was present in ca-certificates 2010.63-3, but missing in the recently released ca-certificates-2011.78-1.fc14.noarch. The missing CA certificate is still valid according to VeriSign and Mozilla.
This is a bit confusing: although the root certificate is valid, VeriSign stopped using it for signing in 5/2009, replacing it with another certificate with the same subject and keyid, but a different serial number (3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be), as part of their move away from MD2 signatures.
My workaround: Add the dropped certificate manually back into /etc/pki/tls/certs/ca-bundle.crt
I notice that big sites such as vonage, paypal, optionsxpress still deliver certificates whose trust is ultimately established by the now missing root certificate.
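
A way to check which of the two roots a CA bundle actually carries, as an added example that is not part of the original comment. Because both roots share a subject and keyid, the check matches on serial number. The function names and the `constructed_cert` stub input are assumptions made for illustration; the two serials are the ones quoted in the comment.

```python
import base64
import re

# Serials quoted in the comment above: the dropped root and its replacement.
OLD_ROOT = "70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf"
NEW_ROOT = "3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def cert_serial(der):
    """Return the certificate serial as colon-separated lowercase hex."""
    _, start, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, start, _ = _tlv(der, start)         # TBSCertificate SEQUENCE
    tag, vstart, vend = _tlv(der, start)
    if tag == 0xA0:                        # [0] version is present only in v2/v3 certs
        tag, vstart, vend = _tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    raw = der[vstart:vend]
    if len(raw) > 1 and raw[0] == 0:       # drop the DER sign-padding byte
        raw = raw[1:]
    return ":".join(f"{b:02x}" for b in raw)

def serials_present(pem_text, wanted=(OLD_ROOT, NEW_ROOT)):
    """Map each wanted serial to True/False depending on whether the bundle holds it."""
    found = {cert_serial(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)}
    return {s: s in found for s in wanted}

def constructed_cert(serial, v3=False):
    """Constructed sample input: a DER stub with only version and serial, not a real certificate."""
    body = bytes.fromhex(serial.replace(":", ""))
    tbs = (b"\xa0\x03\x02\x01\x02" if v3 else b"") + bytes([0x02, len(body)]) + body
    der = bytes([0x30, len(tbs) + 2, 0x30, len(tbs)]) + tbs
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle = constructed_cert(NEW_ROOT)    # stands in for a bundle that lost the old root
    print(serials_present(bundle))
```

On a real system, pass the contents of `/etc/pki/tls/certs/ca-bundle.crt` to `serials_present`; any text between the PEM blocks is ignored.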