On 23.11.18 12:58, Martin Büchler wrote:
> That is exactly what I am looking for: Where are the certificate requirements
> specified other than in TB source code? I then would like to instruct our PKI
> to add/change missing extensions, fields, or anticipated X500 name formats.

I agree it would be useful to have this kind of documentation, like a wiki page.

In your case, your certificate is apparently missing the "Certificate Basic Constraints" extension, which makes it clear if a certificate is a CA, or not a CA.

Could you try adding it? (With CA: false)

I think NSS is unwilling to accept certificates without that statement, as in the past a missing extension was used to trick software into assuming a certificate could be used as a CA.

BTW, you aren't subscribed to this list, which causes your messages to get stuck in the moderation queue, until someone reviews that queue. I didn't see your message until today.

Kai
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
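
A way to check a certificate for the Basic Constraints extension discussed in the message above, as an added example that is not part of the original thread and is not NSS code. The function names and the unsigned sample certificate skeletons are constructed for illustration; the check reports only whether the extension is present, its critical flag and its cA value, and does not model NSS validation.

```python
# Added example: standard library only; handles single-byte DER tags.
BASIC_CONSTRAINTS = bytes([0x55, 0x1D, 0x13])   # OID 2.5.29.19

def tlvs(data):
    """Yield (tag, value) for each DER element in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def basic_constraints(cert_der):
    """Return None if the extension is absent, else (critical, is_ca)."""
    _, cert = next(tlvs(cert_der))              # Certificate
    _, tbs = next(tlvs(cert))                   # tbsCertificate
    for tag, value in tlvs(tbs):
        if tag == 0xA3:                         # [3] EXPLICIT Extensions
            _, ext_list = next(tlvs(value))
            for _, ext in tlvs(ext_list):
                fields = list(tlvs(ext))        # OID, [critical], extnValue
                if fields[0][1] == BASIC_CONSTRAINTS:
                    critical = len(fields) == 3 and fields[1][1] != b"\x00"
                    _, bc = next(tlvs(fields[-1][1]))  # SEQUENCE in OCTET STRING
                    # DER omits DEFAULT values, so CA:FALSE is an empty SEQUENCE.
                    is_ca = any(t == 0x01 and v != b"\x00" for t, v in tlvs(bc))
                    return critical, is_ca
    return None

def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body       # short form; samples are < 128 bytes

def sample_cert(*extensions):
    """Constructed, unsigned skeleton with X.509 layout (not a real certificate)."""
    empty = der(0x30)                           # placeholder for names, validity, keys
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              *([empty] * 5), der(0xA3, der(0x30, *extensions)))
    return der(0x30, tbs, empty, der(0x03, b"\x00"))

# Constructed sample extensions: keyUsage (2.5.29.15) and two Basic Constraints forms.
key_usage = der(0x30, der(0x06, b"\x55\x1d\x0f"), der(0x04, der(0x03, b"\x05\xa0")))
bc_false = der(0x30, der(0x06, BASIC_CONSTRAINTS), der(0x04, der(0x30)))
bc_true = der(0x30, der(0x06, BASIC_CONSTRAINTS), der(0x01, b"\xff"),
              der(0x04, der(0x30, der(0x01, b"\xff"))))
```

`basic_constraints(sample_cert(key_usage))` returns `None`, the case described in the message, while a certificate carrying the extension with CA:FALSE returns `(False, False)`.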