The following is more difficult than the methods already in use. If you find it troublesome, use one of the various graphical methods. The method works for Firefox 3.6, Chrome, wget and curl. The author does not use Opera; anyone who knows how to handle it is welcome to speak up.
0. Delete the original system certificate.
This part applies only to Debian/Ubuntu. Other distributions may not have this file. If there are any mistakes, please correct them.
sudo rm /usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt
Note: if the ca-certificates package is upgraded, this file will come back. What should be done then?
Debian/Ubuntu also needs dpkg-reconfigure ca-certificates to be run before the removal is complete. I don't know how to do this on other distributions. The reason is that /etc/ssl/certs/ca-certificates.crt is a bundle of certificates.
To verify success (the pattern is the first line of the useful part of the file that was just deleted), run the following. No match indicates success. The pattern is base64 and grep is case-sensitive, so it must be typed exactly.
grep "MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC" /etc/ssl/certs/ca-certificates.crt
1. Install the package
# Varies by distribution
# Debian/Ubuntu users. fcicq loves sudo :D
sudo apt-get install libnss3-tools
# Fedora users
su -c "yum install nss-tools"
# Arch Linux users
sudo pacman -S nss
# Gentoo users need to add a USE flag
sudo sh -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use"
sudo emerge dev-libs/nss
The author has only tested on Ubuntu and does not guarantee that the installation commands for other systems are correct. After this, you should be able to run certutil. If not, leave a comment.
2. Download the certificate
Download https://dl.dropbox.com/u/1356279/proxys/CNNIC.7z and extract it into ~. It will be cleaned up later, so don't worry.
# Don't say you don't have p7zip. If you don't, extract it some other way.
cd; wget https://dl.dropbox.com/u/1356279/proxys/CNNIC.7z
p7zip -d CNNIC.7z
3.1 Firefox cleanup
First enter the profile directory
# If your Firefox has multiple profiles, or you keep them elsewhere, work it out yourself...
cd ~/.mozilla/firefox/*.default
The idea is to first try to modify the trust of the existing certificate and, if that fails, add the certificate with empty trust flags.
# Error messages are normal
certutil -d . -M -t "" -n "cnnic ssl" || certutil -d . -A -i ~/CNNIC/cnnicssl.crt -n "cnnic ssl" -t ""
certutil -d . -M -t "" -n "CNNIC root" || certutil -d . -A -i ~/CNNIC/cnnicroot.crt -n "CNNIC root" -t ""
certutil -d . -M -t "" -n "entrust.net secure server ca" || certutil -d . -A -i ~/CNNIC/entrust.netsecureservercertificationauthority.crt -n "entrust.net secure server ca" -t ""
To view the results:
certutil -d . -L
3.2 Chrome cleanup
Chrome users may have noticed LinuxCertManagement.
# Errors are normal. If no errors occur, it is because you have run the commands twice.
certutil -d sql:$HOME/.pki/nssdb -M -t "" -n "cnnic ssl" || certutil -d sql:$HOME/.pki/nssdb -A -i ~/CNNIC/cnnicssl.crt -n "cnnic ssl" -t ""
certutil -d sql:$HOME/.pki/nssdb -M -t "" -n "CNNIC root" || certutil -d sql:$HOME/.pki/nssdb -A -i ~/CNNIC/cnnicroot.crt -n "CNNIC root" -t ""
certutil -d sql:$HOME/.pki/nssdb -M -t "" -n "entrust.net secure server ca" || certutil -d sql:$HOME/.pki/nssdb -A -i ~/CNNIC/entrust.netsecureservercertificationauthority.crt -n "entrust.net secure server ca" -t ""
To view the results:
certutil -d sql:$HOME/.pki/nssdb -L
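To check the listings from 3.1 and 3.2 mechanically rather than by eye, the following added example (not part of the original post) parses certutil -L output and reports any nickname that is missing or still carries trust flags. The function names and the sample listing are constructed for illustration.

```shell
# check_distrusted NICKNAME...
# Reads `certutil -L` output on stdin and prints one status line per nickname.
# Returns 0 only if every nickname is listed with empty trust flags (",,").
check_distrusted() {
    listing=$(cat)
    rc=0
    for nick in "$@"; do
        # The trust column is the last whitespace-separated field; the
        # nickname is everything before it (nicknames may contain spaces).
        flags=$(printf '%s\n' "$listing" | awk -v want="$nick" '
            NF >= 2 {
                name = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
                if (name == want) { print $NF; exit }
            }')
        case "$flags" in
            ",,") echo "OK       $nick" ;;
            "")   echo "MISSING  $nick"; rc=1 ;;   # not in this database
            *)    echo "TRUSTED  $nick ($flags)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample of `certutil -d . -L` output, for illustration only.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cnnic ssl                                                    ,,
CNNIC root                                                   C,,
EOF
}

# Real use: certutil -d . -L | check_distrusted "cnnic ssl" "CNNIC root" ...
sample_listing | check_distrusted "cnnic ssl" "CNNIC root" \
    "entrust.net secure server ca" || echo "some certificates are not distrusted"
```

A MISSING result means the nickname is not in that database at all, so the -A step for it did not take effect there.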
4. Test
https://tns-fsverify.cnnic.cn/
https://www.enum.cn/
5. Clean up
# Unless you work there, you won't already have a directory with this name, right? The author is not responsible for files deleted by mistake.
rm ~/CNNIC.7z; rm -r ~/CNNIC
6. Command reference
certutil
7. Postscript
I did not delete the certificate, but the certificate is not verified. If you don't like it, you can change it yourself. For more information about the commands, see.
In fact, the biggest problem is that Entrust.net trusts CNNIC. Some people say that they can defend against attacks without upgrading the browser, which is a joke.
The browser Arora is very interesting, but its immunization operation failed occasionally. Does anyone know how to do this?
The following are not related to Linux.
In addition, the Windows Server Administration Pack contains certutil.exe. If you are in a position to, try making an immunization tool. There is also a Win32 build of the Mozilla certutil.exe (which you may need to compile yourself). The two program names clash.