> From: owner-openssl-us...@openssl.org On Behalf Of Walter H.
> Sent: Friday, October 04, 2013 15:30

> there exists a self signed root CA certificate (A)
> one intermediate CA certificate (B)
> and this intermediate certificate has signed a SSL certificate (C) of a
> web server;
> [and C and B have correct AIA]
> in case the certificate database of the browser has only the root CA
> certificate and I surf to this webserver
> which itself sends the whole certificate chain; why does this work
> without errors only in IE, and not in FireFox?

If the server sends the full chain, AIA shouldn't matter. AIA should only be used to fill in an incomplete chain.

> if the root CA certificate is a built-in token; then this works in
> Firefox, too;

When it's not 'built-in token' in Firefox is it still in 'Authorities' tab and NOT 'Servers' tab? Roots in Authorities are normally trusted as CAs (although I think it's possible to change them) but roots in Servers are not by default. And if you added this cert yourself (not in the distro) I've sometimes had trouble getting Firefox to put an imported cert in the correct tab, but I don't recall details now.

But if the cert chain as sent is valid -- and openssl s_client can determine that -- you're probably better off in a Firefox forum than here. Firefox uses its own (well, Mozilla's own) NSS, not OpenSSL, so people here won't have much clue how it works.
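Added example, not part of the original message: a throwaway A/B/C hierarchy built with the `openssl` CLI, verified with only root A trusted, once with intermediate B supplied the way a server would send it and once without it. All subject names, file names and the helper functions `build_chain` and `chain_ok` are made up for this illustration.

```shell
#!/bin/sh
# Constructed test PKI mirroring the thread: root A, intermediate B, server cert C.

build_chain() {  # $1 = empty working directory
  cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # A: self-signed root CA
  openssl req -config "$1/x.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Root A" -keyout "$1/a.key" -out "$1/a.pem" 2>/dev/null || return 1
  # B: intermediate CA, signed by A
  openssl req -config "$1/x.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate B" -keyout "$1/b.key" -out "$1/b.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/b.csr" -CA "$1/a.pem" -CAkey "$1/a.key" -set_serial 2 \
    -days 2 -extfile "$1/x.cnf" -extensions v3_ca -out "$1/b.pem" 2>/dev/null || return 1
  # C: server certificate, signed by B
  openssl req -config "$1/x.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$1/c.key" -out "$1/c.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/c.csr" -CA "$1/b.pem" -CAkey "$1/b.key" -set_serial 3 \
    -days 2 -extfile "$1/x.cnf" -extensions v3_leaf -out "$1/c.pem" 2>/dev/null || return 1
}

chain_ok() {  # $1 = dir, $2 = "sent" (server sends B with C) or "missing" (only C)
  # Only A is in the trust store; B is passed as an untrusted helper cert,
  # which is the role of intermediates included in the TLS handshake.
  if [ "$2" = sent ]; then
    openssl verify -CAfile "$1/a.pem" -untrusted "$1/b.pem" "$1/c.pem" 2>&1
  else
    openssl verify -CAfile "$1/a.pem" "$1/c.pem" 2>&1
  fi | grep -q ': OK$'
}

demo=$(mktemp -d) && build_chain "$demo" && {
  chain_ok "$demo" sent    && echo "only A trusted, server sends B and C: chain verifies"
  chain_ok "$demo" missing || echo "only A trusted, server sends C alone: fails (the gap AIA fills)"
}
rm -rf "$demo"
```

Against a live server, `openssl s_client -connect <host>:443 -CAfile a.pem -showcerts` lists the certificates the server actually sends and prints the verify return code.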