gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root

Werner Koch wk at
Fri Apr 3 14:34:26 CEST 2009

On Thu,  2 Apr 2009 14:28, bernhard at said:
> Something is wrong with 
> CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE 
> Corporation,C=US,serial#: 01A5

In libksba/tests you find a useful tool for such cases:

  $ ./cert-basic GTE-CyberTrust-Global-Root.der 
  Certificate in `GTE-CyberTrust-Global-Root.der':
    serial....: (#01A5# )
    issuer....: `CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US'
    subject...: `CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US'
    notBefore.: 1998-08-13 00:29:00
    notAfter..: 2018-08-13 23:59:00
    hash algo.: 1.2.840.113549.1.1.4 (md5withRSAEncryption)
  cert-basic.c:285: enumerating extensions failed: No value
  SubjectKeyIdentifier: none
  AuthorityKeyIdentifier: none
  cert-basic.c:343: ksba_cert_is_ca failed: No value
  KeyUsage: Not specified
  ExtKeyUsages: none
  CertificatePolicies: none
  cert-basic.c:453: ksba_cert_get_crl_dist_point failed: No value
  cert-basic.c:472: ksba_cert_get_authority_info_access failed: No value
  cert-basic.c:491: ksba_cert_get_subject_info_access failed: No value
"ksba_cert_is_ca failed" is the problem with that certificate.  It is a
root certificate but it does not say so in its signedAttributes. Hmmm,
there are no signed attributes at all.

BTW, I consider this a feature of GnuPG: Wouldyou really trust a CA
which issues a root certificate valid for 20 years?  That was even
ridiculous back in 1998.  The use of MD5 was kind of justified 11 years

Don't spend any more time on this, you better use plaintext than GTE
Cybertrust "secured" encryption.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-devel mailing list