Rob Stradling wrote, On 2009-05-27 01:35: > Frank, Nelson, just in case it's useful... > I recall that GlobalSign recently refreshed their "GlobalSign Root CA": > https://bugzilla.mozilla.org/show_bug.cgi?id=406794 > > When the new GlobalSign Root CA certificate (which expires in 2028) was added > to NSS, the old certificate (which expires in 2014) was *removed*: > https://bug449883.bugzilla.mozilla.org/attachment.cgi?id=333011
Right. That was a case where the new cert met NSS's definition of "newer". It had the same notBefore date/time, and a newer/later notAfter date/time. There was no need to retain the old cert, because NSS would pick the new cert in every case where it must choose between the two. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
