Problem with CA certificate and version 3 extensions...
Hi! I'm having some problems with using certificates in Mozilla and just wanted to post my problems here to see what I'm doing wrong, or whether Mozilla's certificate management does not work correctly!

1. I attached my own CA root certificate to this posting, which I want to use for securing our company's mail system. The problem is that Mozilla does not recognize it as a CA certificate, although it contains all the Netscape extensions I found. What is wrong with this certificate? Why does Mozilla not recognize it as a CA? Shouldn't Mozilla recognize it as a CA certificate and store it, if confirmed to do so, under the section with the trusted CA certificates in the certificate manager?

2. There is no possibility to view the details of the CA certificate after storing a certificate signed by it! E.g.: when I connect to a site with https which has a certificate signed with my CA certificate, Mozilla says that the certificate was signed by a CA which Mozilla does not know about. This is correct! Now I can click on "view certificate", and then under the details of the certificate I can also view the details of the CA certificate which gets delivered by the web server! If I now check the checkbox to store the certificate permanently, it gets stored under the section "Web sites". There I can view the details of the certificate again, but if I click on "Edit" and, in the dialog box that appears, on "Edit CA trust", Mozilla says that the certificate for the CA was not found (because it was not stored with the certificate). So why wasn't the CA certificate stored? Another thing which I do not understand is why Mozilla does not complain about an unknown CA when connecting again after storing the certificate, although the CA was not stored! So if I once marked a certificate as trusted, it does not matter if the CA is known or not?

3. In the certificate manager, when viewing a pre-installed CA certificate, there is the sentence "This certificate has been verified for the following uses:" with the verified uses! When viewing my CA certificate there just is nothing, only the sentence without any uses! Why?

4. Mozilla does not recognize the version 3 extensions subjectAltName and issuerAltName! This would really be a feature to implement, because one could use a single certificate for more than one website! So please implement the version 3 extensions (correctly)!

And finally: all my problems only occur with Mozilla! MSIE and Outlook both know about the version 3 extensions, my CA certificate is recognized as such, and the certificates have verified uses! In the MS world everything works as I expected it to, but Mozilla cannot even handle my CA! What must I change in the certificates to get it working in Mozilla? Or is the certificate management broken?

Thanks for your time!
Re: Verisign CA Certs missing from Mozilla 1.0 RC1?
Christian,

Christian Schulte wrote:

Robert Relyea wrote:

My guess is the certificate in question is a secondary CA signed by a primary. The problem is that gtoc.iss.net is probably misconfigured. It should send the secondary certificate with its server certificate. Their misconfiguration is masked on IE because IE throws every CA cert it finds into its permanent certificate store.

Daniel Kluge wrote:

Hello there, I was just visiting https://gtoc.iss.net/, which gives me an 'Unknown Certificate Signer' or so error.

This is a problem with the https://gtoc.iss.net SSL server configuration. We see a lot of these misconfigured servers these days. That server does not transmit the full certificate chain, from leaf cert (SSL server cert with a subject of gtoc.iss.net) to the root Verisign cert, and the intermediate Verisign certificate. Unlike IE, Netscape Communicator and Mozilla do not save the intermediate certificates into the database, in order not to grow the database indefinitely every time you visit a new SSL web site. Only the root certificates are kept persistently (and actually they are now in a PKCS#11 module). The SSL protocol specifies that the server must present its entire certificate chain to the client, but this server is not doing so, and therefore Mozilla cannot verify it. This is not a Mozilla bug. The solution is for the system administrator to correct the server configuration.

--
Except for the lack of debugging and the ps thing, [Linux] kernel threads are generally fine right now. And if you're not too fussed about the more fiddly details of POSIX threads, and your application doesn't spend most of its time in thread creation, then LinuxThreads is great too.
Linux-Kernel archive
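Added example, not part of the original message: a small model of the chain-building behaviour described in the reply above, showing how a server that omits its intermediate certificate fails on a client that keeps only roots but passes on a client that has cached the intermediate. The certificate names are constructed, and certificates are matched by subject and issuer name only (no signature or validity checks), which is an assumption made to keep the sketch short.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Constructed sample PKI (hypothetical names, not the real gtoc.iss.net chain).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("www.example.test", "Example Intermediate CA")

def build_chain(sent, roots, cache=()):
    """Return the path from the leaf to a trusted root, or None.

    sent  -- certificates received in the handshake, leaf first
    roots -- the persistent trusted root store
    cache -- intermediates remembered from earlier sites (cache-everything client)
    """
    trusted = {c.subject: c for c in roots}
    pool = {c.subject: c for c in list(sent[1:]) + list(cache)}
    path, current = [sent[0]], sent[0]
    while True:
        if current.issuer in trusted:
            path.append(trusted[current.issuer])
            return path
        nxt = pool.get(current.issuer)
        if nxt is None or nxt in path:
            return None  # issuer not available: "unknown certificate signer"
        path.append(nxt)
        current = nxt

def diagnose(sent, roots, cache=()):
    """Classify a server's handshake from an administrator's point of view."""
    if build_chain(sent, roots):            # handshake plus roots only
        return "complete"
    if build_chain(sent, roots, cache):     # succeeds only thanks to the cache
        return "incomplete-masked-by-cache"
    return "unverifiable"

if __name__ == "__main__":
    print(diagnose([LEAF, INTERMEDIATE], [ROOT]))          # correct server
    print(diagnose([LEAF], [ROOT]))                        # roots-only client
    print(diagnose([LEAF], [ROOT], cache=[INTERMEDIATE]))  # caching client
```

The "incomplete-masked-by-cache" result is the case an administrator should test for: the server looks fine from a client that has seen the intermediate before, and fails everywhere else.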
Re: No way to import a private key function with new API?
Yes, it is quite confusing. Perhaps the future direction of Mozilla is to not support certificates. Or perhaps they are getting a lot of pressure from companies such as Verisign, which appears to be under a lot of pressure to increase profits, to only support private keys associated with certificates which have been purchased from them.

Ken

Patrick [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Hello,

There seems to be no function for importing a private key function in the new public API. Why is a function like PK11_ImportDERPrivateKeyInfo not exported in the API?

--
POC