Nelson,

Comments interspersed below...

Jim

"Nelson B" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> After re-reading this thread, I noticed that in your original post, you
> wrote:
>
> > when I import and check the "purposes" checkbox, the
> > CA cert seems to get imported, but all the purposes end up being
> > unchecked.
>
> So, the cert IS being imported, and your own issue is with trust flags.
> PSM 1.x had a trust flags editor. After the cert is imported, you
> should be able to edit the flags as you wish.

Yes, the cert is being imported into PSM. I can "view" it and "edit" it in PSM after importing it. And, yes, I know I can edit the flags in PSM.

When the cert is imported into PSM, one of the windows displays the 3 checkboxes for trust purposes. The problem is that even if I check one or more of the checkboxes, then click through to the Finish button to complete the import, when I go to look at the cert in PSM, those checkboxes that I had checked when I did the import are NOT checked, and our users find this out "the hard way" when they actually, say, go to a secured website and get a popup saying the website is not trusted, even with the root CA cert imported.

The first time this happened to me, my first thought was "Huh?". My next thought was "Didn't I check those checkboxes?". Well, I went through the whole delete-the-cert and re-import-the-cert thing, being careful to check the checkboxes, and each time, the certs show up in PSM with the checkboxes unchecked.

In a way, you're right. We can edit the trust purposes in PSM after-the-fact. But, that's not the way it's supposed to work, and I know from testing with other root CA certs that this problem doesn't occur with them.

> Are you certain that the cert you're examining (with apparently wrong
> trust flags) is exactly the cert you think it is, and not (say) a
> very similar one that isn't quite identical?

Yes, I'm pretty sure. The certs and the Subject name, etc. are quite distinctive :).

> Is the cert you tried to import into IE identical to the one you
> imported into PSM? This may be the first time someone reported that
> a cert DID work with netscape and NOT with IE. :)

I can't be quite sure that they are identical, because I downloaded the file(s) using the browser. It's possible that the website checks the incoming browser type and downloads a different file depending upon browser type.

> Can you post the URL for downloading that cert?
> If not, can you email me a copy of your cert7.db file (the one with
> the cert in it with the wrong trust flags)? You'd have to demunge
> my email address, but you can do that. You'll also have to tell me
> which cert in the file is the one with the troubles.

Sorry. I can't post the URL, but I will think about emailing you either a link or the file itself. Give me a couple of days to check on this.

> BTW, my only interest here is to see if there's a legitimate cert
> that gives troubles to modern PSM/NSS software. There's no way that
> any new PSM 1.x will be created or patched. NSS has some command
> line tools that might be able to help you if the only problem is
> with the trust flags.

I understand, and I do appreciate that, and I feel somewhat bad in not being able to just provide the info that I know would make it easier to diagnose :(. I've tried to explain the situation we're in with NS and PSM (we're stuck with them).

The "rest of the story" is that the CA is telling me that their root certs are "fine". As I mentioned above, I was kind of surprised when I ran into this problem, and in speaking with the CA folks, they say that they have never heard of anyone having a problem with their root certs. Lucky me, I guess. I'm "the first" :)! Seriously though, I doubt that, and I'm a little worried that this is going to cause a problem for our users, so my first motivation in this is just trying to avoid future problems.

But, from a somewhat more relevant (to this newsgroup) standpoint, it kind of worries me when a CA thinks their root certs are ok, when they don't appear to be (to me).

BTW, I'm kind of curious about something. I'm wondering if I tried to import these same certs into, say, NS 7.1, would I encounter the same problem? I'm going to have to find a clean machine to try it on, but if I can, I'll post back with what I find.

That's about it.

Jim

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
