Will not trust chain of CA certs

Status: RESOLVED INVALID

People

(Reporter: Donal.OMahony, Assigned: nelson)

Description (Reporter)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020826
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020826

We have a CA hierarchy consisting of
"Ezitrust Root CA" -> "Ezitrust In-Person CA" -> Individual Users

It seems to be impossible to have NSS incorporate both the Root and the
Intermediate Cert into the Authorities Store.  It will accept either one or the
other - trying to add the 2nd one yields a "Certificate Already Exists".

Is there a mechanism in Mozilla to incorporate a number of certificates into
the trusted store in a single step?

Reproducible: Always

Steps to Reproduce:
1. Click on http://ezitrust.com/repository/rootcacert.cgi - trust the cert
2. Click on http://ezitrust.com/repository/ipcacert.cgi - get "cert already exists"
3. Reversing the above steps on a clean cert database gives the same result

Expected Results:
should have allowed both certs to be trusted and recognised that they form
a chain.  The certs work fine with the Microsoft CryptoAPI and the MS Certificate
Store.

Comment 1

Nelson, could you take a look at this?  Thanks.
Assignee: wtc → nelsonb
Component: Build → Libraries
Comment 2 (Assignee)

This is a PSM question.  Adding Kai to cc list.

The question is, by what means can a PSM user download both a root CA
and an intermediate CA cert and store them in his cert*.db file.

Note that the root CA should be trusted and the intermediate should not.
Comment 3 (Reporter)

Actually, the workaround we are recommending is to trust only the Intermediate
cert.  This allows signing and verifying and interworks with MS Outlook.

Comment 4

This bug is invalid; your certificates are incorrect.

Both your certificates use the same Issuer and Serial number combination.
This is forbidden. Each certificate issued by your CA must have a different
serial number, or you will break crypto software.

I'm surprised that you were able to use the certs with other software.
Status: UNCONFIRMED → RESOLVED
Resolution: --- → INVALID
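The resolution above is the whole story: NSS (like most X.509 stacks) identifies a certificate by its (issuer, serialNumber) pair, which RFC 5280 section 4.1.2.2 requires to be unique per CA, so a second certificate carrying the same pair is reported as "already exists" rather than stored. The script below is an added example, not Mozilla or NSS code, that checks a bundle of certificates for that collision before anyone imports them. It uses only the Python standard library and parses just enough DER to reach the two fields; the certificates it checks are constructed, unsigned in-memory stand-ins with hypothetical names, not the Ezitrust certificates from the report.

```python
"""Flag certificates that share an (issuer, serialNumber) pair.

RFC 5280 section 4.1.2.2 requires each CA to give every certificate it
issues a distinct serial number; NSS and most other X.509 stacks use the
issuer+serial pair as the certificate's identity in their databases.
Added example (not Mozilla/NSS code); the sample certificates are
constructed stand-ins, not real issued certificates.
"""
import base64
import re
from collections import defaultdict


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(cert_der):
    """Return (issuer_name_der, serial) for a DER-encoded Certificate.

    Walks Certificate -> tbsCertificate -> [version] serialNumber
    signature issuer, which is all the identity check needs.
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate is not a SEQUENCE"
    tag, tbs, _ = _read_tlv(cert_body, 0)
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, _, pos = _read_tlv(tbs, 0)          # version [0] EXPLICIT is optional
    if tag != 0xA0:
        pos = 0                              # v1 certificate: no version field
    tag, serial_bytes, pos = _read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber is not an INTEGER"
    serial = int.from_bytes(serial_bytes, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)          # signature AlgorithmIdentifier
    tag, issuer, _ = _read_tlv(tbs, pos)     # issuer Name
    assert tag == 0x30, "issuer is not a SEQUENCE"
    return issuer, serial


def find_serial_collisions(certs_der):
    """Return lists of indexes of certificates that share (issuer, serial)."""
    groups = defaultdict(list)
    for idx, der in enumerate(certs_der):
        groups[issuer_and_serial(der)].append(idx)
    return [idxs for idxs in groups.values() if len(idxs) > 1]


def load_pem_certs(text):
    """Decode every CERTIFICATE block in a PEM bundle to DER."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


# --- constructed sample certificates (hypothetical names, unsigned) ----------

def _tlv(tag, content):
    """DER-encode one TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


def _name(common_name):
    """Name ::= SEQUENCE OF RDN, with a single CN (OID 2.5.4.3) UTF8String."""
    atv = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
               + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def _sample_cert(serial, issuer_cn, subject_cn):
    """Structurally valid, unsigned certificate for exercising the check only."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    serial_der = serial.to_bytes(max(1, (serial.bit_length() + 8) // 8), "big")
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))        # version v3
               + _tlv(0x02, serial_der)               # serialNumber
               + alg                                   # signature algorithm
               + _name(issuer_cn)                      # issuer
               + _tlv(0x30, b"")                       # validity (omitted)
               + _name(subject_cn)                     # subject
               + _tlv(0x30, b""))                      # subjectPublicKeyInfo (omitted)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))   # empty signature


# Mirrors the reporter's hierarchy: a self-signed root and an intermediate it
# issued, both carrying serial 1, plus a corrected intermediate with serial 2.
SAMPLE_CERTS = [
    _sample_cert(1, "Example Root CA", "Example Root CA"),
    _sample_cert(1, "Example Root CA", "Example In-Person CA"),
    _sample_cert(2, "Example Root CA", "Example In-Person CA"),
]

if __name__ == "__main__":
    for group in find_serial_collisions(SAMPLE_CERTS):
        print("certificates", group, "share issuer+serial; fix before importing")
```

Run against a real bundle with `find_serial_collisions(load_pem_certs(open("bundle.pem").read()))`; any group it returns is a set of certificates that a cert database keyed on issuer+serial cannot hold side by side, which is exactly the symptom the reporter saw. In the sample, the root and the first intermediate collide (both serial 1 under the same issuer) while the reissued intermediate with serial 2 does not.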
Comment 5 (Assignee)

Thanks, Kai.