"JL [echMotor#060]" <[EMAIL PROTECTED]> wrote: > We have some certificates issued by a CA in X509 format. We can install them > using IE without problems. Nevertheless, if we try to install them in > Netscape we are not able to do it. We don't receive any error but the > certificates are not installed. > > Do you know any X.509 extensions or other needed issues to install them > properly in Netscape? Any idea?
and later wrote: > It doesn't matter which version of netscape we use because we only can > install this certificate in IE and not in Netscape :-( I have tried with > 4.0.6, 4.7, 7.0 and with mozilla. > > You can find attached the certificate and the CA certificate that we cannot > install. > Name: 86536977Y.cer > 86536977Y.cer Type: Security Certificate (application/x-x509-ca-cert) > Encoding: x-uuencode > > Name: NCIPHER.ca.cer > NCIPHER.ca.cer Type: Security Certificate (application/x-x509-ca-cert) > Encoding: x-uuencode I had no trouble with the NCIPHER.ca.cer file, but I could not install the 86536977Y.cer because NSS (the crypto library in mozilla) believes that cert file has an invalid ASN.1 DER encoding. The reason for that error is that the validity timestamps in that certificate are encoded as ASN.1 GeneralizedTime, not as ASN.1 UTCTime. NSS expects certificate validity times to be encoded as UTCTimes. RFC 3280 says, on page 22, section 4.1.2.5 Validity: CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime. Since your certificate features validity dates in the range: 2003-05-26 through 2005-05-26 the dates in your cert should be UTCTimes, not GeneralizedTimes. -- Nelson B
