On an up-to-date Debian 11 server, I noticed that the expired DST Root CA X3 certificate is still present:
$ grep DST /etc/ca-certificates.conf
mozilla/DST_Root_CA_X3.crt
The certificate has been expired since last week:
$ openssl x509 -in /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt -text | grep "Not After"
Not After : Sep 30 14:01:15 2021 GMT
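I know I can disable it (by prepending a ! to its line in /etc/ca-certificates.conf, followed by update-ca-certificates), but I would like to know why Debian keeps these expired certificates. Shouldn't apt upgrade remove it?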
My ca-certificate version and my apt sources are as follows (after apt-get update/upgrade):
$ dpkg -l | grep ca-certificate
ii ca-certificates 20210119 all Common CA certificates
$ grep -v "^#" /etc/apt/sources.list
deb http://deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security bullseye-security main
deb http://deb.debian.org/debian bullseye-updates main
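
An added example, not part of the original post: a shell audit that lists the entries still enabled in /etc/ca-certificates.conf whose certificate is already expired, and prints a copy of the conf with one entry deselected using the ! prefix mentioned above. The CONF and CERTDIR variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit which certificates that
# are still enabled in ca-certificates.conf have passed their notAfter date.
# CONF/CERTDIR and the function names are this example's own.
CONF="${CONF:-/etc/ca-certificates.conf}"
CERTDIR="${CERTDIR:-/usr/share/ca-certificates}"

# Enabled entries only: drop blank lines, comments (#) and deselected (!) lines.
enabled_entries() {
    grep -v -e '^[[:space:]]*$' -e '^#' -e '^!' "$1"
}

# Print each enabled entry whose certificate file parses and is already expired.
expired_enabled() {
    enabled_entries "$1" | while IFS= read -r entry; do
        crt="$2/$entry"
        [ -f "$crt" ] || continue
        # Skip files openssl cannot parse, so parse errors are not reported as expiry.
        openssl x509 -in "$crt" -noout >/dev/null 2>&1 || continue
        # -checkend 0 exits non-zero when notAfter is already in the past.
        if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
            printf '%s\n' "$entry"
        fi
    done
}

# Write a copy of the conf to stdout with one exact entry deselected ("!" prefix).
# Review it, install it as the conf, then run update-ca-certificates.
deselect_entry() {
    awk -v e="$2" '$0 == e { print "!" $0; next } { print }' "$1"
}

# Report only when asked: sh audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
    expired_enabled "$CONF" "$CERTDIR"
fi
```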