Hello everybody, I have a problem with certificate chains. (I have been searching through the mailing list archives and I haven't seen it; sorry if it is a repeated topic.)
I have a PKI with 3 levels:
1. A root self-signed certificate at the first level.
2. Sub certification authorities certified by the first one at the second level.
3. User certificates certified by second-level authorities at the third level.
I want a pair of users using Netscape / Mozilla to be able to exchange signed messages, so every user imports the root self-signed certificate into the navigator. The problem is: I want a user certified by a concrete sub-authority (SubCA_1) to be able to authenticate a user certified by another sub-authority (SubCA_2).
To implement this scheme I create the PKCS12 files for users adding two certificate bags (the first one is the certificate corresponding to the sub-authority certificate and the last one the user certificate).
I do this hoping that when the mail program generates the SMIME, it will include the chain and the receiver will verify the chain using the root certificate.
The problem is that, when importing the user's PKCS12, Netscape / Mozilla does not recognize the first certificate of the chain as the sub-authority, so the program says that the user certificate issuer is unknown and nothing works.
Has anyone played with a scheme like this? Can someone suggest where the problem might be, or even tell me whether it is possible or not?
Thank you very much.
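
An added example, not part of the original post: a shell script that reproduces the three-level hierarchy described above with the openssl CLI, bundles the user's PKCS12 with the sub-authority certificate as a second bag, and checks whether the bags read back from the file chain to the root for S/MIME signing. All names, the password and the file paths are constructed, and it assumes OpenSSL 1.1.1 or later.

```shell
# Added example: constructed names, password and paths; not from the original post.
chain_demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:user@example.test
EOF
  (
    cd "$d" || exit 1
    exec 2>/dev/null  # hide key-generation progress output
    # Level 1: self-signed root
    openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj "/CN=Constructed Root" -days 30 || exit 1
    # Level 2: SubCA_1, issued by the root and marked CA:TRUE
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -keyout sub.key -out sub.csr -subj "/CN=Constructed SubCA_1" || exit 1
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile pki.cnf -extensions ca -days 30 -out sub.pem || exit 1
    # Level 3: user certificate, issued by SubCA_1
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -keyout user.key -out user.csr -subj "/CN=Constructed User" || exit 1
    openssl x509 -req -in user.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
      -extfile pki.cnf -extensions user -days 30 -out user.pem || exit 1
    # PKCS12 with two certificate bags: the sub-authority and the user
    openssl pkcs12 -export -inkey user.key -in user.pem -certfile sub.pem \
      -name "constructed user" -passout pass:constructed -out user.p12 || exit 1
    # Read the bags back; openssl treats bags without a localKeyID as CA certs
    openssl pkcs12 -in user.p12 -passin pass:constructed -nokeys -cacerts -out bag_ca.pem || exit 1
    openssl pkcs12 -in user.p12 -passin pass:constructed -nokeys -clcerts -out bag_user.pem || exit 1
    # Verify as a receiver holding only the root, with and without the sub-CA bag
    if openssl verify -purpose smimesign -CAfile root.pem -untrusted bag_ca.pem \
         bag_user.pem >/dev/null; then with=ok; else with=fail; fi
    if openssl verify -purpose smimesign -CAfile root.pem \
         bag_user.pem >/dev/null; then without=ok; else without=fail; fi
    echo "with_subca=$with without_subca=$without"
  )
  rc=$?; rm -rf "$d"; return "$rc"
}
chain_demo
```

The same `openssl pkcs12 -in ... -nokeys` and `openssl verify` steps can be pointed at an existing PKCS12 file to see which bags it carries and whether they link up to the root before importing it into the mail client.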