Nelson B wrote:
>
> Ohaya wrote:
>
> > It turns out that what I thought was the CA's cert was actually a package of
> > certs for the root CA and for several sub-root CAs. [...] :(.
> >
> > Also during the PSM import thing, it displays just the name of one of the
> > sub-root CAs, and it appears that when I check the purposes checkboxes, it
> > is setting the purposes for just that one sub-root CA cert (i.e., not for
> > the root CA cert, and not for any of the other sub-root CA certs).
>
> PSM's specification for the import of certs is found at
> http://wp.netscape.com/eng/security/comm4-cert-download.html
>
> Here is a relevant excerpt from that specification:
>
> > Several of the formats described above can contain several certificates.
> > When the Netscape certificate decoder encounters one of these
> > collections of multiple certificates they are handled in the following
> > way:
> >
> > * The first certificate is processed in a context specific manner,
> > depending upon how it is being imported. For the Communicator, this
> > handling will depend upon the mime Content-Type that is used on the
> > object being downloaded. For Netscape servers it will depend upon the
> > options selected in the server administration interface.
> > * Subsequent certificates are all treated the same. If the
> > certificates contain the SSL-CA bit [...] and do not already exist in
> > the local certificate database, they are added as untrusted CAs. In this
> > way they may be used for certificate chain validation, as long as there
> > is a trusted CA somewhere along the chain.
>
> So, my guess is that the certs in this file you downloaded are not in the
> right order.
>
Nelson,

Thanks. This discussion has been very helpful for me.

I've used openssl pkcs7 to see what's in the file, and the certs in the file
are basically arranged something like:

sub-root CA aaa
sub-root CA bbb
sub-root CA ccc
.
.
sub-root CA xxx
root CA

I broke each of the certs out manually and it looks like all of the sub-root CA
certs are off of the single root CA cert.

Given what you mentioned above, it seems like all of the sub-root CA certs, and
the root CA cert would get added as untrusted CAs, except for the first one
(sub-root CA aaa).

I'm not sure if this makes sense, to me, anyway. What I mean by this is why
package ALL of the sub-root CA certs together like that (they don't all form a
single chain), since apparently only the 1st one will carry the trusted purposes
over once they're imported into PSM (and I checked, and they have only one of
these files, i.e., they don't have different packages for different uses)?

I'm wondering if, for some reason, they think that PSM will propagate the trust
purposes set for the first sub-root CA cert to all the other sub-root CA certs
in the file.

I'm supposed to be meeting with some of the people from the CA tomorrow, so I
hope that I get the chance to ask this :)!!

I'll post back if I find anything out.

Again, thanks for all of your help (and patience).

Jim

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
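Added example, not code from anyone in the thread: a shell script that performs the check Jim describes, listing the certificates in a PKCS#7 bundle in the order `openssl pkcs7 -print_certs` emits them and reporting whether the first one is self-signed, i.e. the root that would receive the trust purposes under the PSM import rule Nelson quoted. It assumes the openssl CLI is installed; the function names and the throwaway root/subordinate pair it generates for a demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists the certificates in a PKCS#7
# bundle in the order "openssl pkcs7 -print_certs" emits them and checks whether
# the FIRST one is self-signed (subject == issuer). Under the PSM import rule
# quoted above only the first certificate receives the trust purposes picked in
# the dialog; the rest are added as untrusted CAs. Requires the openssl CLI.
set -eu

# bundle_order FILE [PEM|DER]: prints one "N<TAB>subject<TAB>issuer" line per cert
bundle_order() {
    openssl pkcs7 -inform "${2:-PEM}" -in "$1" -print_certs -noout |
        awk 'BEGIN { n = 0 }
             /^subject=/ { sub(/^subject=/, ""); subj = $0 }
             /^issuer=/  { sub(/^issuer=/, ""); n++; printf "%d\t%s\t%s\n", n, subj, $0 }'
}

# first_is_root FILE [PEM|DER]: exit 0 if the first cert is self-signed,
# 1 if it is subordinate (or the bundle holds no certs)
first_is_root() {
    bundle_order "$1" "${2:-PEM}" |
        awk -F'\t' 'NR == 1 { ok = ($2 == $3) }
                    END { code = (NR > 0 && ok) ? 0 : 1; exit code }'
}

# make_demo_bundle DIR: constructed throwaway root CA plus one cert it signed,
# packaged with crl2pkcs7 as a CA might hand them out; prints the bundle path
make_demo_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/sub.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/sub.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/sub.pem" -certfile "$d/root.pem" \
        -out "$d/bundle.p7b"
    printf '%s\n' "$d/bundle.p7b"
}

# Usage: sh order.sh BUNDLE [PEM|DER]
if [ -n "${1:-}" ]; then
    bundle_order "$1" "${2:-PEM}"
    if first_is_root "$1" "${2:-PEM}"; then
        echo "first cert is the root CA"
    else
        echo "first cert is NOT the root CA: only it will get the trust purposes"
    fi
fi
```

Run it against the CA's bundle to see which certificate sits first; if a sub-root CA is first, that is the only one the import dialog's purpose checkboxes will apply to.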
