intermediate CA certificates incompatibility problems

Status: RESOLVED INVALID
Product: NSS
Component: Libraries
(Reporter: Ramiro Muñoz Muñoz, Unassigned)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729)

We found a problem when two of our intermediate CA certificates are loaded in the Mozilla certificate store.

You can reproduce the error by going to https://secure.camerfirma.com and then to https://http://sedeelectronica.ayto-nava.es. We also reproduced the error doing it in the opposite order.

The error found is: (Código de error: sec_error_reused_issuer_and_serial)

Reproducible: Always

Steps to Reproduce:
1. https://secure.camerfirma.com
2. https://http://sedeelectronica.ayto-nava.es
3.
Actual Results:
Código de error: sec_error_reused_issuer_and_serial
(Reporter)

Updated

7 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
Group: core-security

Comment 1

7 years ago
Why did your CA issue certificates with the same serial?
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---

Comment 2

7 years ago
Please first respond to Eddy's question.

Then please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP and test with OCSP enforced in the Firefox browser and make sure it's working.
When I try to browse to https://secure.camerfirma.com, I get the error sec_error_ocsp_invalid_signing_cert
Note that I have enforced OCSP in my browser.

Updated

7 years ago
Blocks: 582575

Updated

7 years ago
Blocks: 562395
(Reporter)

Comment 3

7 years ago
OK, we have found the problem with the serial, and it was corrected by issuing a new certificate with a corrected serial.

About the OCSP responder, we have corrected the problem several times. We will work on it to fix the problem definitively.
Eddy, why did you reopen this bug? There's no fault in any Mozilla product here, so the resolution of INVALID was appropriate.

If you were calling into question the decision to approve Camerfirma's request in bug 562395, wouldn't it make more sense to reopen that bug?
Assignee: nobody → nobody
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → libraries
Version: unspecified → 3.12.6
NSS correctly detected the presence of two certs with the same issuer and serial number.
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
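What NSS is checking here, shown as an added stand-alone example that is not code from this bug, from NSS or from Camerfirma: a script that reads the issuer Name and serialNumber from DER-encoded certificates and reports any two that share both, which is the condition behind sec_error_reused_issuer_and_serial (RFC 5280 requires the serial to be unique per issuer, so two certificates with the same pair cannot be told apart by their issuer/serial reference). The minimal DER walker, the DER encoder, the placeholder certificates and the names in SAMPLE_CERTS are all constructed for this example and are assumptions, not data from the page.

```python
"""Detect certificates that share an issuer Name and a serial number.

Added example; not NSS code and not from this bug.  issuer_and_serial()
reads only the two fields NSS compares; make_cert() builds constructed,
unsigned placeholder certificates so the check can run offline.
"""
from collections import defaultdict


def _tlv(buf, pos):
    """Decode one DER TLV (single-byte tag) at buf[pos] -> (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed element's value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def issuer_and_serial(der):
    """Return (issuer Name bytes, serialNumber int) from a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer, ... }
    """
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(cert, 0)
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:     # [0] EXPLICIT version present (v2/v3)
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer = fields[2][1]                   # fields[1] is the signature AlgorithmIdentifier
    return issuer, serial


def find_reused_serials(certs):
    """Group DER certs (label -> bytes) by (issuer, serial); return the groups with >1 member."""
    groups = defaultdict(list)
    for label, der in certs.items():
        groups[issuer_and_serial(der)].append(label)
    return [sorted(labels) for labels in groups.values() if len(labels) > 1]


# --- constructed test data: tiny DER encoder and placeholder certificates ---

def _der(tag, value):
    """Encode one DER TLV, using long-form length when the value is >= 128 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _int(n):
    """DER INTEGER with minimal two's-complement content (keeps 0x80.. positive)."""
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _name(common_name):
    """Name with a single RDN: commonName (OID 2.5.4.3) as PrintableString."""
    attr = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, common_name.encode()))
    return _der(0x30, _der(0x31, attr))


def make_cert(issuer_cn, serial, subject_cn):
    """Structurally valid, unsigned placeholder certificate (constructed data only).

    AlgorithmIdentifier is sha256WithRSAEncryption (1.2.840.113549.1.1.11); the
    SubjectPublicKeyInfo and signature are empty BIT STRING placeholders because
    the check never reads them.
    """
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"100101000000Z") + _der(0x17, b"200101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(serial) + alg + _name(issuer_cn)
               + validity + _name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


# Constructed sample: one root issues two sub-CA certs with the same serial (the
# collision), a third with a distinct serial, and a different root reuses serial
# 0x1001, which is fine because the issuer differs.
SAMPLE_CERTS = {
    "subca_a": make_cert("Constructed Root CA", 0x1001, "Constructed Sub CA A"),
    "subca_b": make_cert("Constructed Root CA", 0x1001, "Constructed Sub CA B"),
    "subca_c": make_cert("Constructed Root CA", 0x1002, "Constructed Sub CA C"),
    "other":   make_cert("Other Constructed Root", 0x1001, "Constructed Sub CA D"),
}

if __name__ == "__main__":
    for group in find_reused_serials(SAMPLE_CERTS):
        print("issuer/serial collision:", ", ".join(group))
```

To audit real certificates, replace SAMPLE_CERTS with the DER bytes of the certificates in question (a PEM file needs only base64-decoding of the body first). Because only the issuer and serial are read, the same check works as a pre-publication control in a CA's issuance process: run it over the database of already issued certificates plus the candidate certificate before the new one is released.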

Comment 6

7 years ago
Well, aren't you interested in getting more information on why a CA is reusing serial numbers?
(Reporter)

Comment 7

7 years ago
As I remarked in Bug 562395.

It was just an error in the certification process.
We used to issue subCA certificates in a manual ceremony, and a wrong configuration file was used.

This subCA does not issue end-user certificates anymore.
We will detect and replace valid end-user certificates issued from this subCA.

Regards
(Reporter)

Comment 8

7 years ago
Hi

To avoid this error we have centralized the system for issuing CA certificates in order to check everything about the certificate content more easily. We have improved the protocol for issuing root CA and intermediate CA certificates. A new check form has been developed in order to avoid this kind of problem.

Regards
Ramiro