On Thursday 07 April 2011 at 11:21 +0200, Ludovic Rousseau wrote:
>
> The problem is not if the CA (certification authority) is online or
> not. The "problem" is that the CA root certificate must be on the
> local file system.
> pam_pkcs11 does not reuse CA root certificates from Firefox or from
> anywhere else. Maybe that could be an evolution.
>
> > I also note that the CAcert root CA is using PEM format and my root CA
> > is in DER.
> Convert class3.crt from PEM to DER and try again.

I copied
http://www.cacert.org/certs/root.der
http://www.cacert.org/certs/class3.der
To /etc/pam_pkcs11/cacerts
And created hash links.

Still does not work:

DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
ERROR:pam_pkcs11.c:519: verify_certificate() failed: certificate is invalid: unable to get local issuer certificate
DEBUG:pam_pkcs11.c:508: verifing the certificate #2
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
ERROR:pam_pkcs11.c:519: verify_certificate() failed: certificate is invalid: unable to get local issuer certificate
DEBUG:pam_pkcs11.c:508: verifing the certificate #3
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
ERROR:pam_pkcs11.c:519: verify_certificate() failed: certificate is invalid: unable to get local issuer certificate
ERROR:pam_pkcs11.c:574: no valid certificate which meets all requirements found

Can you reproduce?

Kind regards,
-- 
Jean-Michel Pouré - Gooze - http://www.gooze.eu
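
Added example, not part of the original message and not pam_pkcs11 code: a shell check of the hash links in a CA directory such as the /etc/pam_pkcs11/cacerts named above, since "unable to get local issuer certificate" is what a hashdir lookup returns when no link name matches the issuer. The function names are hypothetical; it also flags links named with the subject hash OpenSSL used before version 1.0.0.

```shell
#!/bin/sh
# Added example: audit an OpenSSL-style hash directory.
# Each link must be named <8 hex digits>.<n> and resolve to a certificate
# whose subject hash equals that name, or the lookup cannot find the issuer.

# Print the subject hash of certificate $1, trying PEM then DER.
# $2 is the openssl option: -subject_hash or -subject_hash_old.
cert_hash() {
    for form in PEM DER; do
        openssl x509 -noout "$2" -inform "$form" -in "$1" 2>/dev/null && return 0
    done
    return 1
}

# One report line per hash link in directory $1:
# OK, OLDHASH, DANGLING, NOTCERT or MISMATCH.
audit_hashdir() {
    dir=$1
    for link in "$dir"/*; do
        name=${link##*/}
        # Skip anything that is not shaped like a hash link.
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        want=${name%%.*}
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"            # symlink target is missing
        elif ! new=$(cert_hash "$link" -subject_hash); then
            echo "NOTCERT $name"             # neither PEM nor DER parses
        elif [ "$new" = "$want" ]; then
            echo "OK $name"
        elif [ "$(cert_hash "$link" -subject_hash_old)" = "$want" ]; then
            echo "OLDHASH $name"             # named with the pre-1.0.0 hash
        else
            echo "MISMATCH $name (subject hash is $new)"
        fi
    done
}
```

Run it as `audit_hashdir /etc/pam_pkcs11/cacerts`; any line other than OK points at a link the lookup will not resolve to the intended CA.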