Ohaya wrote:

It turns out that what I thought was the CA's cert was actually a package of
certs for the root CA and for several sub-root CAs. [...]  :(.

Also during the PSM import thing, it displays just the name of one of the
sub-root CAs, and it appears that when I check the purposes checkboxes, it
is setting the purposes for just that one sub-root CA cert (i.e., not for
the root CA cert, and not for any of the other sub-root CA certs).

PSM's specification for the import of certs is found at http://wp.netscape.com/eng/security/comm4-cert-download.html

Here is a relevant excerpt from that specification:

Several of the formats described above can contain several certificates. When the Netscape certificate decoder encounters one of these collections of multiple certificates they are handled in the following way:

* The first certificate is processed in a context specific manner, depending upon how it is being imported. For the Communicator, this handling will depend upon the mime Content-Type that is used on the object being downloaded. For Netscape servers it will depend upon the options selected in the server administration interface.
* Subsequent certificates are all treated the same. If the certificates contain the SSL-CA bit [...] and do not already exist in the local certificate database, they are added as untrusted CAs. In this way they may be used for certificate chain validation, as long as there is a trusted CA somewhere along the chain.

So, my guess is that the certs in this file you downloaded are not in the right order.

--
Nelson B

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
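The handling quoted from the specification can be modelled in a few lines. This is an added example, not PSM's code and not part of the original message: the `Cert` record, the function names and the sample bundle are constructed, `ssl_ca` stands in for the SSL-CA bit the excerpt mentions, and `root_first` assumes the intent is to set trust on the root CA.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ssl_ca: bool = True  # assumption: models the SSL-CA bit from the excerpt

def simulate_import(bundle, db):
    """Apply the two excerpted rules to a multi-certificate bundle.

    Returns (subject that gets the context-specific handling, i.e. the
    purposes checkboxes, subjects added as untrusted CAs). `db` is the set
    of subjects already in the local database and is updated in place.
    """
    first, rest = bundle[0], bundle[1:]
    db.add(first.subject)
    added = []
    for cert in rest:
        if cert.ssl_ca and cert.subject not in db:
            db.add(cert.subject)
            added.append(cert.subject)
    return first.subject, added

def chain_validates(issuer_name, certs, trusted):
    """Follow issuer links upward; succeed once a trusted CA is reached."""
    by_subject = {c.subject: c for c in certs}
    name, seen = issuer_name, set()
    while name in by_subject and name not in seen:
        if name in trusted:
            return True
        seen.add(name)
        name = by_subject[name].issuer
    return False

def root_first(bundle):
    """Stable reorder that puts self-issued (root) certificates first."""
    return sorted(bundle, key=lambda c: c.subject != c.issuer)

# Constructed bundle: a sub-root CA precedes the root, as in the report above.
BUNDLE = [Cert("Sub CA 2", "Root CA"), Cert("Root CA", "Root CA"),
          Cert("Sub CA 1", "Root CA"), Cert("Sub CA 3", "Root CA")]

if __name__ == "__main__":
    for label, order in (("as downloaded", BUNDLE), ("root first", root_first(BUNDLE))):
        first, added = simulate_import(order, set())
        ok = chain_validates("Sub CA 1", BUNDLE, {first})
        print(f"{label}: purposes set on {first!r}; untrusted CAs {added}; "
              f"cert issued by 'Sub CA 1' validates: {ok}")
```

With the bundle as downloaded, only the first sub-root CA carries the selected purposes, so certificates issued under the other sub-root CAs have no trusted CA along their chain.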
