Actually there were some things I got done myself...

Christian Schulte wrote:

> Hi!
>
> I'm having some problems with using certificates in Mozilla and now just
> wanted to post my problems here to see what I'm doing wrong, or if
> Mozilla's certificate management does not work correctly!
>
> 1.
>
> I attached my own CA root certificate to this posting which I want to
> use for securing our companies' mail system. The problem is that Mozilla
> however does not recognize it as a CA certificate although it contains
> all Netscape extensions I found. What is wrong about this certificate?
> Why does Mozilla not recognize it as a CA? Shouldn't Mozilla recognize
> it as a CA certificate and store it, if confirmed to do so, under the
> section with the trusted CA certificates in the certificate manager?

Mozilla does not automatically ask to store the CA certificate and thus will not store it. If one adds a MIME type like application/x-x509-ca-cert to the file extension, e.g. cacert, Mozilla does import the CA after using File->Open file... But: if certificates signed by that CA were stored permanently before, Mozilla then says that the CA certificate is already installed, but that is not true! If you then delete all stored certificates under the tab "Web sites" which were stored earlier, the import works as it is supposed to.

> 2.
>
> There is no possibility to view the details of the CA certificate after
> storing a certificate signed by it!
> E.g.: when I connect to a site with https which has a certificate signed
> with my CA certificate, Mozilla says that the certificate was signed by
> a CA which Mozilla does not know about. This is correct! Now I can click
> on "view certificate" and then under the details of the certificate I
> can also view the details of the CA certificate which gets delivered by
> the web server! If I now check the checkbox to store the certificate
> permanently, it gets stored under the section "Web sites". There I can
> view the details of the certificate again, but if I click on "edit" and
> in the appearing dialog box on "Edit CA trust", Mozilla says that the
> certificate for the CA was not found (because it was not stored with the
> certificate). So why wasn't the CA certificate stored? Another thing
> which I do not understand is why Mozilla does not complain about an
> unknown CA when connecting again after storing the certificate although
> the CA was not stored! So if I once marked a certificate as trusted, it
> does not matter if the CA is known or not?

That all depends on the same fact stated before. The CA certificate does not get stored, but somehow Mozilla "thinks" it is stored. After deleting all certificates and then doing the CA import as stated before, it worked!

> 3.
>
> In the certificate manager, when viewing a pre-installed CA certificate
> there is the sentence "This certificate has been verified for the
> following uses:" with the verified uses!
> When viewing my CA certificate there just is nothing, only the sentence
> without any uses! Why?

And that also worked after importing the CA certificate!

> 4.
>
> Mozilla does not recognize the version 3 extensions subjectAltName and
> issuerAltName! This would really be a feature to implement because one
> could use a single certificate for more than one website! So please
> implement the version 3 extensions (correctly)!

That should be done! So there really is the issue with not storing the CA certificate correctly if asked to store a server certificate signed by it! If I check the checkbox to store an untrusted certificate permanently, there should be a dialog asking me if I also want to store the CA certificate with which the server's certificate was signed.
