On 06/10/2013 04:32 PM, John Moyer wrote:
> Do you mean doing this? If not let me know.
I'm afraid much of what has been done so far amounts to flailing about.
The information needed to resolve the problem is contained in your cert.
I'm pretty sure I asked for this information previously with detailed
instructions on how to retrieve it.
We need to know the full contents of the cert, including its extensions
and the issuer. Then we need to know the contents of your NSS database.
That should be enough to answer the question of why your CA cert is not
validating as expected.
Either dump the text form of your CA cert and send it along or send us
the cert in PEM format and we'll open it up. I suggest you do that in a
private email to either me or Rob as opposed to the list. I have tools
that will help diagnose why NSS might fail to validate a cert.
Also, many public CAs will not issue, or will restrict, signing CA certs
because that opens them up to liability (they can't know what your CA
will sign and if they sign your CA they are in effect vouching for any
cert you issue). This is another reason it's important to see the
contents of the cert, to determine what actions that cert is authorized
to perform and who is authorizing those actions. Make sense?
Freeipa-users mailing list
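The checks the message asks for (issuer, extensions, and whether the cert is authorized to sign other certs) can be made with the `openssl` CLI. This is an added example, not part of the original message; the tool choice is an assumption, the function names are hypothetical, and the two certificates are throwaway ones constructed in a temporary directory.

```shell
# Added example; certificates are throwaway, constructed here for illustration.
# make_cert NAME BASIC_CONSTRAINTS KEY_USAGE: write a self-signed NAME.pem
make_cert() {
  cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-$1
[ext]
basicConstraints = critical,$2
keyUsage = critical,$3
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# cert_summary FILE: subject, issuer and the extensions that govern CA use
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer
  openssl x509 -in "$1" -noout -text |
    grep -A1 -E 'X509v3 (Basic Constraints|Key Usage)'
}

# can_sign_certs FILE: succeed only if the cert is permitted to sign other certs
can_sign_certs() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  # No Key Usage extension means no restriction; if present it must
  # include keyCertSign ("Certificate Sign" in the text dump).
  if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$text" | grep -q 'Certificate Sign'
  fi
}

# is_self_issued FILE: succeed if subject equals issuer (no outside CA vouches)
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" ]
}

( cd "$(mktemp -d)" || exit 1
  make_cert ca 'CA:TRUE' 'keyCertSign,cRLSign'
  make_cert leaf 'CA:FALSE' 'digitalSignature'
  for f in ca.pem leaf.pem; do
    cert_summary "$f"
    can_sign_certs "$f" && echo "$f: may sign certs" || echo "$f: may NOT sign certs"
  done )
```

The NSS side of the question is inspected with `certutil -L -d <nss-db-dir>`, which lists each nickname with its trust flags.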