Closed Bug 582531 Opened 14 years ago Closed 14 years ago

intermediate CA certificates incompatibility problems

Categories

(NSS :: Libraries, defect)

3.12.6
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: ramirom, Unassigned)


Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729)

We found a problem when two of our intermediate CA certificates are loaded in the Mozilla certificate store.

You can reproduce the error by going to https://secure.camerfirma.com and later to https://http://sedeelectronica.ayto-nava.es. We can also reproduce the error doing it the opposite way.

The error found is: (Código de error: sec_error_reused_issuer_and_serial)




Reproducible: Always

Steps to Reproduce:
1. https://secure.camerfirma.com
2. https://http://sedeelectronica.ayto-nava.es
Actual Results:  
Código de error: sec_error_reused_issuer_and_serial
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Group: core-security
Why did your CA issue certificates with the same serial?
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Please first respond to Eddy's question.

Then please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP and test with OCSP enforced in the Firefox browser and make sure it's working.
When I try to browse to https://secure.camerfirma.com, I get the error sec_error_ocsp_invalid_signing_cert
Note that I have enforced OCSP in my browser.
Blocks: 582575
Blocks: 562395
OK, we have found the problem with the serial, and it was corrected by issuing a new certificate with a corrected serial.

About the OCSP responder, we have corrected the problem several times. We will work on it to fix the problem definitively.
Eddy, why did you reopen this bug?  There's no fault in any Mozilla product 
here, so the resolution of INVALID was appropriate.  

If you were calling into question the decision to approve Camerfirma's 
request in bug 562395, wouldn't it make more sense to reopen that bug?
Assignee: nobody → nobody
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → libraries
Version: unspecified → 3.12.6
NSS correctly detected the presence of two certs with the same issuer and
serial number.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → INVALID
Well, aren't you interested in getting more information on why a CA is reusing serial numbers?
As I remarked in Bug 562395.

It was just an error in the certification process.
We use to issue subCA certificates in a manual ceremony and a wrong configuration file was used.

This subCA does not issue end-user certificates anymore.
We will detect and replace valid end-user certificates issued from this subCA.

Regards
Hi

To avoid this error we have centralized the system for issuing CA certificates in order to easily check everything about the certificate content. We have improved the protocol for issuing root CA and intermediate CA certificates. A new check form has been developed in order to avoid this kind of problem.

Regards
Ramiro
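
An added example, not part of the bug thread and not Camerfirma or NSS code: a minimal pre-issuance check of the kind the last comment describes, flagging the condition NSS reported here (two different certificates sharing the same issuer and serial number). The inventory, fingerprints and function names are constructed for illustration, and issuer comparison is simplified as noted in the comments.

```python
from collections import defaultdict

# Constructed sample inventory (not from the bug): issuer DN, serial as text,
# and a placeholder fingerprint standing in for a hash of the DER certificate.
SAMPLE_INVENTORY = [
    ("CN=Example Root CA, O=Example", "07", "fp-subca-a"),
    ("CN=Example Root CA, O=Example", "00:07", "fp-subca-b"),  # reused serial
    ("CN=Example Root CA, O=Example", "0x08", "fp-subca-c"),
    ("cn=example root ca,  o=example", "08", "fp-subca-c"),    # same cert seen twice
    ("CN=Other Root CA, O=Example", "07", "fp-subca-d"),       # different issuer
]

def cert_key(issuer, serial_text):
    """Normalise (issuer, serial) into a comparable key.

    Assumption/simplification: DNs are compared case-insensitively with
    whitespace collapsed; a production check would compare the DER-encoded
    issuer Name. Serials are read as hexadecimal, so "07", "00:07" and
    "0x07" all denote the same serial number.
    """
    issuer_norm = ",".join(" ".join(part.split()).lower()
                           for part in issuer.split(","))
    return issuer_norm, int(serial_text.replace(":", ""), 16)

def find_reused(inventory):
    """Return {key: sorted fingerprints} for keys shared by different certs."""
    seen = defaultdict(set)
    for issuer, serial_text, fingerprint in inventory:
        seen[cert_key(issuer, serial_text)].add(fingerprint)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def may_issue(inventory, issuer, serial_text):
    """Pre-issuance gate: False if this issuer already used the serial."""
    used = {cert_key(i, s) for i, s, _ in inventory}
    return cert_key(issuer, serial_text) not in used

if __name__ == "__main__":
    for (issuer, serial), fps in find_reused(SAMPLE_INVENTORY).items():
        print(f"REUSED issuer={issuer!r} serial={serial:#x} certs={fps}")
```

The same certificate appearing twice is not flagged; only distinct certificates under one issuer and serial are.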