# How to verify a certificate.



## Scarecrow2000 (Jun 28, 2015)

I use Claws Mail and I get repeated warnings that the Gmail POP3 certificate has changed. During the past week I received three different certificates, all claiming to be the pop.gmail.com certificate, each with a different fingerprint:

MD5: 77:2E:83:46:B7:FA:A7:8E:16:30:20:BC:32:4A:B7:5D
SHA1: 7E:FE:1A:5A:FD:15:1F:63:70:B9:81:9A:C9:EA:EF:EC:4A:42:59:46

MD5: 4B:8B:1C3:A8:4D:84:30:9D:C9:C7:47:61:C2:CF:86
SHA1: 7F:C7:46:5F:50:4E:2A:84:6B:E8:C6:4F:37:B6:34:52:34:B8:BF:77

MD5: C7:A6:CA:35:34:8A:EC:1E5:B4:91:88:C4:16:25:99
SHA1: 32:C89:C3:FA:34:A1:0C:7F:21:EB:6C:A1:7B:F3:75A:95:9E:93

Maybe Gmail uses several certs, but I decided to make sure. I got nowhere on the Gmail questions forum, so I looked in the Claws Mail cert folder and found there is one of the Gmail server certs and also a certificate chain, which shows the root certificate is GeoTrust Global CA, so I looked at the root certificates on the GeoTrust site. The fingerprints on the GeoTrust Global CA root certificate on that site do not match the fingerprints on the certificate chain I have.
Can anyone tell me, is there something wrong here or not?
I tried to upload the cert chain in its original format but that would not work, so I attached it as a text file.


----------



## joeten (Dec 4, 2008)

Hi and welcome to TSF, it might have something to do with this https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm


----------



## Scarecrow2000 (Jun 28, 2015)

joeten said:


> Hi and welcome to TSF, it might have something to do with this https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm


I don't think so, that site talks about Gmail enforcing CA certs over self-signed certs back in 2012. Did you look at the certificate chain I posted and compare the certs to the ones on the GeoTrust site? Why are they not the same?


----------



## MitchConner (May 8, 2015)

Nothing on your attachment mate.

The cert fingerprint isn't anything to get worried about and you won't get trust issues because of it.

If you can reattach your certs we'll take a look at what's going on.


----------



## Scarecrow2000 (Jun 28, 2015)

MitchConner said:


> Nothing on your attachment mate.
> 
> The cert fingerprint isn't anything to get worried about and you won't get trust issues because of it.
> 
> If you can reattach your certs we'll take a look at what's going on.


OK, it is in PEM format; I named it to .txt so it would upload. Rename it to filename.pem and it should open in a cert viewer.


----------



## MitchConner (May 8, 2015)

There is nothing wrong with your certificate mate. If your browser is reporting trust issues, check you have the correct time set on your pc.


----------



## Scarecrow2000 (Jun 28, 2015)

MitchConner said:


> There is nothing wrong with your certificate mate. If your browser is reporting trust issues, check you have the correct time set on your pc.


So why does the GeoTrust Global CA root cert on the chain have a different fingerprint to the GeoTrust Global CA root cert on the GeoTrust root cert web page?


----------



## MitchConner (May 8, 2015)

The cert you attached isn't chained. The cert you have is claiming to be for pop.gmail.com and it has been signed by google, not geotrust. The cert is trusted.


----------



## Scarecrow2000 (Jun 28, 2015)

The file I uploaded is a chain of three certificates. Did you remove the .txt file extension?
The chain is:
pop.gmail.com
Google Internet Authority G2
GeoTrust Global CA


----------



## MitchConner (May 8, 2015)

Yes. But you don't verify a chain that way mate.

There is nothing wrong with the certificate, it is trusted. As long as you have any intermediates (or can get them), you don't have a problem.


----------



## Scarecrow2000 (Jun 28, 2015)

I know how you verify a chain. My point is, how do you verify the root certificate?
OK, to put it another way.
I could make myself a root certificate. I could call it whatever I want to call it, so I call my root certificate GeoTrust Global CA. I then use that certificate to sign a certificate I call Google Internet Authority. I then use that certificate to sign another one called pop.gmail.com.
That chain would check out because each cert is signed by the one above it, so the entire chain is trusted only because the root cert is trusted.
How do you know whether the root cert was created by me or created by GeoTrust, when the root cert on the GeoTrust site does not match it regardless?


----------
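The scenario in the question above, as an added example that is not part of any post in this thread: two self-signed roots carry the same subject name, and only the one already held in the local trust store makes a chain verify. It assumes the `openssl` command-line tool is installed; the names `Example Root CA` and `pop.example.test` and all file paths are made up for this demonstration.

```shell
#!/bin/sh
# Constructed demo: a chain file is only as trustworthy as the root copy you
# already hold locally. All names, keys and paths here are made up.
set -e
W=$(mktemp -d)

# make_root DIR: create a self-signed root with subject "CN=Example Root CA"
make_root() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# make_leaf DIR: issue a server cert for pop.example.test signed by DIR's root
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Subject name and SHA-256 fingerprint of a PEM certificate
subject()     { openssl x509 -in "$1" -noout -subject; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# chain_trusted TRUSTED_ROOT LEAF: succeed only if LEAF was signed under TRUSTED_ROOT
chain_trusted() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

make_root "$W/trusted";   make_leaf "$W/trusted"     # stands in for the root in your trust store
make_root "$W/lookalike"; make_leaf "$W/lookalike"   # same subject name, different key pair

echo "Subjects (identical):"
subject "$W/trusted/root.pem"; subject "$W/lookalike/root.pem"
echo "Fingerprints (different):"
fingerprint "$W/trusted/root.pem"; fingerprint "$W/lookalike/root.pem"

# The look-alike chain is internally consistent, exactly as the question says...
chain_trusted "$W/lookalike/root.pem" "$W/lookalike/leaf.pem" \
    && echo "lookalike chain: consistent with the root shipped beside it"

# ...but it is rejected when checked against the root held in the trust store.
for who in trusted lookalike; do
    if chain_trusted "$W/trusted/root.pem" "$W/$who/leaf.pem"; then
        echo "$who chain: verifies against the trust-store root"
    else
        echo "$who chain: REJECTED, not signed under the trust-store root"
    fi
done
```

The root to compare fingerprints against is therefore the copy installed in the operating system or mail client trust store, not the root that arrives inside the chain file.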



## joeten (Dec 4, 2008)

MS and others all have some method https://www.google.co.uk/search?q=h...&oe=utf-8&gws_rd=cr&ei=WyOYVYOxEszw-QHSi6z4Bg


----------



## MitchConner (May 8, 2015)

You can create your own cert and call it whatever you want. That's called a self-signed cert. You can't call it GeoTrust etc. as that isn't a valid identity for the certificate, but even if you did, it would still be untrusted as it wouldn't be signed by a certificate authority.


----------

