User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020826 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020826 We have a CA hierarchy consisting of "Ezitrust Root CA" -> "Ezitrust In-Person CA" -> Individual Users It seems to be impossible to have NSS incorporate both the Root and the Intermediate Cert into the Authorities Store. It will accept either one or the other - trying to add the 2nd one yields a "Certificate Already Exists". Is there a mechanism in Mozilla to incorporate a number of certificates into the trusted store in a single step? Reproducible: Always Steps to Reproduce: 1.click on http://ezitrust.com/repository/rootcacert.cgi - trust the cert 2.click on http://ezitrust.com/repository/ipcacert.cgi - - get "cert already exists" 3. reversing the above steps on a clean cert database gives the same result Expected Results: should have allowed both certs to be trusted and recognised that they form a chain. The certs work fine with the Microsoft CryptoAPI and the MS Certificate Store.
Nelson, could you take a look at this? Thanks.
Assignee: wtc → nelsonb
Component: Build → Libraries
This is a PSM question. Adding Kai to cc list. The question is, by what means can a PSM user download both a root CA and an intermediate CA cert and store them in his cert*.db file. Note that the root CA should be trusted and the intermediate should not.
Actually, the workaround we are recommending is to trust only the Intermediate cert. This allows signing and verifying and interworks with MS Outlook.
This bug is invalid, your certificates are incorrect. Both your certificates use the same Issuer and Serial number combination. This is forbidden. Each certificate issued by your CA must have a different serial number, or you will break crypto software. I'm surprised that you were able to use the certs with other software.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.