Eddy Nigg wrote:
>> The incomplete chain downloaded into Firefox is the problem that must be
>> fixed. It's the most crucial. I don't know if it's entirely an issue
>> in the CA (:-) or also partially in Firefox.
>>
>
> Unfortunately Firefox DOES NOT include the chain in the PKCS12 file even
> if the complete chain is present in the browser.

That's not true - neither from my experience with Firefox nor from
looking at the code: nsPKCS12Blob::ExportToFile calls
SEC_PKCS12AddCertAndKey:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsPKCS12Blob.cpp&rev=1.49&mark=445-449#440

and SEC_PKCS12AddCertAndKey *does* add the chain (if it's available in
the DB, of course):

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pkcs12/p12e.c&rev=1.20&mark=1404-1415#1400

Kaspar
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto