On Thu, Nov 10, 2016 at 5:46 PM, <[email protected]> wrote:
> I was able to learn more about this issue. The intermediate certificate was
> not chaining to the root certificate using security.enterprise_roots.enabled
> or in the manual certificate import.
>
> Despite the intermediate being in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates and
> the root ca being in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates ,
> it was not until I manually exported the CA\Certificates, changed its reg
> path to ROOT\Certificates and reimported that the feature worked. Similarly,
> the manual certificate import in firefox did not need the CA imported, only
> the intermediate.
>
> Does this mean that our intermediate isn't signed properly (according to nss)
> by the CA or firefox is having issues connecting chains?
>
> Windows happily puts the intermediate into the intermediate store and the ca
> into the root store and the other browsers respect the chain. Unfortunately,
> the site and keys are private so I can't share them.
As far as I understand, it's best that the server always sends the entire cert chain to the client (e.g. by configuring the SSLCertificateChainFile directive if you have an Apache httpd server), so the client can verify the entire chain just by having / trusting the root CA certificate. So maybe adding the chain to your server might make it work in your case.

However, if this works correctly in Chrome and IE (without the server sending the chain, just by having the intermediates in the Windows truststore aka Registry), maybe you're seeing another issue / enhancement request for the FF certificate support. It should be possible for FF to trust the intermediates as well, on top of trusting just the root CA's ...

-- 
Johan

_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"

