Petar,

Petar Popara wrote:
> I'm uploading revoked cert, its issuer and issuer's crl that I use for
> testing if you would like to take a look. Password for .pfx files is 'p'.

Everything is fine with your cert and CRLs, and NSS is checking the
revocation status just fine.
I unzipped your certs in the "petar" subdirectory and ran the following
commands:
1) certutil -d petar -N
This creates a new cert and key DB.
2) certutil -d petar -A -n CA -i petar/DEMO-SICA.cer -t C,C,C
This installs your CA cert.
3) pk12util -d petar -i "petar/Demo User (DEMO-SICA).pfx"
This installs the valid cert.
4) pk12util -d petar -i "petar/Demo User Revoked (DEMO-SICA).pfx"
This installs the revoked cert.
5) crlutil -d petar -I -i petar/DEMO-SICA.crl
This installs the CRL.
6) certutil -d petar -n 1118bd833019ce94b626d680206a5cdb_61c37a0b-e01f-465e-ba3b-327aa038b07d -V -u S
This checks your revoked cert. The output is:
certutil: certificate is invalid: Peer's Certificate has been revoked.
7) certutil -d petar -n b46e4f9bce15057680c1187eb4e11b19_61c37a0b-e01f-465e-ba3b-327aa038b07d -V -u S
This checks your valid cert. The output is:
certutil: certificate is valid
This proves that NSS is doing what it should (except the nicknames
generated for your certs are really ugly - I don't know why that is).
If the first cert isn't showing as revoked in Firefox or Mozilla, that
is probably due to the trust having been set incorrectly by that
product. I didn't check with them. If the problem still persists, you
should file a bug against PSM (security UI component of Mozilla). You
should also know that nobody is working on that component, so it will
probably not be fixed :-(