Nelson, thank you for your fast response to this! My responses are inline:

> On Aug 6, 10:45 am, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> Gordon.Young wrote, On 2008-08-05 19:45:
>
> > I need help finding a document(s) to help me understand cross
> > certification and path building/chaining in the NSS world.
>
> The document you want probably doesn't exist. :-(
>
> > We are doing signing something like this:
> >
> > *Private root* > subordinate issuing CA > EE cert
> >
> > The private root is X-certified with the well distributed, publicly
> > trusted GTE CyberTrust Global Root. During SSL handshake we are
> > sending:
> >
> > X-certificate (signed by GTE) > issuing CA > EE cert
>
> That should work fine, assuming that the chain passes all the tests
> that RFC 3280 would apply to it.

Understood. We aspire to be a 3280 compliant CA and work hard to not use
features that do not comply. The interesting thing is that even though the
entire chain is passed during SSL handshake, Firefox does not find the
issuer of the "EE issuing CA's" certificate. On this test server we are
sending EE cert > issuing CA > cross certificate > GTE root. It looks like
there is an issue associating the issuing CA's certificate with its cross
certificate signed by GTE. This is where I get stuck; I'm not sure what
tools to use to prove this scenario. Any suggestions how to programmatically
debug, in addition to verifying 3280 compliance?

> > Sending the cross certificate seems to satisfy crypto APIs like MS
> > CAPI, Sun Java, OpenSSL, etc. I can't seem to find the right content
> > for the root/cross certificate to satisfy NSS, to "cross over" from
> > the chain supplied during handshake, and walk up to the pre-loaded GTE
> > root.
>
> What specific error codes do you experience when you try that chain
> with NSS?

Firefox 3.0.1 reports: sec_error_unknown_issuer

> Do you have a publicly accessible server that exhibits this?

I do not; we have an intranet-only site at this point. I can supply an
output from OpenSSL. Is there a more appropriate test tool with NSS? I'm not
sure I understand tstclnt or vfychain from the NSS unsupported tool set.

Thanks again!
~Gordon

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
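The following is an added example, not part of the thread: it rebuilds the topology Gordon describes (private root cross-certified by a public root, a subordinate issuing CA, an end-entity cert) as a throwaway PKI and uses openssl verify to show which handshake bundles chain up to which trust anchor. It only checks RFC 3280-style name chaining and AKI/SKI linkage with the OpenSSL verifier, so it does not model NSS path building; all names and keys are constructed, and "Public-Root" stands in for the GTE CyberTrust Global Root.

```shell
#!/bin/sh
# Constructed toy PKI mirroring the chain in the thread (not the poster's real certs).
set -e
cd "$(mktemp -d)"

genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
csr()    { openssl req -new -batch -key "$1" -subj "$2" -out "$3" 2>/dev/null; }

# CA profile: the AKI is derived from the signer's SKI, which is what ties the
# issuing CA to *either* form of the private root (same key => same SKI hash).
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >> ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ee.ext

# Self-signed public root (stand-in for the GTE CyberTrust Global Root)
genkey public.key; csr public.key /CN=Public-Root public.csr
openssl x509 -req -in public.csr -signkey public.key -days 3650 -extfile ca.ext -out public.pem 2>/dev/null

# Private root: self-signed form, and the cross-certificate issued by the public root
genkey private.key; csr private.key /CN=Private-Root private.csr
openssl x509 -req -in private.csr -signkey private.key -days 3650 -extfile ca.ext -out private-self.pem 2>/dev/null
openssl x509 -req -in private.csr -CA public.pem -CAkey public.key -CAcreateserial -days 3650 -extfile ca.ext -out cross.pem 2>/dev/null

# Subordinate issuing CA and end-entity cert, signed under the private root's key
genkey issuing.key; csr issuing.key /CN=Issuing-CA issuing.csr
openssl x509 -req -in issuing.csr -CA private-self.pem -CAkey private.key -CAcreateserial -days 3650 -extfile ca.ext -out issuing.pem 2>/dev/null
genkey ee.key; csr ee.key /CN=intranet.example ee.csr
openssl x509 -req -in ee.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial -days 365 -extfile ee.ext -out ee.pem 2>/dev/null

# chain_verifies TRUST_ANCHOR INTERMEDIATE...: does ee.pem build a path to the
# anchor when only the listed intermediates are supplied (the handshake bundle)?
chain_verifies() {
  anchor=$1; shift
  cat "$@" > bundle.pem
  openssl verify -CAfile "$anchor" -untrusted bundle.pem ee.pem >/dev/null 2>&1
}

# Bundle with the cross-certificate: chains to the public root
chain_verifies public.pem issuing.pem cross.pem && echo "with cross-cert: OK"
# Same bundle without it: the issuing CA's issuer is unknown to the public root
chain_verifies public.pem issuing.pem || echo "without cross-cert: unknown issuer"
# Relying parties that trust the private root directly need no cross-cert at all
chain_verifies private-self.pem issuing.pem && echo "private root: OK"
```

To inspect the linkage by hand, compare `openssl x509 -in issuing.pem -noout -issuer -ext authorityKeyIdentifier` with the subject and SKI of cross.pem and private-self.pem; the two root forms should agree on both.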