Technologist

Tech stuff about Cloud, DevOps, SysAdmin, Virtualization, SAN, Hardware, Scripting, Automation and Development


Have you had issues with an application complaining about SSL/TLS connectivity to a server?

If the server is using a valid third-party signed certificate you should not see issues connecting from a web browser, but you may see issues connecting from the command line or from an application.

In short, SSL/TLS works like this: the client (web browser, command line shell, application, etc.) connects to the server and the server responds with a certificate.
This server certificate is signed by a Certificate Authority (CA), and the client checks whether that CA is in its local database of trusted Certificate Authorities before it trusts the server certificate.

Web browsers have their own trusted Certificate Authority databases or use the operating system's, and that is why your browser rarely complains if the server certificate is signed by a valid CA.

Flow:
Client ---> Server
Server --- SSL/TLS certificate --> Client
Client checks server certificate against its CA database to trust or not

Now let’s test from the Linux command line:
// The 'verify error' lines are the errors we are getting
// The information we need is in the 'Certificate chain' section: the certificate (s:) and the issuer (i:)

We are missing the Issuer (CA) certificate:
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

…which is what we need to be able to trust the server certificate:
s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.example.com

[vagrant@vagrant ~]$ openssl s_client -connect site.example.com:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.example.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.example.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Server certificate
subject=/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.example.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3


No client certificate CA names sent

SSL handshake has read 1547 bytes and written 591 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 6A6F797F1318EC872CBD4DD899493DB949E08F78A050580F70F9621ABB0ACE0C
Session-ID-ctx:
Master-Key: 4E12620FCE8592D4D272E58D9DC9C313D4A6D83B2956880279F58526526B9AB0AF8A9660AEB40F03FF46CDDFCB970A74
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1439626705
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

DONE

# Get CA Issuer Certificate(s)

Now that we know we are missing the Issuer certificate we need to get it from the Certificate Authority website. In this specific case we need:
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Later you will hit the exact same issue with the 'VeriSign Class 3 Secure Server CA - G3' certificate, because it in turn needs its issuer certificate, 'VeriSign Class 3 Public Primary Certification Authority - G5', so you will need to get that certificate as well.

I searched online for both and found them at:
https://www.tbs-certificates.co.uk/FAQ/en/565.html
https://www.tbs-certificates.co.uk/FAQ/en/599.html

Take everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (inclusive) and put each certificate in its own file (e.g. verisign_class_3_secure_server_ca_g3.pem and verisign_class_3_secure_server_ca_g5.pem).

Having both files will ensure you have the entire trust chain:
*.example.com CERT trusted by 'VeriSign Class 3 Secure Server CA - G3' CERT trusted by 'VeriSign Class 3 Public Primary Certification Authority - G5'

$ cat /tmp/ca_certs/verisign_class_3_secure_server_ca_g3.pem


$ cat /tmp/ca_certs/verisign_class_3_secure_server_ca_g5.pem


# Check CA Issuer Certificates Details

$ openssl x509 -in verisign_class_3_secure_server_ca_g3.pem -text  

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6e:cc:7a:a5:a7:03:20:09:b8:ce:bc:f4:e9:52:d4:91
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA – G3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
OCSP – URI:http://ocsp.verisign.com

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/cps
User Notice:
Explicit Text: https://www.verisign.com/rpa

X509v3 CRL Distribution Points:
URI:http://crl.verisign.com/pca3-g5.crl

X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0…+…………..k…j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Alternative Name:
DirName:/CN=VeriSignMPKI-2-6
X509v3 Subject Key Identifier:
0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
X509v3 Authority Key Identifier:
keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33

Signature Algorithm: sha1WithRSAEncryption

$ openssl x509 -in verisign_class_3_secure_server_ca_g5.pem -text  

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Jul 16 23:59:59 2036 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0…+…………..k…j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Key Identifier:
7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
Signature Algorithm: sha1WithRSAEncryption

# Trust the CA Issuer Certificates

There are several ways to do it, see below for some and their pros/cons.

1) Put the CA Issuer certificates in pem format in a folder, and use them directly from the application

This is good for a quick test, but I don't recommend it as standard operating procedure because you have to manage each set of certs and have the applications point to hardcoded paths.

// Create dir to hold certs

mkdir /tmp/ca_certs

// Put the CA issuer cert in the directory

mv verisign_class_3_secure_server_ca_g3.pem /tmp/ca_certs
mv verisign_class_3_secure_server_ca_g5.pem /tmp/ca_certs

// Create symbolic links needed

$ c_rehash /tmp/ca_certs/
Doing /tmp/ca_certs/
verisign_class_3_secure_server_ca_g3.pem => 46117fcc.0
verisign_class_3_secure_server_ca_g5.pem => b204d74a.0

// Verify successful connectivity by passing the CApath

$ openssl s_client -CApath /tmp/ca_certs/ -connect site.example.com:443

CONNECTED(00000003)
depth=2 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = “(c) 2006 VeriSign, Inc. – For authorized use only”, CN = VeriSign Class 3 Public Primary Certification Authority – G5
verify return:1
depth=1 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA – G3
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.Example.com
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Server certificate
subject=/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

No client certificate CA names sent

SSL handshake has read 1547 bytes and written 591 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 6A6F797F1318E8462CBD4DD899493DB949E08F78A0505C4E70F9621ABB0AA280
Session-ID-ctx:
Master-Key: 50D309E782DF245FA36BD1028197459FE1A56B976D947D2994BBB75A0754D18AD44A90F29AC818DB28562F0E9E2E5442
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1439631686
Timeout : 300 (sec)
Verify return code: 0 (ok)
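
The same failure and fix can be reproduced offline with a constructed three-level chain standing in for the server certificate, the G3 intermediate and the G5 root. This is an added example, not part of the original post; every name, path and certificate in it is constructed, and the hash symlink is created by hand to show what c_rehash does for each file.

```sh
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" and its fix
# with a constructed chain (leaf -> intermediate -> root). All names are made up.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# new_csr NAME CN: create NAME.key and NAME.csr under $WORK
new_csr() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign NAME ISSUER EXT_SECTION SERIAL: issue NAME.pem from NAME.csr
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -set_serial "$4" -days 2 -extfile "$WORK/ca.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

make_chain() {
  # Self-signed root (plays the role of the G5 root in the post).
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 2 \
    -subj "/CN=Constructed Root CA" 2>/dev/null &&
  new_csr intermediate "Constructed Intermediate CA" &&
  sign intermediate root v3_ca 2 &&
  new_csr leaf "site.example.test" &&
  sign leaf intermediate v3_leaf 3
}

# trust_cert DIR CERT: copy CERT into DIR and add the <subject-hash>.0 symlink
# that -CApath lookups need (.0 is a counter for hash collisions).
trust_cert() {
  hash="$(openssl x509 -in "$2" -noout -subject_hash)"
  cp "$2" "$1/"
  ln -sf "$(basename "$2")" "$1/$hash.0"
}

# verify_leaf DIR: print openssl's diagnostics, return its exit status
verify_leaf() {
  openssl verify -CApath "$1" "$WORK/leaf.pem" 2>&1
}

EMPTY="$WORK/trust_empty"          # no issuer certificates at all
ONLY_INT="$WORK/trust_intermediate" # intermediate only, root still missing
FULL="$WORK/trust_full"            # intermediate and root: complete chain
mkdir "$EMPTY" "$ONLY_INT" "$FULL"

make_chain
trust_cert "$ONLY_INT" "$WORK/intermediate.pem"
trust_cert "$FULL" "$WORK/intermediate.pem"
trust_cert "$FULL" "$WORK/root.pem"

for d in "$EMPTY" "$ONLY_INT" "$FULL"; do
  echo "== CApath: $(basename "$d")"
  verify_leaf "$d" || echo "   -> verification failed"
done
```

Only the directory holding both issuer certificates verifies, which is why the post fetches the G5 certificate as well as G3.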

2) Append the CA Issuer Certificates to the OS certificate bundle (/etc/pki/tls/certs/ca-bundle.crt)

This is not recommended as standard operating procedure because patches/updates will overwrite the certificate bundle file (/etc/pki/tls/certs/ca-bundle.crt) and the certificates you had added won't be trusted anymore.

$ sudo bash -c  'cat /tmp/ca_certs/verisign_class_3_secure_server_ca_g{3,5}* >> /etc/pki/tls/certs/ca-bundle.crt'

// Verify successful connectivity

$ openssl s_client -connect site.example.com:443

CONNECTED(00000003)
depth=2 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = “(c) 2006 VeriSign, Inc. – For authorized use only”, CN = VeriSign Class 3 Public Primary Certification Authority – G5
verify return:1
depth=1 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA – G3
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.Example.com
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Server certificate
subject=/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

No client certificate CA names sent

SSL handshake has read 1547 bytes and written 591 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 6A6F797F1318E8462CBD4DD899493DB949E08F78A0505C4E70F9621ABB0AA280
Session-ID-ctx:
Master-Key: 50D309E782DF245FA36BD1028197459FE1A56B976D947D2994BBB75A0754D18AD44A90F29AC818DB28562F0E9E2E5442
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1439631686
Timeout : 300 (sec)
Verify return code: 0 (ok)

3) Use the SharedSystemCertificates (*** Recommended ***)
This is the recommended way of adding trusted CA certificates to your RHEL/CentOS systems.
The idea is to make NSS, GnuTLS, OpenSSL and Java share a default source for retrieving system certificate anchors and black list information, details @ https://fedoraproject.org/wiki/Features/SharedSystemCertificates

// Enable the CA trust capability

/usr/bin/update-ca-trust enable

// Copy/Move the Issuer CA certificates to /etc/pki/ca-trust/source/anchors/

$ sudo cp /tmp/ca_certs/verisign_class_3_secure_server_ca_g{3,5}* /etc/pki/ca-trust/source/anchors/

// Update the CA trust

/usr/bin/update-ca-trust extract

// Verify successful connectivity

$ openssl s_client -connect site.example.com:443

CONNECTED(00000003)
depth=2 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = “(c) 2006 VeriSign, Inc. – For authorized use only”, CN = VeriSign Class 3 Public Primary Certification Authority – G5
verify return:1
depth=1 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA – G3
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.Example.com
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Server certificate
subject=/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

No client certificate CA names sent

SSL handshake has read 1547 bytes and written 591 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 6A6F797F1318E8462CBD4DD899493DB949E08F78A0505C4E70F9621ABB0AA280
Session-ID-ctx:
Master-Key: 50D309E782DF245FA36BD1028197459FE1A56B976D947D2994BBB75A0754D18AD44A90F29AC818DB28562F0E9E2E5442
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1439641898
Timeout : 300 (sec)
Verify return code: 0 (ok)

While working on my video library I noticed that I had to rename a bunch of files to have correct file names that include Show name and Episode name and number.

I have about 275 files named from 000-274, but I needed to rename them to specify the season and episode they correspond to.

For example, files from 125 – 150 are from season 5 of said show, and that is what I will use for this post.

An example of a file in the 125 – 150 range:
'SHOW - 135 - Some Episode_www.unneededStuff.mp4'

As you can see, the filename has the following structure (which I will modify later in this post):

(ShowName) - (filename #) - (EpisodeName)_(Extra unneeded stuff).(extension)

I will be using the Linux/Mac rename command to rename these files (125-150).
The end result should be that these files are renumbered 501-526 (for Season 5), so I will use arithmetic to manipulate the numbers into what I want.
I will also clean up the name a little so that it does not include the 'extra unneeded stuff'.
The name of a file should be of the form:
'SHOW - 511 - Some Episode.mp4'

First make sure you work with the specific files you want to modify and nothing else:

$ ls SHOW\ -\ 1{2{5..9},3,4,50}*

// The above lists only the files numbered 125 - 150, so you can confirm that nothing else will be touched/modified.
// Bash brace expansion builds the list of prefixes for 125 - 150:
// it expands to 125 through 129, plus anything matching 13*, 14* and 150

Use the rename command with a regular expression that modifies the name the way you want.
I have the following regular expression:

's/(^.+)\s-\s(\d\d\d)(.+)_www.+(\..+$)/$1." - ".($2+376).$3.$4/e'

Explanation:
// (^.+)\s-\s is the show name plus ' - '; I group just the name of the show to use it later
// (\d\d\d) is the incorrect episode number used in the filename
// (.+)_www.+ is the episode name plus the 'unneeded stuff'; I group just the episode name to use it later
// (\..+$) is the file extension; I group it to use it later

// What the regex above captured is substituted as follows.
// The /e modifier at the end makes Perl evaluate the replacement as an expression, which is what allows the arithmetic and the . concatenation:
$1 the show name
" - " a literal " - " concatenated after the show name
($2+376) the old file number plus 376, which gives the correct episode number. For example, 135 becomes 511 (which is Season 5, episode 11)
$3 the episode name captured by the regex
$4 the file extension captured by the regex

Run rename with -n (dry run) using the regex and file list created above to verify it will give you what you want/expect.

$ rename -n 's/(^.+)\s-\s(\d\d\d)(.+)_www.+(\..+$)/$1." - ".($2+376).$3.$4/e' SHOW\ -\ 1{2{5..9},3,4,50}*

Output:

'SHOW - 135 - Some Episode_www.unneededStuff.mp4' would be renamed to 'SHOW - 511 - Some Episode.mp4'

Now run it again without -n:

$ rename  's/(^.+)\s-\s(\d\d\d)(.+)_www.+(\..+$)/$1." - ".($2+376).$3.$4/e' SHOW\ -\ 1{2{5..9},3,4,50}*
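
The same mapping in plain POSIX shell, as an added example that is not part of the original post: `new_episode_name` and `rename_season` are hypothetical helper names, and the offset (376 above) is passed as an argument. It runs as a dry run unless `APPLY=1` is set, and it never overwrites an existing file.

```shell
#!/bin/sh
# Added example (not from the original post); helper names are illustrative.

# new_episode_name FILE OFFSET
# Prints the new name for a file shaped like
#   "<show> - <3 digits><episode>_www<junk>.<ext>"
# and returns 1 for anything else, so unrelated files are never touched.
new_episode_name() {
    file=$1; offset=$2
    case $file in *_www?*.?*) ;; *) return 1 ;; esac
    ext=.${file##*.}                 # like (\..+$): the last ".ext"
    stem=${file%_www*}               # drop "_www" and everything after it
    # like (^.+)\s-\s(\d\d\d): greedy, so the last " - ddd" in the stem wins
    show=$(expr "X$stem" : 'X\(.*\) - [0-9][0-9][0-9]') || return 1
    rest=${stem#"$show - "}          # e.g. "135 - Some Episode"
    episode=${rest#???}              # like (.+): " - Some Episode"
    num=${rest%"$episode"}           # "135"
    [ -n "$episode" ] || return 1
    # expr does decimal arithmetic, so "099" is not misread as octal
    printf '%s - %s%s%s\n' "$show" "$(expr "$num" + "$offset")" "$episode" "$ext"
}

# rename_season OFFSET FILE...
# Prints "old -> new" for each match (dry run); renames only when APPLY=1.
# A target that already exists is reported and left alone.
rename_season() {
    season_offset=$1; shift
    for f in "$@"; do
        new=$(new_episode_name "$f" "$season_offset") || { echo "skip: $f" >&2; continue; }
        if [ -e "$new" ]; then
            echo "exists, not overwriting: $new" >&2
        elif [ "${APPLY:-0}" = 1 ]; then
            mv -- "$f" "$new"
        else
            echo "$f -> $new"
        fi
    done
}

# Usage from bash (the brace expansion needs bash): dry run, then apply
#   rename_season 376 SHOW\ -\ 1{2{5..9},3,4,50}*
#   APPLY=1 rename_season 376 SHOW\ -\ 1{2{5..9},3,4,50}*
```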

I needed to keep some content on my laptop synchronized to a NAS. Rsync is the tool of choice, but the simple rsync command I was using was not working:

john@mymac.example.com:~/Downloads$ rsync -avz -e ssh source/ user@nas.example.com:/data/stuff/ 
ssh: connect to host nas.example.com port 22: Connection refused
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at /SourceCache/rsync/rsync-42/rsync/io.c(452) [sender=2.6.9]

In the above case, the NAS's SSH daemon was not listening on the default SSH port 22; it was listening on port 10022.
So I modified my rsync command accordingly and tried again:

john@mymac.local:~/Downloads$ rsync -avz -e "ssh -p 10022" source/ user@nas.example.com:/data/stuff/ 
user@nas.example.com's password:
sh: rsync: command not found
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: remote command not found (code 127) at /SourceCache/rsync/rsync-42/rsync/io.c(452) [sender=2.6.9]

This time the rsync program was not found on the NAS, even though I knew I had installed the RSYNC module there. The rsync binary was simply not on the remote PATH, so the shell could not find it. Rsync lets you specify the location of the remote rsync binary with --rsync-path:

john@mymac.local:~/Downloads$ rsync -avz --rsync-path="/raid/data/module/RSYNC/system/bin/rsync" -e "ssh -p 10022" source/ user@nas.example.com:/data/stuff/
user@nas.example.com's password:
building file list ... done

sent 746 bytes  received 20 bytes  306.40 bytes/sec
total size is 8594845389  speedup is 11220424.79

Now I can successfully rsync to the NAS, even though the SSH port and the rsync binary path differ from the defaults.

Problem:
I needed to send confidential data to other people via the Internet, so it needs to be encrypted.

Solution:
GPG (GnuPG) is a free implementation of the OpenPGP (Pretty Good Privacy) standard defined by RFC 4880.
It provides a way to encrypt data using public/private key pairs. You set up a Web of Trust with the people you need to share data with: get their public keys, send them your public key, and start encrypting and decrypting as I will show in this guide.
GPG is available on different platforms, including Linux, Mac and Windows (as a binary version as well as in Cygwin).
You can use the OS of your choice; just make sure GPG is installed.

For this demo I am using a Mac with OS 10.6

1) Make sure you have GPG installed; otherwise download it from http://gnupg.org/download/index.en.html
To check, type:

mac:~ john$ gpg --version
gpg (GnuPG) 1.4.10
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, 
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
 

2) Generate your Private/Public Key Pair
CHOOSE THE ALGORITHM, NUMBER OF BITS AND EXPIRATION DATE (Defaults are fine)

mac:~ john$  gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You will get a warning about the expiration if you selected the default, which means the key never expires.
If you want it to expire, change the value (e.g. 3m means it will expire in 3 months).

                     
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Enter a Real Name, Email and Comment.
Try to make these as unique as possible, as they determine how your key is identified.

Real name: John
Email address: john@technologist.pro
Comment: Technologist               
You selected this USER-ID:
    "John (Technologist) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.    

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

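Select an empty passphrase unless you don't mind being prompted for the passphrase every time. Keep gpg's warning above in mind: with an empty passphrase, anyone who can read your secret key file can use the key.
Now just wait a few seconds while the key is generated. Move the mouse and type on the keyboard to increase the randomness.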

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
.....+++++

In case you get:
Not enough random bytes available.
Please do some other work to give the OS a chance to collect more entropy! (Need 284 more bytes)

DON'T PANIC. Just do stuff on your PC: write things to disk, log in on another terminal as a different user, etc.
Different kinds of activity help the system collect more entropy.

gpg: /Users/john/.gnupg/trustdb.gpg: trustdb created
gpg: key CAJD4CD7 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2999R/CAJD4CD7 2010-03-04
      Key fingerprint = 901C XXXX 94F8 7332 XXXX  1DDA 2C07 B0A5 CE4D 4CD7
uid                  John  (Technologist) 
sub   2048R/ABBB7BDC 2010-03-04

OK, the setup is done. Now we need to give the people in our Web of Trust (fancy terminology for "people we trust and who trust us") our public key, so they can encrypt data with it and we can decrypt it using our private key.
We also need to get their public keys, so that we can encrypt data with their public key and they can decrypt it using their private key.

For example:
If I (John) need to send an encrypted document to Ann, I need to have her public key and encrypt the data with it, so that she can decrypt it using her private key. It's all about the private/public key pairs.

3) Give the people you trust your public key and get their public key
You can distribute the public key by any means, including the Internet, email, etc.
The public key is meant to be public. On the other hand, guard your private key with your life: it should be readable only by its owner and no one else.

Check your keys by listing them:

mac:~ john$ gpg --list-keys
/Users/john/.gnupg/pubring.gpg
--------------------------------
pub   2999R/CAJD4CD7 2010-03-04
uid                  John (Technologist) 
sub   2048R/ABBB7BDC 2010-03-04

Now export that key into a file:
The name given after --export tells gpg which public key to export, in case you generated more than one private/public key pair; here it is the email address from the user ID. If no name is given, gpg exports every public key in the keyring.
-o sets the output filename
--armor writes the key in ASCII-armored text format, which many applications understand; otherwise it is written in gpg's binary format

mac:~ john$ gpg --armor -o JohnTechnologist.pub --export john@technologist.pro

The contents of the file should look like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (Darwin)

-----END PGP PUBLIC KEY BLOCK-----

4) Send that public key file to your friend, and your friend will send you his public key exported from his system.
When you get his public key (his file), you need to import it into your key ring like this.
Let's say Ann Dexter sent me her public key file, called AnnDexter.pub, by email:

mac:~ john$ gpg --import AnnDexter.pub

Listing the keys will yield

mac:~ john$ gpg --list-keys
/Users/john/.gnupg/pubring.gpg
--------------------------------
pub   2999R/CAJD4CD7 2010-03-04
uid                  John (Technologist) 
sub   2048R/ABBB7BDC 2010-03-04

pub 1024D/9B2A3DA2 2008-04-01 
uid Ann Dexter (Systems) 
sub 2048g/AB00C1A4 2008-04-01

5) We want to encrypt secret.txt using Ann's public key
It is as simple as:

mac:~ john$ gpg --encrypt --sign --armor -r "Ann Dexter" secret.txt

This will generate a secret.txt.asc file, which is the encrypted version of secret.txt AND is signed, so the recipient can verify it came from you.
This file can ONLY be decrypted with Ann Dexter's PRIVATE KEY; you CAN'T decrypt it, because you ONLY possess Ann Dexter's public key and NOT her private key.

Now you can send secret.txt.asc to Ann using any means you want: email, ftp, etc.

6) Ann Dexter got your encrypted file; how does she decrypt it?
Since she possesses the private key, she can just do the following:

[ann@remoteSystem]$ gpg --decrypt -o secret.txt secret.txt.asc

She will get the following output, indicating that the private key was used to decrypt the file:

gpg: encrypted with 2048-bit ELG-E key, ID AB00C1A4, created 2008-04-01 "Ann Dexter (Systems) "

Ann should now have the secret.txt file ready and decrypted
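
Because a public key can arrive "by any means" (step 3), the key imported in step 4 should be checked against a fingerprint obtained from its owner over a separate channel before anything is encrypted to it. The following is an added example, not part of the original post: the function names and the sample listing are constructed, and the input is assumed to be a colon-delimited key listing such as the one `gpg --with-colons --with-fingerprint AnnDexter.pub` prints.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# Constructed sample of a colon-delimited key listing; every value is made up.
SAMPLE_LISTING='pub:-:1024:17:0123456789ABCDEF:2008-04-01:::-:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::2008-04-01::::Ann Dexter (Systems):
sub:-:2048:16:FEDCBA9876543210:2008-04-01::::
fpr:::::::::1111222233334444555566667777888899990000:'

# normalize_fpr TEXT: drop spaces and colons, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'abcdef' 'ABCDEF'
}

# primary_fpr: read a colon listing on stdin and print the fingerprint of the
# first primary key, i.e. field 10 of the "fpr" record that follows "pub".
# Subkey fingerprints (after "sub") are ignored.
primary_fpr() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0 }
        want && $1 == "fpr" { print $10; exit }
    '
}

# fingerprint_matches EXPECTED < listing
# Returns 0 on an exact match, 1 on a mismatch, and 2 when EXPECTED is not a
# full 40-hex-digit fingerprint (short key IDs such as 9B2A3DA2 are refused
# because different keys can share the same short ID).
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    case $expected in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Usage with a real key file (the quoted text is a placeholder):
#   gpg --with-colons --with-fingerprint AnnDexter.pub | fingerprint_matches "<fingerprint Ann read to you>"
```

Only when `fingerprint_matches` returns 0 should the key be used as a recipient in step 5.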