Gordon.Young wrote, On 2008-08-07 10:07:

> The interesting thing is that even though the entire chain is passed
> during SSL handshake, Firefox does not find the issuer of the "EE
> issuing CA's" certificate. On this test server we are sending EE
> Cert>Issuing CA>Cross certificate>GTE Root.
> 
> It looks like there is an issue associating the issuing CA's
> certificate with its cross certificate signed by GTE.
> 
> This is where I get stuck, I'm not sure what tools to use to prove
> this scenario. 

I wonder if you've run into bug 384459, overspecifying the AKID.
So many CAs do it that we've finally decided to just ignore parts of
the AKID.  So, have a read of bug 384459.  If that's the issue, then
the fast path is for you to remove the issuer's issuer-name and serial
number from the AKID in your "EE issuing CA" cert.  The slow solution is
to wait for new releases of browsers that ignore the overspecified AKID.

If that's not the problem (e.g. your cert doesn't specify an issuer's
issuer-name and serial number) then we'll have to have a look at the
actual cert chain(s).
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
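
One way to check a certificate for the overspecified AKID discussed in the reply above (an added example, not part of the original message and not NSS code). It assumes the RFC 5280 layout of AuthorityKeyIdentifier, locates the extension by searching for its OID bytes (a heuristic), and runs on two constructed extension samples; the function names are hypothetical.

```python
# Added example: list the AuthorityKeyIdentifier (AKID) fields in DER bytes.
AKID_OID = bytes.fromhex("0603551d23")  # DER encoding of OID 2.5.29.35

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def akid_fields(der):
    """Return the set of AKID fields present, or None if no AKID is found."""
    at = der.find(AKID_OID)  # heuristic: first occurrence of the OID bytes
    if at < 0:
        return None
    tag, value, pos = read_tlv(der, at + len(AKID_OID))
    if tag == 0x01:  # optional BOOLEAN 'critical' precedes extnValue
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, seq, _ = read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected AuthorityKeyIdentifier SEQUENCE")
    names = {0x80: "keyIdentifier", 0xA1: "authorityCertIssuer",
             0x82: "authorityCertSerialNumber"}
    found, p = set(), 0
    while p < len(seq):
        tag, _, p = read_tlv(seq, p)
        found.add(names.get(tag, hex(tag)))
    return found

def is_overspecified(der):
    """True if the AKID names the issuer's issuer and/or serial number."""
    fields = akid_fields(der) or set()
    return bool(fields & {"authorityCertIssuer", "authorityCertSerialNumber"})

# Constructed samples (not from any real certificate): bare Extension elements.
KEYID_ONLY = bytes.fromhex("300f0603551d2304083006800401020304")
OVERSPECIFIED = bytes.fromhex(
    "30240603551d23041d301b800401020304"          # keyIdentifier
    "a110a40e300c310a30080603550403130158"        # authorityCertIssuer: CN=X
    "820105")                                     # authorityCertSerialNumber: 5

if __name__ == "__main__":
    for label, der in (("keyid-only", KEYID_ONLY), ("overspecified", OVERSPECIFIED)):
        print(label, sorted(akid_fields(der)), is_overspecified(der))
```

To check a real certificate, pass the DER-encoded bytes of the "EE issuing CA" certificate to is_overspecified().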
