On 11/12/2013 11:36 AM, Rob Crittenden wrote:
> This is basically what I saw too. I'm waiting on someone from the NSS
> team to get back to me. This must have something to do with the way that
> OpenSSL validates certs vs NSS. Apparently NSS is being more picky but I
> don't know why yet.

FWIW the current version of python-nss allows you to run NSS cert validation in logging mode, you'll get back a list of errors detailing everything NSS found at fault. Now having said that I'll also note the validation information NSS generates can sometimes be less than wonderful, but at least you'll be getting an insight into where NSS is finding fault.

There is an example Python script doc/examples/verify_cert.py which you can run to validate a cert, you can turn on the validation logging with the --log command line arg. The example script also illustrates how to do cert validation logging. The script is contained in the python-nss-doc subpackage. You'll need to be running python-nss >= 0.14.

--
John

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users