BLU Discuss list archive
[Discuss] DST Root CA X3 Expiry and CA bundles
- Subject: [Discuss] DST Root CA X3 Expiry and CA bundles
- From: epp at sillydog.org (Edward)
- Date: Fri, 1 Oct 2021 21:41:55 -0400
- In-reply-to: <6157b69c.1c69fb81.4f2cc.ce30@mx.google.com>
- References: <6157b69c.1c69fb81.4f2cc.ce30@mx.google.com>
On 10/1/21 9:32 PM, Rich Pieri wrote:
> Some CA bundles like the one distributed with Sylpheed for Windows
> contain several expired CA certs including the now expired DST Root CA
> X3 certificate. This can cause problems with Let's Encrypt certificates
> even though the bundle has the ISRG Root X1 CA cert. In my particular
> case, Sylpheed thinks my Let's Encrypt cert is expired even though
> it clearly is not. Might be a Sylpheed bug.
>
> Anyway, the solution is a little bit of surgery:
>
> awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > ("cert." c ".pem") }' < certs.crt
>
> This will break the bundle up into one PEM file per certificate.
>
> for f in {1..127}; do echo "$f" >> certs.txt; openssl x509 -noout -text -in cert.${f}.pem >> certs.txt; done
>
> This parses each PEM file as text, and dumps everything into a single
> text file with the file number at the start of each cert for reference.
> 127 happens to be the number of PEM files the awk command created for
> me. Scan through the text file looking for expired certificates, delete
> the corresponding cert.X.pem file and then bundle them up again:
>
> for f in {1..127}; do cat cert.${f}.pem >> newcerts.crt; done
>
> Put the new bundle where it needs to be and you're done.

Sylpheed has not been updated in over three years, although at
https://sylpheed.sraoss.jp/en/news.html there is some information
posted from 2020 regarding errors relating to certificates that were
included with the Windows version.
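
The scan-and-delete step in the quoted procedure can be automated with openssl's -checkend test, which removes the hard-coded count of 127. The shell function below is an added example, not part of either poster's message; the name prune_bundle and the file names are assumptions.

```shell
#!/bin/sh
# Added example: rebuild a CA bundle without its expired certificates.
# Usage: prune_bundle SRC DST   (prune_bundle, SRC and DST are hypothetical names)
# Writes the surviving certificates to DST and prints "kept=N dropped=M".
prune_bundle() {
    src=$1
    dst=$2
    tmp=$(mktemp -d) || return 1

    # One PEM file per certificate. Zero-padded names keep the original order;
    # any text before the first certificate is skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ {
            if (f) close(f)
            f = sprintf("%s/cert.%04d.pem", dir, ++c)
        }
        f { print > f }
    ' "$src"

    kept=0
    dropped=0
    : > "$dst"
    for pem in "$tmp"/cert.*.pem; do
        [ -e "$pem" ] || continue   # bundle contained no certificates
        # -checkend 0 exits non-zero when notAfter is already in the past.
        # An entry openssl cannot parse also fails here and is dropped.
        if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
            openssl x509 -in "$pem" >> "$dst"   # re-emit as clean PEM
            kept=$((kept + 1))
        else
            # Report each removal on stderr so the change can be reviewed.
            info=$(openssl x509 -in "$pem" -noout -subject -enddate 2>&1 | tr '\n' ' ')
            echo "dropping: $info" >&2
            dropped=$((dropped + 1))
        fi
    done
    rm -rf "$tmp"
    echo "kept=$kept dropped=$dropped"
}

# Run directly as: sh prune.sh certs.crt newcerts.crt
if [ "$#" -eq 2 ]; then
    prune_bundle "$1" "$2"
fi
```

Keep the original bundle until the client has been tested against the new one.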
