On Aug 8, 7:06 pm, Nelson Bolyard <[EMAIL PROTECTED]>
wrote:
> Gordon.Young wrote, On 2008-08-07 10:07:
>
> > The interesting thing is that even though the entire chain is passed
> > during SSL handshake, Firefox does not find the issuer of the "EE
> > issuing CA's" certificate. On this test server we are sending EE
> > Cert>Issuing CA>Cross certificate>GTE Root.
>
> > It looks like there is an issue associating the issuing CA's
> > certificate with its cross certificate signed by GTE.
>
> > This is where I get stuck, I'm not sure what tools to use to prove
> > this scenario.
>
> I wonder if you've run into bug 384459, overspecifying the AKID.
> So many CAs do it that we've finally decided to just ignore parts of
> the AKID.  So, have a read of bug 384459.  If that's the issue, then
> the fast path is for you to remove the issuer's issuer-name and serial
> number from the AKID in your "EE issuing CA" cert.  The slow solution is
> to wait for new releases of browsers that ignore the overspecified AKID.
>
> If that's not the problem (e.g. your cert doesn't specify an issuer's
> issuer-name and serial number) then we'll have to have a look at the
> actual cert chain(s).

Thank you Nelson, I will review the bug and compare with my config.

Thank you again!

Gordon
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
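
Added example, not part of the original messages and not NSS code: a standard-library Python decoder for the AKID extension value that flags an overspecified AKID and shows why the issuer-name and serial fields stop a cross certificate from matching. The `matches` function is a simplified model of issuer lookup, and all names, key IDs and serial numbers are constructed sample data.

```python
# Added example: stdlib-only decoder for the AKID extension value (RFC 5280).
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_akid(der):
    """SEQUENCE { [0] keyIdentifier, [1] authorityCertIssuer, [2] serial }"""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AKID must be one DER SEQUENCE")
    akid, pos = {"keyid": None, "issuer": None, "serial": None}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x80:
            akid["keyid"] = val
        elif tag == 0xA1:  # GeneralNames; keep the first directoryName [4]
            t, name_der, _ = read_tlv(val, 0)
            akid["issuer"] = name_der if t == 0xA4 else val
        elif tag == 0x82:
            akid["serial"] = int.from_bytes(val, "big", signed=True)
    return akid

def overspecified(akid):
    return akid["issuer"] is not None or akid["serial"] is not None

def matches(akid, cand, keyid_only=False):
    """Simplified model of issuer lookup; cand = (skid, issuer Name DER, serial)."""
    skid, issuer, serial = cand
    if akid["keyid"] is not None and akid["keyid"] != skid:
        return False
    if keyid_only or not overspecified(akid):
        return True
    return akid["issuer"] == issuer and akid["serial"] == serial

# Constructed sample data (short-form lengths only), not taken from the thread.
def tlv(tag, val):
    return bytes([tag, len(val)]) + val

def name(cn):  # Name with a single commonName (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, cn.encode()))))

KEYID = bytes(range(20))
SELF_SIGNED = (KEYID, name("Constructed Private Root"), 1)    # parent CA's original cert
CROSS_CERT = (KEYID, name("Constructed Public Root"), 0x1234)  # same key, cross-signed
AKID = parse_akid(tlv(0x30, tlv(0x80, KEYID)
                  + tlv(0xA1, tlv(0xA4, name("Constructed Private Root")))
                  + tlv(0x82, b"\x01")))
```

With strict matching the overspecified AKID selects only `SELF_SIGNED`; `CROSS_CERT` carries the same key identifier but is accepted only when the issuer-name and serial fields are ignored or absent.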
