Fedora User Certificates

Kai Engert kaie at redhat.com
Fri Aug 22 19:04:31 UTC 2008

Martin Sourada wrote:
> On Fri, 2008-08-22 at 10:20 -0500, Dennis Gilmore wrote:
>> Effective immediately we have replaced the CA that is in use for 
>> cvs.fedoraproject.org and koji.fedoraproject.org  This effects uploading to 
>> lookaside cache and building packages.
>> There are some manual steps that everyone needs to do to be able to use the 
>> systems again.
>> they are 
>> login to https://admin.fedoraproject.org/accounts/  and click on the "Download 
>> a client-side certificate" link at the bottom of the home page.  save the 
>> output to ~/.fedora.cert
>> rm ~/.fedora-server-ca.cert ~/.fedora-upload-ca.cert
>> fedora-packager-setup
>> then open your browser got to Edit -> Preferences -> Advanced -> Encryption -> 
>> View Certificates -> Your Certificates 
>> Select your existing Certificate and remove it  
>> then import the new one from ~/fedora-browser-cert.p12  you will be able to 
>> log in to koji
> I did this and I am still not able to log in to koji (trying with epiphany and firefox). This error pops out:
> Secure Connection Failed
> An error occurred during a connection to koji.fedoraproject.org.
> Peer does not recognize and trust the CA that issued your certificate.
> (Error code: ssl_error_unknown_ca_alert)
> The page you are trying to view can not be shown because the
> authenticity of the received data could not be verified.
>     * Please contact the web site owners to inform them of this problem.
> Is it me, or is it koji problem?
> Thanks,
> Martin

Parts of the Fedora infrastructure do not use certificates issued by a
CA already trusted by Firefox, but from Fedora's own certificate authority.

If you decide to trust Fedora to issue certificates that can identify
web sites, you could decide to import that CA cert to your set of
trusted roots.

You could go to https://admin.fedoraproject.org/fingerprints and install
the CA certificate available from the bottom of that page.

(Unfortunately the mime type currently is not application/x-x509-ca-cert
so you have to safe that file, and then open it, you might even have to
go to certificate manager and open the authorities tab, then import from

You can confirm the origin of the certificate by comparing the
fingerprint presented by Firefox with the one listed on the fingerprints
page (at least you'll know that the fingerprints page and the CA are
controlled by the same people).

Hope that helps,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3428 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20080822/a9466670/attachment.bin>

More information about the fedora-devel-list mailing list