On Monday, March 5, 2018, Walter Dnes <waltd...@waltdnes.org> wrote: > app-misc/ca-certificates splatters a bunch of files all over the > place. Question... is there a utility to figure out which domains any > particular certificate covers >
A ca certificate may sign any domain cert, and new domains can be signed at any time. So any certificate is only as trusted as the least trustworthy ca in your certificate store.... some people call this a dumpster fire. Certificate transparency (logs of who issued what) helps reduce the risk of a dodgy ca issuing a certificate they shouldn’t have without being noticed. You can go the other way, and see which ca was used to sign any cert that a server presents, as that info is included in the cert presented by the server.
