Hi,

> The server using their own CA
> is in the certificate generation process, I wonder is it related to two-way
> SSL or something?

If they use the web based solution to enroll certificates from the CA, which is quite widely used, then why not distribute the CA public certificate by the same page to import it into browsers before the enrollment process (done once only).

From the development point of view this can be done with a simple servlet returning the serialized encoded X509Certificate (of the CA) in a response stream. For the Firefox case, when the content type of "application/x-x509-ca-cert" is set then the import starts automatically, showing the FF dialog box for confirmation and trust settings. Short user help in a few steps on the same page should do to deal with the process, which is definitely less complicated than enrollment.

A good practice is also to protect such a page with Extended Validation SSL from some authority like:
http://www.verisign.com/ssl/ssl-information-center/extended-validation-ssl-certificates/

Greetings,
Waldek

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
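
The servlet described in the message above, sketched as an added example (not code from the original post or from any Mozilla project). The class name, the `/WEB-INF/ca-cert.pem` resource path and the `javax.servlet` API namespace are assumptions. It refuses to start unless the file is a currently valid CA certificate, and logs the SHA-256 fingerprint so it can be published on the help page for comparison in the import dialog.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CaCertServlet extends HttpServlet {
    // Assumed location of the CA certificate (PEM or DER) inside the web application.
    private static final String CA_RESOURCE = "/WEB-INF/ca-cert.pem";
    private byte[] caDer; // DER encoding of the CA certificate, loaded once at start-up

    @Override
    public void init() throws ServletException {
        try (InputStream in = getServletContext().getResourceAsStream(CA_RESOURCE)) {
            if (in == null) throw new ServletException("missing " + CA_RESOURCE);
            X509Certificate ca = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            ca.checkValidity();               // reject expired or not-yet-valid certificates
            if (ca.getBasicConstraints() < 0) // -1 means the certificate is not a CA
                throw new ServletException("not a CA certificate: "
                        + ca.getSubjectX500Principal());
            caDer = ca.getEncoded();
            // Build the fingerprint the operator publishes for out-of-band comparison.
            StringBuilder fp = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(caDer))
                fp.append(String.format("%02X:", b));
            fp.setLength(fp.length() - 1);    // drop the trailing ':'
            log("Serving CA " + ca.getSubjectX500Principal() + " SHA-256 " + fp);
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load CA certificate", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // This content type is what starts the Firefox CA import dialog.
        resp.setContentType("application/x-x509-ca-cert");
        resp.setContentLength(caDer.length);
        resp.getOutputStream().write(caDer);
    }
}
```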