Just to keep this thread alive (well sort of), I'm updating with my 
current status on this issue.

Robert Relyea wrote:

> My guess is the certificate in question is a secondary CA signed by a 
> primary. The problem is that gtoc.iss.net is probably misconfigured. 
> It should send the secondary certificate with its server certificate. 
> Their misconfiguration is masked on IE because IE throws every CA 
> cert it finds into its permanent certificate store. 

Correct on the first, wrong on the second.

IE stores not only the root certificates, but also all intermediate 
certificates, hence it is successful in putting together the certificate 
chain.

And actually as far as the size of those go, a collection of root 
certificates is much, much bigger than the one with the intermediate 
certificates, so the bloat theory doesn't quite hold water.

The Trusted CA Store from IE has 114 entries, all self-signed; the 
intermediate CA store has 12 entries.

>
>
> Daniel Kluge wrote:
>
>> Hello there,
>> I was just visiting https://gtoc.iss.net/, which gives me an 'Unknown 
>> Certificate Signer' or so error.
>>
>> Turns out that the site's SSL Certificate is signed by a Verisign CA 
>> Certificate that is not known to Mozilla. The Certificate in question 
>> is "OU = VeriSign International Server CA - Class 3".
>>
>> Now I said, 'appears' above, since I've run into several problems:
>>
>> 1. The Mozilla Certificate Manager doesn't seem to allow you to 
>> export certificates, IE does.
>> 2. The certs are stored in an undocumented proprietary format (certs7.db)
>> 3. For the above database, I didn't find the utility (certutil), and I 
>> don't have the time to configure and build NSS/NSPR/world, so I have 
>> my own copy of certutil.
>
>
> Since the operation you are asking for is 'import', I presume you 
> meant import in '1.' above. I also presume you mean only of CA 
> certificates, since you can clearly import/export user certificates 
> from the 'my certs' tab. 

Nope, I wanted to export the certificates, to have a look at them...

>
>
> To import Certs in mozilla, you simply need to 'read' them as a mime 
> message. I believe mozilla maps files with the extensions 'cacert' and 
> 'cert' to the correct MIME types.
>
> You can also download certutil from one of the NSS releases at 
> ftp://ftp.mozilla.org/pub/security/nss/releases . Certutil will allow 
> you to import or export any certificate from your cert database.

I sort of tried that, after downloading a huge NSS release, and then 
finding a sort of matching NSPR release, I got some nice coredumps from 
certutil....


>
> If my above theory is correct you will not have to add any trust 
> values to the cert, simply importing the cert should be sufficient.


I'll try to do that, as soon as I get my preference panel back; 
Mozilla1.0RC2 & Netscape7PR1 do not play very nice at the moment...

>
>>
>> Of course to make matters more interesting, I have not yet been able 
>> to find the cert in question on Verisign's Web-Site, they are quite 
>> good at hiding the useful information. I just found a PDF file which 
>> lists the Cert in question...
>>
>> I could extract the certificate from my dump of IE's certificate 
>> (PKCS#7 format), but what do I do then with it? To import it I'd need 
>> certutil again...
>
>
> try naming it verisign3.cacert and opening it using 'open file'.
>
See above, as soon as I get my preference back.

Cheers,
-daniel
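As an added illustration (not part of this thread, and not Mozilla or VeriSign code), the chain-building difference discussed above modelled in Python with the `cryptography` library on a constructed three-tier test PKI: the same server certificate verifies when the server presents the intermediate or the client has it cached locally (the IE case), and fails against a roots-only store when the server omits it (the Mozilla case). All names ("Test Root CA", "gtoc.example") are constructed placeholders.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, issuer_cert, issuer_key, is_ca):
    """Issue a cert for CN=cn in the constructed test PKI; issuer_cert=None means self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    signer = key if issuer_cert is None else issuer_key
    now = datetime.datetime.utcnow()
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return cert, key

def signed_by(cert, issuer):
    """True if the issuer name matches and the issuer's key verifies cert's signature."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return cert.issuer == issuer.subject
    except Exception:  # InvalidSignature, or a key that cannot verify this signature
        return False

def build_chain(leaf, presented, trusted_roots, cached_intermediates=()):
    """Walk leaf -> ... -> trusted root using only presented + locally cached certs; None if no path."""
    candidates = list(presented) + list(cached_intermediates)
    chain, current = [leaf], leaf
    while True:
        roots = [r for r in trusted_roots if signed_by(current, r)]
        if roots:
            return [c.subject.rfc4514_string() for c in chain + [roots[0]]]
        nxt = [c for c in candidates if signed_by(current, c)]
        if not nxt or len(chain) > 8:  # dead end (missing intermediate) or runaway loop
            return None
        current = nxt[0]
        chain.append(current)

def demo():
    """Constructed PKI: root -> intermediate -> server leaf, mirroring the thread's situation."""
    root, root_key = make_cert("Test Root CA", None, None, True)
    inter, inter_key = make_cert("Test Intermediate CA", root, root_key, True)
    leaf, _ = make_cert("gtoc.example", inter, inter_key, False)
    return {"proper": build_chain(leaf, [inter], [root]),          # server sends the intermediate
            "misconfigured": build_chain(leaf, [], [root]),        # omitted, roots-only store: fails
            "cached": build_chain(leaf, [], [root], [inter])}      # omitted, but cached locally: succeeds
```

The "misconfigured" case is what a client with only roots in its store sees; the "cached" case is why a browser that keeps every intermediate it has ever seen hides the server's misconfiguration.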