User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:220.127.116.11) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:18.104.22.168) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729)

We found a problem when two of our intermediate CA certificates are loaded in the Mozilla certificate store. You can reproduce the error by going to https://secure.camerfirma.com and later to https://http://sedeelectronica.ayto-nava.es. We can also reproduce the error by doing it in the opposite order. The error found is: (Código de error: sec_error_reused_issuer_and_serial)

Reproducible: Always

Steps to Reproduce:
1. https://secure.camerfirma.com
2. https://http://sedeelectronica.ayto-nava.es
3.

Actual Results:
Código de error: sec_error_reused_issuer_and_serial
Why did your CA issue certificates with the same serial?
Please first respond to Eddy's question. Then please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP and test with OCSP enforced in the Firefox browser and make sure it's working. When I try to browse to https://secure.camerfirma.com, I get the error sec_error_ocsp_invalid_signing_cert. Note that I have enforced OCSP in my browser.
OK, we have found the problem with the serial, and it was corrected by issuing a new certificate with a corrected serial. About the OCSP responder, we have corrected the problem several times. We will work on it to fix the problem definitively.
Eddy, why did you reopen this bug? There's no fault in any Mozilla product here, so the resolution of INVALID was appropriate. If you were calling into question the decision to approve Camerfirma's request in bug 562395, wouldn't it make more sense to reopen that bug?
NSS correctly detected the presence of two certs with the same issuer and serial number.
Well, aren't you interested in getting more information on why a CA is reusing serial numbers?
As I remarked in Bug 562395, it was just an error in the certification process. We use to issue subCA certificates in a manual ceremony and a wrong configuration file was used. This subCA does not issue end-user certificates anymore. We will detect and replace valid end-user certificates issued from this subCA. Regards
Hi. To avoid this error we have centralized the system for issuing CA certificates in order to easily check everything about the certificate content. We have improved the protocol for issuing root CA and intermediate CA certificates. A new check form has been developed in order to avoid this kind of problem. Regards, Ramiro