All right :-) Thank you very much, JL
"Nelson B" <[EMAIL PROTECTED]> escribi� en el mensaje news:[EMAIL PROTECTED] > "JL [echMotor#060]" <[EMAIL PROTECTED]> wrote: > > > We have some certificates issued by a CA in X509 format. We can install them > > using IE without problems. Nevertheless, if we try to install them in > > Netscape we are not able to do it. We don't receive any error but the > > certificates are not installed. > > > > Do you know any X.509 extensions or other needed issues to install them > > properly in Netscape? Any idea? > > and later wrote: > > > It doesn't matter which version of netscape we use because we only can > > install this certificate in IE and not in Netscape :-( I have tried with > > 4.0.6, 4.7, 7.0 and with mozilla. > > > > You can find attached the certificate and the CA certificate that we cannot > > install. > > > Name: 86536977Y.cer > > 86536977Y.cer Type: Security Certificate (application/x-x509-ca-cert) > > Encoding: x-uuencode > > > > Name: NCIPHER.ca.cer > > NCIPHER.ca.cer Type: Security Certificate (application/x-x509-ca-cert) > > Encoding: x-uuencode > > I had no trouble with the NCIPHER.ca.cer file, but I could not install > the 86536977Y.cer because NSS (the crypto library in mozilla) believes > that cert file has an invalid ASN.1 DER encoding. The reason for that > error is that the validity timestamps in that certificate are encoded > as ASN.1 GeneralizedTime, not as ASN.1 UTCTime. NSS expects certificate > validity times to be encoded as UTCTimes. > > RFC 3280 says, on page 22, section 4.1.2.5 Validity: > > CAs conforming to this profile MUST always encode certificate > validity dates through the year 2049 as UTCTime; certificate validity > dates in 2050 or later MUST be encoded as GeneralizedTime. > > Since your certificate features validity dates in the range: > 2003-05-26 through 2005-05-26 > the dates in your cert should be UTCTimes, not GeneralizedTimes. > > > -- > Nelson B
