Question

What certificates are needed in Certmgr?

Feb 20, 2015 7:11AM PST

Answer
Certs
Feb 21, 2015 5:43AM PST

Hi Bob,

I assume you are referring to the Root CA store. These are basically the CAs that your device trusts to sign for the authenticity of other certificates. My understanding of the Lenovo Superfish issue wasn't that there was malicious code in the cert, but rather that by having the cert in the trusted root CA store, users were unknowingly trusting all certs signed by the SuperFish cert. Simply removing it from the store will prevent the device from automatically trusting a cert signed by that CA. I don't know of any software that scans for "bad" certs. I know with Firefox, you can enable OCSP checking for certs.

I hope this helped.

Rob
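
An inventory of the Windows trusted-root stores discussed in the answer above, as an added example that is not part of the original post. The watchlist pattern (taken from the certificate name mentioned in this thread), the variable names and the private-key check are assumptions of this example.

```powershell
# Added example: list every certificate in the trusted-root stores and flag
# entries that match a watchlist or that have a private key on this machine.
$watchlist = @('Superfish')   # assumption: subject substrings to flag

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # Inside Where-Object, $_ is the watchlist entry; $cert is the certificate.
        $hit = $watchlist | Where-Object { $cert.Subject -match [regex]::Escape($_) }
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # A root whose private key is present locally can sign certificates
            # on this machine, so it deserves a closer look.
            HasPrivateKey = $cert.HasPrivateKey
            Watchlisted   = [bool]$hit
        }
    }
}

# Full inventory, flagged entries first.
$report | Sort-Object Watchlisted -Descending |
    Format-Table Store, Subject, NotAfter, HasPrivateKey, Watchlisted -AutoSize

$flagged = $report | Where-Object { $_.Watchlisted -or $_.HasPrivateKey }
if ($flagged) {
    Write-Warning 'Review these trusted-root entries:'
    $flagged | Format-List
    # To stop trusting an entry, remove it from an elevated session, e.g.:
    # Remove-Item -Path 'Cert:\LocalMachine\Root\<THUMBPRINT>'
} else {
    Write-Output 'No watchlisted roots and no roots with a local private key.'
}
```

This covers the Windows stores only; Firefox keeps its own certificate store, so it has to be checked separately in the browser.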

Link shows a Superfish Inc Cert.
Feb 21, 2015 5:53AM PST
Trusted CA's
Feb 21, 2015 6:23AM PST

Hey Bob,

I am not aware of a comprehensive list, or software out there that indicates who to trust. Some of the industry major players are Verisign, Digicert, Geotrust, Thawte, GoDaddy, Network Solutions & Comodo. But this is not an exhaustive list by any means.

I know this isn't very helpful, but trust, like beauty, is in the eye of the beholder. ;)

Rob

Looks like another area to find scanner or such tools soon.
Feb 21, 2015 6:25AM PST

Thanks for sharing your list.

Tools
Feb 21, 2015 6:33AM PST

Yep, not only do we now have to consider the crapware that is pre-installed on devices, but now with the SuperFish goat rope, we now have to worry about crapcerts.

Just for fun
Feb 21, 2015 8:35AM PST

I booted to a USB Linux Mint with Firefox and deleted all the certificates except for Verisign. Took a while to get them all too! I then visited some places and they didn't display correctly unless I started adding certs back in. The biggest was the Google certificate, which opened up a lot of sites that weren't displaying correctly. Forums at CNET, however, worked OK without added certs, so maybe they use Verisign still, as in the past. Eventually, however, after doing Yahoo and AOL mail and some other pages, I discovered most if not all of the major certificates, by adding what was offered from those sites, were back in the Certificates area of the browser again.