Matthews, Tim R wrote, On 2008-10-06 05:50:

>> Now, about that diagnostic step, please try the following series of certutil
>> commands using the same cert DB that you used in your original
>
> trmatthe@:~/working$ certutil -d . -M -t ",," -n client
> trmatthe@:~/working$ certutil -d . -M -t "C,," -n centralCT
> trmatthe@:~/working$ certutil -d . -V -e -u V -n client
> certutil: certificate is valid
>
> Erk! So clearly from an SSL perspective the CA cert is valid and the
> trust flags are OK.

Yup.

> Sooo, it's not looking (to me) to be a trust issue. It's as if Remedy is
> unwilling to use trust hierarchies and is expecting individual SSL server
> certs.
>
> Have I missed something or is this looking like a Remedy SSL bug?

More questions:

- Does Remedy give you ANY error messages about what went wrong? Does it
  perhaps display a negative error code number in decimal or hexadecimal?
  In the absence of an error code, we can only guess about what might be
  going wrong.

We know that the server cert and CA cert pass NSS's basic validity tests
for use as an SSL server cert chain. So, what else might be wrong? Some
ideas include:

- wrong host name requested. Remedy has told NSS to look for a host name
  that is not present in the server certificate. If the server cert
  contains an FQDN, then Remedy must ask NSS to check for that entire FQDN.
  If the cert has a Subject Alt Name extension, then Remedy MUST ask NSS
  for a host name that is in the Subject Alt Name extension. NSS ignores
  the cert's subject CN= attribute when a Subject Alt Name extension is
  present, per RFC 2818.

- wrong certificate usage requested. There's obviously some confusion
  coming from somewhere about clients and servers. Does that confusion
  originate in Remedy documentation? If so, maybe Remedy is asking NSS to
  test the server's cert to see if it is valid as a client cert, rather
  than as a server cert.

- wrong cert DB in use. Maybe Remedy is not using the cert DB that you
  think it is. If Remedy is using a cert DB with that CA cert present,
  with the trust flags set as you set them (at my suggestion), then that
  server cert should validate. Set up a cert DB with that CA cert present
  and trusted as I suggested, and try Remedy with that cert DB. It might
  work.

> Thanks once again for all your help with this. I'd been going slowly mad!

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
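An added illustration of the "wrong host name requested" point above (not code from this thread or from NSS): the RFC 2818 rule that a Subject Alt Name extension, when present, replaces the subject CN for host name matching, applied to constructed certificate summaries so a reader can see why a cert that passes certutil -V can still be rejected for a particular requested name. The cert dicts, `hostname_matches` and `explain` are hypothetical names used only here.

```python
"""RFC 2818 section 3.1 host name matching on constructed cert summaries.
This is an added illustration of the rule, not NSS's implementation."""


def _name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented DNS name with the requested host name,
    case-insensitively; '*' is honoured only as the whole leftmost label."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if presented == hostname:
        return True
    p_labels, h_labels = presented.split("."), hostname.split(".")
    # Wildcard must be the entire first label, cover the same number of
    # labels, and leave at least two fixed labels (no "*.com").
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """cert is a constructed summary: {"cn": str | None, "san_dns": [str, ...]}.
    With any dNSName entries in the SAN extension, only those are consulted
    and the CN is ignored; without a SAN, the CN is the fallback."""
    san_dns = cert.get("san_dns") or []
    if san_dns:
        return any(_name_matches(name, hostname) for name in san_dns)
    cn = cert.get("cn")
    return bool(cn) and _name_matches(cn, hostname)


def explain(cert: dict, hostname: str) -> str:
    """Return a one-line diagnosis of why a requested name does or does
    not match, the detail an application's error message usually omits."""
    if hostname_matches(cert, hostname):
        return "ok"
    san_dns = cert.get("san_dns") or []
    if san_dns:
        return (f"{hostname!r} not in SAN dNSNames {san_dns}; "
                f"CN {cert.get('cn')!r} is ignored because a SAN is present")
    return f"no SAN; CN {cert.get('cn')!r} does not match {hostname!r}"


if __name__ == "__main__":
    # Constructed example: CN names the host, but the SAN does not.
    trap = {"cn": "remedy.example.com", "san_dns": ["ar-srv.example.com"]}
    print(explain(trap, "remedy.example.com"))
    print(explain(trap, "ar-srv.example.com"))
```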