Closed
Bug 582531
Opened 14 years ago
Closed 14 years ago
intermediate CA certificates incompatibility problems
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: ramirom, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729)
We found a problem when two of our intermediate CA certificates are loaded in the Mozilla certificate store. You can reproduce the error by going to https://secure.camerfirma.com and later to https://http://sedeelectronica.ayto-nava.es. We also reproduce the error doing it the opposite way. The error found is: (Código de error: sec_error_reused_issuer_and_serial)
Reproducible: Always
Steps to Reproduce:
1. https://secure.camerfirma.com
2. https://http://sedeelectronica.ayto-nava.es
3.
Actual Results:
Código de error: sec_error_reused_issuer_and_serial
Reporter
Updated•14 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Updated•14 years ago
Group: core-security
Comment 1•14 years ago
Why did your CA issue certificates with the same serial?
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Comment 2•14 years ago
Please first respond to Eddy's question. Then please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP and test with OCSP enforced in the Firefox browser and make sure it's working. When I try to browse to https://secure.camerfirma.com, I get the error sec_error_ocsp_invalid_signing_cert. Note that I have enforced OCSP in my browser.
Reporter
Comment 3•14 years ago
OK, we have found the problem with the serial and it was corrected by issuing a new certificate with a corrected serial. About the OCSP responder, we have corrected the problem several times. We will work on it to fix the problem definitively.
Comment 4•14 years ago
Eddy, why did you reopen this bug? There's no fault in any Mozilla product here, so the resolution of INVALID was appropriate. If you were calling into question the decision to approve Camerfirma's request in bug 562395, wouldn't it make more sense to reopen that bug?
Updated•14 years ago
Assignee: nobody → nobody
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → libraries
Version: unspecified → 3.12.6
Comment 5•14 years ago
NSS correctly detected the presence of two certs with the same issuer and serial number.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → INVALID
Comment 6•14 years ago
Well, aren't you interested in getting more information on why a CA is reusing serial numbers?
Reporter
Comment 7•14 years ago
As I remarked in Bug 562395, it was just an error in the certification process. We use to issue subCA certificates in a manual ceremony and a wrong configuration file was used. This subCA does not issue end-user certificates anymore. We will detect and replace valid end-user certificates issued from this subCA.
Regards
Reporter
Comment 8•14 years ago
Hi,
To avoid this error we have centralized the system for issuing CA certificates in order to easily check everything about the certificate content. We have improved the protocol for issuing root CA and intermediate CA certificates. A new check form has been developed in order to avoid this kind of problem.
Regards
Ramiro
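The condition Comment 5 describes, as an added example that is not part of the bug thread and is not NSS code: a minimal DER walk extracts the issuer name and serial number from each certificate and reports pairs that share both without being the same certificate. The helper names, the `SAMPLES` skeletons and their names and serials are constructed for illustration.

```python
import hashlib

def tlv(tag, body):
    """DER-encode one TLV with a short-form length (sample bodies are under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, off):
    """Return (tag, value, offset of the next TLV) for the TLV starting at buf[off]."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                      # long-form length, as real certificates use
        size = n & 0x7F
        n = int.from_bytes(buf[off:off + size], "big")
        off += size
    return tag, buf[off:off + n], off + n

def issuer_and_serial(cert_der):
    """Extract (issuer Name as raw DER, serialNumber) from a DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, val, off = read_tlv(tbs, 0)
    if tag == 0xA0:                   # optional [0] EXPLICIT version
        tag, val, off = read_tlv(tbs, off)
    serial = int.from_bytes(val, "big", signed=True)
    _, _, start = read_tlv(tbs, off)  # skip the signature AlgorithmIdentifier
    _, _, end = read_tlv(tbs, start)  # issuer Name spans tbs[start:end]
    return tbs[start:end], serial

def find_reused(certs):
    """Return label pairs for certificates that differ but share issuer and serial."""
    seen, clashes = {}, []
    for label, der in certs:
        key, fp = issuer_and_serial(der), hashlib.sha256(der).digest()
        first = seen.setdefault(key, (label, fp))
        if first[1] != fp:            # the same certificate seen twice is not a clash
            clashes.append((first[0], label))
    return clashes

def name(cn):                         # Name with one CN attribute (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, cn.encode()))))

def sample(issuer_cn, serial, subject_cn):
    """Constructed skeleton, not a valid certificate: version, serial, alg, issuer, subject."""
    tbs = (tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, bytes([serial])) + tlv(0x30, b"")
           + name(issuer_cn) + name(subject_cn))
    return tlv(0x30, tlv(0x30, tbs))

# Constructed samples: "b" reuses the issuer and serial of "a" with a different subject.
SAMPLES = [(label, sample("Example Root", serial, subject)) for label, serial, subject in [
    ("a", 7, "Sub CA A"), ("a-again", 7, "Sub CA A"), ("b", 7, "Sub CA B"), ("c", 8, "Sub CA C")]]
```

Running `find_reused` over every CA certificate an issuer has signed, before a new one is released, catches a repeated serial at issuance time instead of in relying parties' certificate stores.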