On 06/10/2013 04:32 PM, John Moyer wrote:
> Do you mean doing this? If not let me know.

I'm afraid much of what has been done so far amounts to flailing about. The information needed to resolve the problem is contained in your cert. I'm pretty sure I asked for this information previously with detailed instructions on how to retrieve it.

We need to know the full contents of the cert, including its extensions and the issuer. Then we need to know the contents of your NSS database. That should be enough to answer the question of why your CA cert is not validating as expected.

Either dump the text form of your CA cert and send it along or send us the cert in PEM format and we'll open it up. I suggest you do that in a private email to either me or Rob as opposed to the list. I have tools that will help diagnose why NSS might fail to validate a cert.

Also, many public CAs will not issue, or will restrict signing CA certs because that opens them up to liability (they can't know what your CA will sign and if they sign your CA they are in effect vouching for any cert you issue). This is another reason it's important to see the contents of the cert, to determine what actions that cert is authorized to perform and who is authorizing those actions, make sense?

John
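
An added example, not part of the original message: a way to read from a cert's text dump whether it is authorized to sign other certificates (Basic Constraints `CA:TRUE` plus the Certificate Sign key usage) and who issued it. The function names and the throwaway self-signed certificates are constructed for illustration; the OpenSSL command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: classify what a certificate is authorized to do, using the
# text dump of its extensions. All certificates here are constructed samples.

# make_sample_cert PREFIX BASIC_CONSTRAINTS KEY_USAGE
# Writes PREFIX.pem, a throwaway self-signed cert with the given extensions.
make_sample_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed Sample
[ext]
basicConstraints = $2
keyUsage = $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# cert_signing_authority FILE
# Prints signing-ca, ca-without-certsign or not-a-ca.
cert_signing_authority() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo not-a-ca              # cannot act as an issuer at all
    elif printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' &&
         ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
        echo ca-without-certsign   # marked CA, but key usage forbids signing certs
    else
        echo signing-ca
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_cert "$d/ca" 'critical,CA:TRUE,pathlen:0' 'critical,keyCertSign,cRLSign'
    make_sample_cert "$d/leaf" 'CA:FALSE' 'digitalSignature,keyEncipherment'
    for c in ca leaf; do
        openssl x509 -in "$d/$c.pem" -noout -issuer   # who vouches for this cert
        echo "$c: $(cert_signing_authority "$d/$c.pem")"
    done
    rm -rf "$d"
}
demo
```

A cert reported as `not-a-ca` or `ca-without-certsign` cannot be validated as the issuer of other certificates, whatever else is in the trust database.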