Bug 210356

Summary: No obvious way to add trusted certificates/CAs for SSL or TLS
Product: [Frameworks and Libraries] kio
Reporter: Guido Winkelmann <guido-kdebugs>
Component: kssl
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED DUPLICATE
Severity: normal
CC: adawit, alther, bekesa, bugsnmd, kdebugs.boog, m.debruijne, quazgar, rasasi78, registrace
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit:
Version Fixed In:
Attachments: greyed-out-import-button

Description Guido Winkelmann 2009-10-12 19:26:29 UTC
Version:            (using KDE 4.3.2)
Compiler:          gcc 4.3.2 
OS:                Linux
Installed from:    Gentoo Packages

I cannot find any way to import new SSL-/TLS- CA certificates into KDE, so that they are trusted as issuers for SSL/TLS connections.

I'm using several SSL enabled imap, pop3, smtp, http and xmpp servers that use certificates issued by CACert. To be able to use these servers securely, it's obviously necessary to import the root certificates of CACert into the client applications I intend to use. Unfortunately, I couldn't find any way to import any SSL certificates anywhere in KDE after clicking around in both Konqueror's and Kmail's configuration dialogs for some time and in the system settings after that.

In fact, I can't find any sort of SSL configuration anywhere in KDE at all.

Clicking on the certificate files in Konqueror's file view will import them into Kleopatra - which isn't very helpful, I want to use these certs for validating SSL-connections, not for validating S/MIME signed emails.
Comment 1 Andras Georgy Bekes 2010-04-17 14:26:10 UTC
This bug is 6 months old and still unconfirmed. The requested functionality is obviously missing, I've searched the net for hours and did not find the way to import SSL CA certs.

I guess the problem is masked by the presence of the 'Kleopatra' tool that does manage certificates, but it is not obvious that the certificates it manages have nothing to do with the ones used for SSL/TLS.

This missing feature is a serious problem. Please confirm the bug, and somebody please mention a workaround as well.
Comment 2 Tom Helner 2010-06-23 22:54:59 UTC
Here is the workaround solution that I have used (Kubuntu 10.04).

In my case, my new SSL cert for uses a chained certificate, and was loading with an authenticity check warning because "Entrust.net Certification Authority (2048)" was not included in KDE's ca-bundle.crt. And to add insult to injury KDE no longer has a GUI to import CA Certificates.

Simply appending the Entrust.net_Premium_2048_Secure_Server_CA.crt (already installed from the Ubuntu package "ca-certificates") to KDE's ca-bundle.crt then restarting KDE fixed this issue for both konqueror and kmail.

# cp -p /usr/share/kde4/apps/kssl/ca-bundle.crt /usr/share/kde4/apps/kssl/ca-bundle.crt.orig
# cat /usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt >> /usr/share/kde4/apps/kssl/ca-bundle.crt
Restart KDE
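
The same append, made safer, as an added example that is not part of the comment above or of KDE's code: it checks the certificate's SHA-256 fingerprint against a value you obtained out of band, accepts PEM or DER input (going beyond the PEM-only `cat`), skips duplicates and keeps one `.orig` backup. The function names and `SAMPLE_DER` are assumptions made for illustration, and the DER check covers only the outer ASN.1 framing, not certificate contents.

```python
# Added example: fingerprint-checked, idempotent append of one CA to a PEM bundle.
import base64, hashlib, re, shutil, ssl
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
SAMPLE_DER = bytes.fromhex("3003020101")  # constructed placeholder, not a real certificate

def looks_like_der(data: bytes) -> bool:
    """True if data is one ASN.1 SEQUENCE whose length field spans the whole input."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def der_certs(data: bytes) -> list:
    """Return the certificates in data as DER byte strings (input may be PEM or DER)."""
    blocks = PEM_RE.findall(data)
    if blocks:
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    if looks_like_der(data):
        return [data]
    raise ValueError("not a PEM or DER certificate")

def add_ca(cert_file, bundle_file, expected_sha256: str) -> bool:
    """Append cert_file to bundle_file; return False if it is already there."""
    certs = der_certs(Path(cert_file).read_bytes())
    if len(certs) != 1:
        raise ValueError("expected exactly one certificate")
    der = certs[0]
    want = expected_sha256.replace(":", "").lower()
    if hashlib.sha256(der).hexdigest() != want:
        raise ValueError("fingerprint mismatch, not trusting this file")
    bundle = Path(bundle_file)            # e.g. the ca-bundle.crt path from comment 2
    current = bundle.read_bytes()
    if der in (der_certs(current) if current.strip() else []):
        return False
    backup = bundle.with_name(bundle.name + ".orig")
    if not backup.exists():               # keep the first pristine copy only
        shutil.copy2(bundle, backup)
    with bundle.open("ab") as fh:
        fh.write(b"\n" + ssl.DER_cert_to_PEM_cert(der).encode("ascii"))
    return True
```
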
Comment 3 Raúl 2012-02-07 21:09:59 UTC
Hello. I can confirm this bug for KDE 4.7.4
Comment 4 NMD 2013-06-23 11:36:31 UTC
I can confirm this for KDE 4.9.5 (Linux Mint 14 KDE).

To give a few more details on this as I am experiencing it...

There IS a certificate management module in system settings (try searching them or krunner for ssl preferences). However when I go into this it a) fails to recognise where I have certificates (the open with dialogue has a filter for der/pem/something else certs which fails to see them), b) when I work round this (view all, add certificates anyway) it returns to the main frame but doesn't seem to have imported the certificates.

There is another way of doing this which also doesn't seem to work (will attach screenshot in a sec) - download certificate, double click to open and IMPORT BUTTON IS GREYED OUT with no explanation.

This bug has now been around for a while with no effort on it and is down as assigned to 'unassigned bugs mailing list', does anyone want to get onto the kde irc with an attempt to sort this out?
Comment 5 NMD 2013-06-23 11:37:29 UTC
Created attachment 80731
greyed-out-import-button
Comment 6 Rick Alther 2014-04-11 19:50:25 UTC
I know this is old, but this is still an issue with KDE 4.12.3 (Fedora 20).
* I go into the SSL Preferences of the System Settings
* Click Add...
* Select a .der CA certificate.  The dialog goes away and the certificate is not listed in the SSL Signers.

It just silently fails.  Being able to add trusted CA certs is important, particularly in enterprises.
Comment 7 Dawit Alemayehu 2014-11-04 13:35:40 UTC
(In reply to Rick Alther from comment #6)
> I know this is old, but this is still an issue with KDE 4.12.3 (Fedora 20).
> * I go into the SSL Preferences of the System Settings
> * Click Add...
> * Select a .der CA certificate.  The dialog goes away and the certificate is
> not listed in the SSL Signers.
> 
> It just silently fails.  Being able to add trusted CA certs is important,
> particularly in enterprises.

This one I can reproduce, but only for certs in .der format. I have a fix for it. 

All the other reports including the original one should no longer be an issue because there is an SSL preferences dialog that allows you to add new certs.
Comment 8 NMD 2014-11-16 17:16:37 UTC
Hi Dawit,
There has been a preferences dialog that allows you to add new certs for quite some time, but as other bug reporters have noted, it silently failed. Which version do you think this has been fixed in?
To quote Rick Alther:
"* I go into the SSL Preferences of the System Settings
* Click Add...
* Select a .der CA certificate.  The dialog goes away and the certificate is not listed in the SSL Signers."

Have you tried this? Does it work for you?

It's a shame that the status of this bug is still listed as unconfirmed, given that it has quite a few registered votes and subscribed members, and must be fairly important for some users.
Comment 9 Dawit Alemayehu 2014-11-17 06:07:12 UTC
(In reply to Nick from comment #8)
> Hi Dawit,
> There has been a preferences dialog that allows you to add new certs for
> quite some time, but as other bug reporters have noted, it silently failed.
> Which version do you think this has been fixed in?
> To quote Rick Alther:
> "* I go into the SSL Preferences of the System Settings
> * Click Add...
> * Select a .der CA certificate.  The dialog goes away and the certificate is
> not listed in the SSL Signers."
> 
> Have you tried this? Does it work for you?

Like I have already stated in comment #7, not being able to import a cert in DER format is the only issue I can reproduce, and I have already fixed it. See bug #333079.

> It's a shame that the status of this bug is still listed as unconfirmed,
> given that it has quite a few registered votes and subscribed members, and
> must be fairly important for some users.

That is because the original issue being reported does not really apply today. For the rest, someone else opened another bug, so I will mark this one as a duplicate of that one.

*** This bug has been marked as a duplicate of bug 333079 ***
Comment 10 NMD 2014-12-07 17:01:34 UTC
Great, thanks Dawit, yes just got a chance to test that here (Kubuntu 14.10) and that is the case here as well - brilliant!