John Smith wrote:
> Hi All,
>
> I am trying to run NSS SSL sample program with a
> self signed test certificate. I modified the client program
> to initialize using NSS_NoDB_Init instead of NSS_Init.
> An error occurs on the client side when validating the
> certificate. The call to CERT_VerifyCertNow fails with
> error code -8156 (SEC_ERROR_CA_CERT_INVALID).
> Any idea what is wrong?

In order for a cert (chain) to be valid for use in SSL, the cert must either be issued by a trusted issuer (a trusted CA), or must itself be a trusted server cert. All trust information is stored in the cert db file, which your program isn't using since you called NSS_NoDB_Init. For it to work with a self-signed server cert, you'd need the cert in the cert DB, marked as a "trusted peer" for SSL.
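
One way to build the cert DB the reply describes, as an added example that is not part of the original message or of the NSS sample code. It uses the NSS `certutil` tool; the DB directory, the nickname `test-server` and the file name `server.crt` are assumed names for illustration.

```shell
#!/bin/sh
# Added example: give an NSS client a cert DB in which a self-signed
# server certificate is marked as a trusted peer for SSL.
# Assumed usage (names are placeholders):
#   make_client_db ./clientdb
#   trust_server_cert ./clientdb test-server server.crt
#   verify_as_ssl_server ./clientdb test-server

# Create an empty NSS database with no password in directory $1.
make_client_db() {
    mkdir -p "$1" && certutil -N -d "sql:$1" --empty-password
}

# Import PEM certificate $3 into DB $1 under nickname $2.
# Trust string "P,," means: trusted peer for SSL, and no trust
# for S/MIME or object signing. No CA trust is granted.
trust_server_cert() {
    certutil -A -d "sql:$1" -n "$2" -t "P,," -a -i "$3"
}

# Print the trust flags stored for nickname $2 (nickname without spaces).
ssl_trust_flags() {
    certutil -L -d "sql:$1" | awk -v n="$2" '$1 == n { print $NF }'
}

# Validate nickname $2 for SSL server usage against the trust in DB $1.
# Exit status is 0 only when the certificate is accepted.
verify_as_ssl_server() {
    certutil -V -d "sql:$1" -n "$2" -u V
}
```

The client then has to open this directory with NSS_Init rather than calling NSS_NoDB_Init, otherwise the stored trust is never consulted.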