Will not trust chain of CA certs

16 years ago

(Reporter: Donal.OMahony, Assigned: nelson)
16 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020826
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020826

We have a CA hierarchy consisting of
"Ezitrust Root CA" -> "Ezitrust In-Person CA" -> Individual Users

It seems to be impossible to have NSS incorporate both the Root and the
Intermediate Cert into the Authorities Store.  It will accept either one or the
other - trying to add the 2nd one yields a "Certificate Already Exists".

Is there a mechanism in Mozilla to incorporate a number of certificates into
the trusted store in a single step?

Reproducible: Always

Steps to Reproduce:
1. click on http://ezitrust.com/repository/rootcacert.cgi - trust the cert
2. click on http://ezitrust.com/repository/ipcacert.cgi - get "cert already exists"
3. reversing the above steps on a clean cert database gives the same result

Expected Results:
should have allowed both certs to be trusted and recognised that they form
a chain.  The certs work fine with the Microsoft CryptoAPI and the MS Certificate

Comment 1

16 years ago
Nelson, could you take a look at this?  Thanks.
Assignee: wtc → nelsonb
Component: Build → Libraries

Comment 2

16 years ago
This is a PSM question.  Adding Kai to cc list.  

The question is, by what means can a PSM user download both a root CA
and an intermediate CA cert and store them in his cert*.db file.

Note that the root CA should be trusted and the intermediate should not.

Comment 3

16 years ago
Actually, the workaround we are recommending is to trust only the Intermediate
cert.  This allows signing and verifying and interworks with MS Outlook.

Comment 4

16 years ago
This bug is invalid, your certificates are incorrect.

Both your certificates use the same Issuer and Serial number combination.
This is forbidden. Each certificate issued by your CA must have a different
serial number, or you will break crypto software.

I'm surprised that you were able to use the certs with other software.
Last Resolved: 16 years ago
Resolution: --- → INVALID
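The failure described in this comment is easy to reproduce and to check for ahead of time: NSS (like the cert databases of most other toolkits) identifies a stored certificate by the pair (issuer name, serial number), and RFC 5280 requires that pair to be unique per issuer, so a root and an intermediate that share it cannot both be stored. The script below is an added example, not NSS or PSM code: it builds two minimal, constructed DER certificates (no real signatures or keys, just the fields the check needs), extracts the issuer and serial from each with a small DER walker, and reports collisions. The "Ezitrust Root CA" name comes from the report; the serial values and the helper names (`make_cert`, `issuer_serial`, `find_collisions`) are assumptions made for this example.

```python
"""Detect certificates that collide on (issuer, serialNumber).

Added example, not NSS code. The certificates built here are constructed,
minimal DER structures (version, serial, sigAlg, issuer, validity, subject,
empty signature) so the check runs offline without any crypto library.
"""


def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """Encode a non-negative INTEGER with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return tlv(0x02, raw)


def name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName (OID 2.5.4.3)."""
    attr = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, cn.encode("ascii")))
    return tlv(0x30, tlv(0x31, attr))


def make_cert(serial: int, issuer_cn: str, subject_cn: str) -> bytes:
    """Build a constructed Certificate DER carrying only the fields this check needs."""
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"350101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + sig_alg
              + name(issuer_cn) + validity + name(subject_cn))
    # Signature value is an empty BIT STRING: this is a constructed sample, not a signed cert.
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def issuer_serial(cert_der: bytes):
    """Extract (issuer Name DER, serial int), the key a cert database stores a cert under."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = read_tlv(cert_body, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                      # optional [0] EXPLICIT version
        tag, val, pos = read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(val, "big", signed=True)
    tag, _, pos = read_tlv(tbs, pos)     # signature AlgorithmIdentifier
    assert tag == 0x30
    issuer_start = pos
    tag, _, pos = read_tlv(tbs, pos)     # issuer Name
    assert tag == 0x30
    return tbs[issuer_start:pos], serial


def find_collisions(certs):
    """Group certs by (issuer, serial); return only the groups with more than one member."""
    seen = {}
    for idx, cert in enumerate(certs):
        seen.setdefault(issuer_serial(cert), []).append(idx)
    return {key: idxs for key, idxs in seen.items() if len(idxs) > 1}


def broken_chain():
    """Constructed chain mirroring the report: root and intermediate share issuer and serial 1."""
    root = make_cert(1, "Ezitrust Root CA", "Ezitrust Root CA")
    intermediate = make_cert(1, "Ezitrust Root CA", "Ezitrust In-Person CA")
    return [root, intermediate]


def fixed_chain():
    """Same chain with the intermediate reissued under a distinct serial number."""
    root = make_cert(1, "Ezitrust Root CA", "Ezitrust Root CA")
    intermediate = make_cert(2, "Ezitrust Root CA", "Ezitrust In-Person CA")
    return [root, intermediate]


if __name__ == "__main__":
    print("broken chain collisions:", find_collisions(broken_chain()))
    print("fixed chain collisions:", find_collisions(fixed_chain()))
```

Running it shows one collision for the constructed chain that reproduces the report and none once the intermediate carries its own serial; the same `find_collisions` check applied to a real chain (after decoding the PEM files to DER) tells you before import whether a "Certificate Already Exists" error is a database quirk or, as here, a defect in the certificates themselves.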

Comment 5

16 years ago
Thanks, Kai.