[Discuss] DST Root CA X3 Expiry and CA bundles

Rich Pieri richard.pieri at gmail.com
Fri Oct 1 21:32:12 EDT 2021


Some CA bundles, like the one distributed with Sylpheed for Windows,
contain several expired CA certs including the now expired DST Root CA
X3 certificate. This can cause problems with Let's Encrypt certificates
even though the bundle has the ISRG Root X1 CA cert. In my particular
case, Sylpheed thinks my Let's Encrypt cert is expired even though
it clearly is not. Might be a Sylpheed bug.

Anyway, the solution is a little bit of surgery:

awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > ("cert." c ".pem") }' < certs.crt

This will break the bundle up into one PEM file per certificate.

for f in {1..127}; do echo "$f" >> certs.txt; openssl x509 -noout -text -in cert.${f}.pem >> certs.txt; done

This parses each PEM file as text, and dumps everything into a single
text file with the file number at the start of each cert for reference.
127 happens to be the number of PEM files the awk command created for
me. Scan through the text file looking for expired certificates, delete
the corresponding cert.X.pem file and then bundle them up again:

for f in {1..127}; do cat cert.${f}.pem >> newcerts.crt; done

Put the new bundle where it needs to be and you're done.

-- 
Rich Pieri

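The split / inspect / rebuild procedure from the post above, automated as a small POSIX shell script. This is an added example, not code from the original message: the script name prune-bundle.sh and the function names are my own, and it assumes openssl(1) is on PATH. Instead of reading a dump of every certificate by eye, it lets openssl x509 -checkend decide which files are expired (or, with an optional second argument in seconds, about to expire), drops those, and concatenates the rest. Two small differences from the one-liners in the post: only the lines between the BEGIN and END markers are written to each cert.N.pem, so any comment or subject text some bundles keep between certificates is not carried into the new bundle, and each output file is closed as soon as its END marker is seen, so a bundle with a few hundred certificates does not run into the open-file limit of stricter awk implementations.

```shell
#!/bin/sh
# prune-bundle.sh: split a PEM CA bundle into one file per certificate,
# drop every certificate that openssl reports as expired, and write the
# survivors back out as a new bundle. Added example, not from the post.
# Assumes openssl(1) is on PATH; file and function names are my own.
set -e

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert.1.pem, cert.2.pem, ... and prints the count.
# Only the lines between the BEGIN and END markers are kept, so text that
# some bundles place between certificates never ends up inside a cert file.
# Each file is closed at its END marker to avoid exhausting descriptors.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside                          { print > (dir "/cert." n ".pem") }
        /^-----END CERTIFICATE-----/    { inside = 0; close(dir "/cert." n ".pem") }
        END                             { print n + 0 }
    ' "$bundle"
}

# cert_expired FILE [SECONDS]
# Succeeds when the certificate has already expired, or will expire within
# SECONDS (default 0, i.e. "expired right now"). openssl -checkend exits
# non-zero when notAfter falls inside that window, so the result is negated.
# A file openssl cannot parse also counts as expired: it is not a usable
# trust anchor either way, and prune_bundle reports it on stderr.
cert_expired() {
    ! openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# describe_cert FILE -> one line with subject and notAfter, for the log
describe_cert() {
    if ! d=$(openssl x509 -noout -subject -enddate -in "$1" 2>/dev/null); then
        d='(unparsable)'
    fi
    printf '%s\n' "$d" | tr '\n' ' '
}

# prune_bundle BUNDLE NEWBUNDLE [SECONDS]
# Prints "KEPT DROPPED" on stdout; every dropped cert is listed on stderr
# with its subject and notAfter so the operator can see what went away.
prune_bundle() {
    src="$1"; out="$2"; horizon="${3:-0}"
    work=$(mktemp -d)
    total=$(split_bundle "$src" "$work")
    kept=0; dropped=0; i=1
    : > "$out"
    while [ "$i" -le "$total" ]; do
        f="$work/cert.$i.pem"
        if cert_expired "$f" "$horizon"; then
            printf 'dropping cert %s: %s\n' "$i" "$(describe_cert "$f")" >&2
            dropped=$((dropped + 1))
        else
            cat "$f" >> "$out"
            kept=$((kept + 1))
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    echo "$kept $dropped"
}

# Usage: sh prune-bundle.sh certs.crt newcerts.crt [seconds]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    prune_bundle "$1" "$2" "${3:-0}"
fi
```

Run it as `sh prune-bundle.sh certs.crt newcerts.crt`, check the stderr list against what you expected to lose (DST Root CA X3 should be on it, ISRG Root X1 should not), and then install newcerts.crt in place of the old bundle. Passing a third argument such as 2592000 (30 days) also removes anchors that are about to expire, which is useful when the bundle is refreshed on a schedule.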
