> From: owner-openssl-us...@openssl.org On Behalf Of A A
> Sent: Monday, 17 June, 2013 20:58

<re: Firefox, which I abbreviate FF not FX>

> Unfortunately fx doesn't let me to export CA certificate. I can only
> view server side certificate and export it. Also, marking the

It works for me (in 20.1, I'm a little behind, but I doubt this changed).
To be clear: AddException, View, Details, select top cert in Hierarchy
which should be the root/CA cert but look to be sure, Export.

> exception as permanent doesn't make fx remember this setting and I
> need to accept the certificate warning every time I go to a new SSL

But not the same site, right? An exception is for a particular server cert
*under* a CA. Look at Tools Options Encryption ViewCertificates under Servers
(yes, Servers is not the most obvious place for this).
Whereas if you trust a CA cert, then all certs it issues are accepted
(until expired, or maybe revoked, I forget if FF is doing revocation).

> site. I tried to import the certificate that fx shows after clicking
> padlock icon in address bar and import it into a list of trusted CAs
> but fx says that it's not a CA certificate. In fx I can only see that
> this CA certificate is signed by the company itself, it contains its
> name and address but I can't export it explicitly. And when I do

Padlock MoreInfo takes you to Tools PageInfo Security, which initially
shows you the server cert. If the server cert is issued by a CA,
the server cert is indeed not a CA cert. Like the above, go to Details,
select the top cert in Hierarchy, and Export that.

> "openssl s_client -showcerts -connect HOSTNAME:443" it says "No client
> certificate CA names sent". It seems to be harder than I thought. I
> think that importing this CA certificate into a list of trusted CAs in
> fx would make all warnings be gone.
>

"client certificate CA names" are for *client* authentication,
which is rarely used, and apparently not here.
What you want is the top/last cert in the *server* chain, which displays
as a series of PEM blocks (base64 delimited by -----BEGIN and -----END lines)
with 2-line labels before each giving the subject and issuer
which should help figure out which is which.

<snip prior>
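
Added example, not part of the original message: one way to pull the last certificate and its subject/issuer labels out of `openssl s_client -showcerts` output, as the reply describes. The function names are hypothetical and the sample output is constructed, with placeholder base64 instead of real certificates.

```shell
#!/bin/sh
# Constructed sample of `openssl s_client -showcerts` output; the base64
# bodies are placeholders, not real certificates.
sample_showcerts() {
cat <<'EOF'
Certificate chain
 0 s:/O=Example Corp/CN=intranet.example.test
   i:/O=Example Corp/CN=Example Corp Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:/O=Example Corp/CN=Example Corp Root CA
   i:/O=Example Corp/CN=Example Corp Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Example Corp/CN=intranet.example.test
issuer=/O=Example Corp/CN=Example Corp Root CA
---
No client certificate CA names sent
EOF
}

# Print "index<TAB>subject<TAB>issuer" for each certificate in the chain.
chain_labels() {
  awk '/^Server certificate/ { exit }
       /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
       /^ +i:/        { sub(/^ +i:/, ""); printf "%s\t%s\t%s\n", idx, subj, $0 }'
}

# Print the PEM block of the last certificate in the chain section.
last_chain_cert() {
  awk '/^Server certificate/         { exit }
       /-----BEGIN CERTIFICATE-----/ { buf = ""; inpem = 1 }
       inpem                         { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/   { inpem = 0; last = buf }
       END                           { printf "%s", last }'
}

# Succeed only if the last entry is its own issuer (a root). Servers often
# omit the root; then the last cert sent is an intermediate, not the CA to trust.
last_is_self_issued() {
  chain_labels | awk -F '\t' '{ s = $2; i = $3 } END { exit !(NR > 0 && s == i) }'
}

# Live use, with HOSTNAME as in the thread:
#   openssl s_client -showcerts -connect HOSTNAME:443 </dev/null >out.txt 2>/dev/null
#   last_is_self_issued <out.txt && last_chain_cert <out.txt >ca.pem
sample_showcerts | chain_labels
```

Before importing the extracted file as a trusted CA, `openssl x509 -in ca.pem -noout -subject -issuer -fingerprint -sha256` shows the values to compare against what the CA's owner publishes.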