On 2010-04-18 01:49 PST, Nelson B Bolyard wrote:
> On 2010-03-15 05:25 PST, Rafa M wrote:
>> Hi all,
>>
>> I'm testing some SSL sites in order to check SSL cert chains up to new 
>> root certificate from FNMT-RCM (Spanish Mint).
>>
>> I've tried to connect to several official sites
>> (https://www.agenciatributaria.gob.es https://sedemeh.gob.es/) and I got 
>> this response: Error code: sec_error_bad_database.
> 
> OK, here's the story.

Here's another issue.
The RDNs in all those names are exactly backwards.
They're encoded in the certificate in the wrong order.
In the certificate the RDNs appear in this order:
  CN
  OU
  O
  C

Which is from most specific to most general, but that's exactly the opposite
of the right order for RDNs in a certificate.
The RDNs should be encoded from most general to most specific.
They should appear in the DER encoded certificate in this order:
  C
  O
  OU
  CN
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
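
The ordering check described in the message above, as an added example that is not part of the original post and is not NSS code: a small DER reader that lists the attribute types of a Name in encoded order and tests whether they run from most general to most specific. The sample Names and all function names are constructed for illustration.

```python
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
        "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}   # id-at 2.5.4.{6,10,11,3}
NAMES = {oid: short for short, oid in OIDS.items()}
RANK = {"C": 0, "O": 1, "OU": 2, "CN": 3}               # most general -> most specific

def tlv(tag, value):
    """Encode one DER TLV; short-form length only, enough for the samples below."""
    return bytes([tag, len(value)]) + value

def build_name(pairs):
    """Build a Name: SEQUENCE of SET of SEQUENCE { OID, PrintableString }."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, OIDS[k]) + tlv(0x13, v.encode())))
        for k, v in pairs))

def read_tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf (short or long-form length)."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                     # long form: low bits = length size
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def rdn_order(name_der):
    """Attribute types in the order their RDNs are encoded in the Name."""
    (tag, rdns), = read_tlvs(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    order = []
    for _, rdn in read_tlvs(rdns):            # each RDN is a SET
        for _, atv in read_tlvs(rdn):         # of AttributeTypeAndValue
            _, oid = next(read_tlvs(atv))     # first element is the type OID
            order.append(NAMES.get(oid, oid.hex()))
    return order

def general_to_specific(order):
    """True when the known attribute types run C, O, OU, CN."""
    ranks = [RANK[a] for a in order if a in RANK]
    return ranks == sorted(ranks)

# Constructed sample values, not taken from the certificates discussed.
SAMPLE = [("C", "ES"), ("O", "Example Org"), ("OU", "Example Unit"), ("CN", "example.test")]
GOOD, BAD = build_name(SAMPLE), build_name(SAMPLE[::-1])
```

`rdn_order(BAD)` reproduces the CN, OU, O, C order reported in the message, and `general_to_specific` rejects it while accepting `GOOD`.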
