direct SSL certificate pinning for and (wget local CA workaround)


ID: 81
PHID: PHID-TASK-4bwehywjhygtnz2beidw
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal


Since direct SSL certificate pinning for and (curl method) (T80) would have to wait a long time (until Debian stretch), this ticket tracks an alternative approach.

Please make sure you’ve read T80 first.

wget has no feature for direct certificate pinning (feature request).

Eventual workaround: create our own local certificate authority and add only the one certificate we want to use. Approach:

    # Point wget at a CA file that contains only our local CA (placeholders in angle brackets):
    wget --ca-certificate <file> <url>
    # Fetch the certificate chain the server actually presents:
    openssl s_client -showcerts -connect <host>:<port> >/tmp/x.cert </dev/null
    # Inspect the first certificate in that output and extract its public key:
    openssl x509 -in /tmp/x.cert -noout -text -pubkey

Open question: How to sign a certificate if you have no access to the private key and CSR (certificate signing request)?

OpenSSL users mailing list: “Sign public key without having CSR or private key?”; might work, didn’t test, not sure if it could work.
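Added example (not from this ticket or the project, and not the mailing-list poster's code) covering both the local-CA approach above and the open question about signing without a CSR or private key. It uses the `-force_pubkey` option of `openssl x509 -req`, which exists in OpenSSL 1.0.2 and newer: a throwaway CSR satisfies the `-req` requirement and `-force_pubkey` swaps in the public key extracted from the remote certificate. All keys and certificates are generated locally as constructed stand-ins; `remote.pem` plays the role of the file that `openssl s_client -showcerts` would return, and the function and file names are my own choices.

```shell
#!/bin/sh
# Added example: re-sign a certificate's public key with a local CA using
# OpenSSL's -force_pubkey (OpenSSL >= 1.0.2), then check it with openssl verify.
# Everything below is generated locally; no remote host is contacted.
set -e

# resign_with_local_ca DIR
# Creates in DIR: local-ca.pem (our trust anchor), remote.pem (constructed
# stand-in for the certificate fetched with 's_client -showcerts'),
# remote-pub.pem (its public key) and pinned.pem (that public key re-signed by
# the local CA, without any CSR or private key belonging to the remote host).
resign_with_local_ca() {
    dir="$1"
    mkdir -p "$dir"

    # 1. Our own local CA; its private key stays with us.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Local pinning CA (constructed)" \
        -keyout "$dir/local-ca.key" -out "$dir/local-ca.pem" 2>/dev/null

    # 2. Constructed stand-in for the remote host's certificate. In the real
    #    workflow this is the s_client output; we never hold remote.key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=remote.example (constructed)" \
        -keyout "$dir/remote.key" -out "$dir/remote.pem" 2>/dev/null

    # 3. Extract only the public key from the remote certificate.
    openssl x509 -in "$dir/remote.pem" -noout -pubkey > "$dir/remote-pub.pem"

    # 4. 'x509 -req' insists on a CSR, so make a throwaway one with a throwaway
    #    key; -force_pubkey then replaces that key with the remote public key.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=remote.example (constructed)" \
        -keyout "$dir/throwaway.key" -out "$dir/throwaway.csr" 2>/dev/null

    openssl x509 -req -in "$dir/throwaway.csr" \
        -force_pubkey "$dir/remote-pub.pem" \
        -CA "$dir/local-ca.pem" -CAkey "$dir/local-ca.key" -CAcreateserial \
        -days 30 -out "$dir/pinned.pem" 2>/dev/null
}

# verify_with_local_ca DIR CERT -> prints "ok" or "fail"
# Same check wget's TLS backend has to make: chain CERT to local-ca.pem only.
verify_with_local_ca() {
    if openssl verify -CAfile "$1/local-ca.pem" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# same_public_key CERT_A CERT_B -> prints "same" or "different"
# Confirms the re-signed certificate really carries the remote public key.
same_public_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    if [ "$a" = "$b" ]; then
        echo same
    else
        echo different
    fi
}

# Demonstration run in a temporary directory.
WORK=$(mktemp -d)
resign_with_local_ca "$WORK"
echo "pinned.pem against local CA:  $(verify_with_local_ca "$WORK" "$WORK/pinned.pem")"
echo "remote.pem against local CA:  $(verify_with_local_ca "$WORK" "$WORK/remote.pem")"
echo "pinned.pem keeps remote key:  $(same_public_key "$WORK/remote.pem" "$WORK/pinned.pem")"
echo "CA file for wget --ca-certificate: $WORK/local-ca.pem"
```

`local-ca.pem` is the file the ticket's `wget --ca-certificate <file>` would point at. The block only proves the offline step asked about in the open question: a certificate carrying the remote public key verifies against the local CA, while the original remote certificate does not. Whether wget's TLS backend then accepts the chain a live server presents when checked against that CA file is exactly the untested part the ticket describes, and has to be tried separately.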