Ubuntu
ca-certificates package

Ubuntu Root Certification Policy

Asked by Jegan

Hi, I am a researcher and I have the following questions to ask.

Does Ubuntu have a root certification policy which dictates the criteria in which a root certificate is added?
If such decisions are deferred to other organizations (Like Mozilla or etc), which organizations are used and how does Ubuntu select which certificates to include or not include?
Additionally how does Ubuntu handle things like name constrains and certificate restrictions within the operating system?
Are there any resources which can further explain answers to these questions?

I understand that the root store is based off the NSS but the NSS itself includes 148 certificates (According to Firefox).
Meanwhile the root certificates included in Ubuntu 20.04 differs from the NSS, it has 128 certificates and only 120 of them are included in the NSS. Hence I would like some information in understanding the discrepancy.

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu ca-certificates Edit question
Assignee:
No assignee Edit question
Solved by:
Bernard Stafford
Solved:
Last query:
Last reply:
Revision history for this message
Bernard Stafford (bernard010) said : 		#1

http://manpages.ubuntu.com/manpages/trusty/man1/verify.1ssl.html
https://askubuntu.com/questions/882558/how-is-the-ubuntu-root-ca-store-created
https://help.ubuntu.com/community/GnuTLS
https://wiki.ubuntu.com/CAcert
https://ubuntu.com/server/docs/security-certificates
The HTTPS example, a CA-signed certificate provides two important capabilities that a self-signed certificate does not.
https://ubuntu.com/security/notices/USN-3270-1 -> NSS vulnerabilities
https://ubuntu.com/security/notices/USN-4397-1 -> NSS vulnerabilities
https://ubuntu.com/security/notices/USN-4234-1 -> Firefox vulnerabilities
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12399.html
https://help.ubuntu.com/community/SSH/OpenSSH/Keys -> Public key authentication is more secure than password authentication.

Revision history for this message
Bernard Stafford (bernard010) said : 		#2

https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate
http://certification-static.canonical.com/docs/Ubuntu_Server_Hardware_Certification_Policy_Guide.pdf

Revision history for this message
Bernard Stafford (bernard010) said : 		#3

https://en.wikipedia.org/wiki/Certificate_authority
https://www.ssl.com/faqs/what-is-a-certificate-authority/
https://cheapsslsecurity.com/blog/what-is-a-certificate-authority-ca/
https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server
https://ubuntu.com/server/docs/security-certificates

Revision history for this message
Jegan (jegan019) said : 		#4

Thank you for the resources.

The resources a range of topics which don't entirely provide the information I am seeking. So let me rephrase my questions based on the resources provided.

1) Ubuntu does not maintain a Root Certificate Program where CAs can apply to have a root certificate present in ca-certificates (Which is Ubuntu's root store). Is this statement true or false? If it is false then what is the Root Certificate policy, other then making a bug request, is there any formal policy. For example, Microsoft has a root certificate program and the documentation is available here. (https://docs.microsoft.com/en-us/security/trusted-root/program-requirements)

2) Mozilla's NSS does have some overlap with Ubuntu's root certificate store. What is the extent of that overlap, specifically how much of decisions pertaining to the inclusion and exclusion of root certificates are deferred to Mozilla.

3) Evidence shows that not all certificates included in the NSS are also included in ca-certificates. Some of the resources shown points to NSS and Firefox vulnerabilities, does that mean that discrepancies are due to Ubuntu removing certificates affected by these vulnerabilities?

4) What does the Ubuntu operating system use for TLS. OpenSSL, GNUTLS or NSS?

While additional resources are helpful, I would prefer if anyone can provide answers.

Thank you very much

Revision history for this message
Best Bernard Stafford (bernard010) said : 		#5

1) Ubuntu does not have a root certificate store. Each server owner purchases a certificate from a independent cert site.
     One example is Verisign : https://www.verisign.com/en_US/company-information/index.xhtml . The list is too vast to list
      all of them. Ubuntu is not limited to a defined cert only, this lowers the cost and is more versatile. Microsoft has to have their
      own + which other the owner wants to purchase for the server. The guidelines are the security section of the server
      documentation that I posted above. Programs on Ubuntu like certmonger and others make it easier to deal with certs.
2) Mozilla has many decisions regarding certs. One example was the certs involved within Firefox 78 when it was compromised
     Mozilla's NSS voided all of those certs. Documentation is posted above.
3) That is True. Between Ubuntu and NSS also which watches cert validation their is a program on Ubuntu that checks cert. for
     validation every time a login is made or goes online through the server which is monitored and automatically checked,
     needed rejected and documented in a log.
4) Each of these are different packaging through Ubuntu. Example is TLS - https://ubuntu.com/server/docs/service-ldap-with-tls
     Packaging example : https://packages.ubuntu.com/focal/libapache2-mod-gnutls
     This is only one of many different options for packaging : https://packages.ubuntu.com/focal/libgnutls-openssl27
      NSS packaging : https://packages.ubuntu.com/focal/nss-plugin-pem One of many for NSS.
5) Ubuntu has packaging options that are very vast and many that is up to the Administrator & or Owner to add after Ubuntu
     Server is in place. Ubuntu is versatile through its very huge amount of program packaging options. First you start with
     the basic server program install and decide what type of server you need, what you are using it for, how large it needs to
     be. Huge volume Ubuntu servers have packaging such as: https://packages.ubuntu.com/focal/openstack-debian-images
     https://wiki.ubuntu.com/OpenStack Openstack can handle huge volume of logins, Cloud computing.
     https://www.openstack.org/

Revision history for this message
Bernard Stafford (bernard010) said : 		#6

https://ubuntu.com/download/server

Revision history for this message
Bernard Stafford (bernard010) said : 		#7

https://ubuntu.com/support

Revision history for this message
Bernard Stafford (bernard010) said : 		#8

Not to confuse you. : Ubuntu Server download of the iso comes with its own CA certificates within the initial install.
Other certs may be purchased through independent agencies if they are wanted or needed.

Revision history for this message
Jegan (jegan019) said : 		#9

Thanks Bernard Stafford, that solved my question.

Revision history for this message
Jegan (jegan019) said : 		#10

Thank you very much for answering the questions. This helps a lot.