Nelson B wrote:
> (BTW, you've apparently figured out how to use the root certs module.
> Congratulations on that.)

Thanks for all the info in your reply, but I think I just found the
problem, and apparently I haven't completely figured out how to build the
root certs module.

After looking at my Firefox profile, which has some of the same certs in
it (the ones there are chaining properly and showing the correct
usage in the certificate manager), I think I may have found the problem.
In my root module all of the intermediate CAs have trust of "p,p,p",
which is "valid peer", and the Root CAs have "C,C,p". In Firefox's
certdb the intermediates have "c,c,c" and the Root CAs have "CT,C,c". I
have a script I put together to totally regenerate the libnssckbi, and
when I run the addbuiltin command I pass in the following for Root CAs,
intermediate CAs and then the user certs respectively:

Roots:
addbuiltin -n "foo" -t "CT,C,c" < foo.der >> certdata.txt

Intermediate CAs:
addbuiltin -n "foo" -t "c,c,c" < foo.der >> certdata.txt

User certs:
addbuiltin -n "foo" -t ",," < foo.der >> certdata.txt

I use certutil -L -d dbdir -h all to show all of the certificates in the db
as well as the roots module, and I have "p,p,p" for all the user certs as
well as the intermediate CAs and "C,C,p" for the Root CAs. Does anyone
know why addbuiltin appears to ignore any trust flag except "C"?

Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
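
A check for the mismatch described in the message above, as an added example that is not part of the original post: it compares the trust flags listed by certutil -L against the flags passed to addbuiltin -t. The nicknames, the inventory mapping and the sample listing are constructed for illustration.

```python
import re

# Trust strings the post passes to `addbuiltin -t` for each class of cert.
EXPECTED = {"root": "CT,C,c", "intermediate": "c,c,c", "user": ",,"}

# Constructed sample of `certutil -L -d dbdir -h all` output (hypothetical nicknames).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA                         C,C,p
Builtin Object Token:Example Intermediate CA                 p,p,p
Builtin Object Token:Example User                            p,p,p
"""

# Hypothetical inventory: which class each nickname belongs to.
INVENTORY = {"Example Root CA": "root",
             "Example Intermediate CA": "intermediate",
             "Example User": "user"}

TOKEN_PREFIX = "Builtin Object Token:"
# A listing row is "<nickname><2+ spaces><ssl>,<smime>,<objsign>".
ROW_RE = re.compile(r"^(.+?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_listing(text):
    """Return {nickname: trust string}; header and blank lines do not match."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            nick = m.group(1).strip()
            if nick.startswith(TOKEN_PREFIX):
                nick = nick[len(TOKEN_PREFIX):]
            certs[nick] = m.group(2)
    return certs


def same_trust(a, b):
    """Compare per usage field, ignoring flag order inside a field."""
    return [set(f) for f in a.split(",")] == [set(f) for f in b.split(",")]


def mismatches(listing, inventory=INVENTORY, expected=EXPECTED):
    """List (nickname, wanted, actual) for every cert whose trust differs."""
    actual = parse_listing(listing)
    return [(n, expected[k], actual.get(n, "<missing>"))
            for n, k in inventory.items()
            if n not in actual or not same_trust(expected[k], actual[n])]


if __name__ == "__main__":
    for nick, want, got in mismatches(SAMPLE_LISTING):
        print(f"{nick}: wanted {want!r}, module reports {got!r}")
```

Running it against the rebuilt module after each regeneration shows whether the flags that reached the module are the ones that were requested.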