Gordon.Young wrote, On 2008-08-07 10:07: > the interesting thing is that even though the entire chain is passed > during SSL handshake, Firefox does not find the issuer of the "EE > issuing CA's" certificate. on this test server we are sending EE > Cert>Issuing CA>Cross certificate>GTE Root. > > It looks like there is an issue associating the issuing CA's > certificate with it's cross certificate signed by GTE. > > This is where I get stuck, I'm not sure what tools to use to prove > this scenario.
I wonder if you've run into bug 384459, overspecifying the AKID. So many CAs do it that we've finally decided to just ignore parts of the AKID. So, have a read of bug 384459. If that's the issue, then the fast path is for you to remove the issuer's issuer-name and serial number from the AKID in your "EE issuing CA" cert. The slow solution is to wait for new releases of browsers that ignore the overspecified AKID. If that's not the problem (e.g. your cert doesn't specify an issuer's issuer-name and serial number) then we'll have to have a look at the actual cert chain(s). _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
