Bug 100386 - cert chain containing root cert overwrites trust
Product: Core Graveyard
Classification: Graveyard
Component: Security: UI
: 1.0 Branch
: x86 Windows 2000
P1 normal
: psm2.2
Assigned To: Kai Engert (:kaie)
: John Unruh
Reported: 2001-09-18 14:29 PDT by Christina Fu
Modified: 2016-09-27 13:03 PDT


Description Christina Fu 2001-09-18 14:29:40 PDT
N6 2001091703

I imported cert chain from and found the
existing root cert overwritten.  Here is how to verify:

0. create and start a new profile
1. [Manage Certificates] [Authorities] and note the GTE CyberTrust Root's serial
number and the fact that it's in Builtin Object Token.
2. go to 
3. it tells you to import ca cert chain because of the N6 detection, import ca
and click the "email" one as instructed.
4. [Manage Certificates] [Authorities] and look for GTE CyberTrust Root again,
and you'll see that it now does not appear in Builtin Object Token, but rather
in Software Security Device (that's fine).

I expected to see the "Intranet Certificate Authority" to be trusted, but
it's not.  Upon examination of the GTE CyberTrust Root, I noticed that it's no
longer trusted for most everything except for status. Users will have to
manually click trust this cert again.

Before this is fixed, might want to consider a ca cert
chain without the root cert (which presumably is already in most browsers, we
hope?), or, advise users on how to trust the root cert, again.
Comment 1 Stephane Saux 2001-09-18 18:23:55 PDT
Talked to Relyea about this.  There could be something in the way is configured that could cause the cert to be
replaced. Barring this we should detect that we have the root cert already and
not cause it to be replaced. This may have been introduced by the fix to bug 91407.
Comment 2 Stephane Saux 2001-10-15 15:55:54 PDT
Comment 3 Stephane Saux 2001-11-05 19:13:00 PST
Comment 4 Kai Engert (:kaie) 2002-02-12 16:16:04 PST
I suggest to retest this now. I wanted to do it, but my understanding is, in
order to test this bug, I need to download the ca cert from that site.

When I use NS 6.21 or today's Mozilla build on that site, I don't see a link to
download it.

Does somebody know that link? Or can we assume the bug is now invalid?
Comment 5 bill 2002-02-12 16:25:14 PST
I removed the auto detection script because of all the complaining :)

You can get the CA cert chain manually by going to (this can also be reached by
going to "get the server cert" and clicking on "get the AOL Intranet trusted
root cert")
Comment 6 Kai Engert (:kaie) 2002-02-12 16:54:12 PST
Ok, looks like this bug is indeed fixed.

When I import the cert, I get the message "certificate already exists". After
that step, the certs are listed as being contained in the Software Security
Device. However, now they are still trusted.

Marking worksforme. Christina, please reopen the bug if you still see problems.
Comment 7 John Unruh 2002-02-13 08:04:31 PST
Verified fixed.
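
A simplified model of the import behaviour discussed in comments 1 and 6, added here as an illustration; it is not part of the bug report and is not NSS or PSM code. The `TrustStore` class, its method names, the trust labels and the placeholder certificate bytes are all assumptions; it contrasts an import that resets trust on an already-present root with one that detects the existing certificate and keeps its trust.

```python
import hashlib
from dataclasses import dataclass

SOFTWARE = "Software Security Device"
BUILTIN = "Builtin Object Token"

@dataclass(frozen=True)
class Entry:
    token: str         # where the certificate is stored
    trust: frozenset   # simplified set of usages the CA is trusted for

class TrustStore:
    """Toy model: certificates keyed by the SHA-256 of their encoded bytes."""

    def __init__(self):
        self.entries = {}

    @staticmethod
    def fingerprint(cert: bytes) -> str:
        return hashlib.sha256(cert).hexdigest()

    def add_builtin(self, cert, trust):
        self.entries[self.fingerprint(cert)] = Entry(BUILTIN, frozenset(trust))

    def trust_of(self, cert):
        return self.entries[self.fingerprint(cert)].trust

    def import_chain_overwriting(self, chain):
        # Behaviour reported in the bug: every certificate in the chain is
        # written as new, so an existing root silently loses its trust.
        for cert in chain:
            self.entries[self.fingerprint(cert)] = Entry(SOFTWARE, frozenset())

    def import_chain_preserving(self, chain):
        # Detect certificates that are already present and carry their
        # trust over instead of resetting it; report what happened.
        results = []
        for cert in chain:
            fp = self.fingerprint(cert)
            existing = self.entries.get(fp)
            if existing is not None:
                self.entries[fp] = Entry(SOFTWARE, existing.trust)
                results.append("certificate already exists")
            else:
                self.entries[fp] = Entry(SOFTWARE, frozenset())
                results.append("imported")
        return results

# Constructed placeholder bytes standing in for encoded certificates.
ROOT = b"constructed-root-ca"
INTERMEDIATE = b"constructed-intranet-ca"
```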
