Hi all, I have a problem with trusting SSL server certificates which I issue inside my own PKI. This PKI is designed like this:

- self-signed root certificate, called ROOT
- CA1 for signing SSL server certificates; this one is signed by ROOT

To create this structure I am using certutil from NSS 3.9. All is done under Windows using this bat file:

------------------------------------------------------------------
echo *** Create new database
REM -N creates a new cert/key database in .\Certificates; -f reads the DB password from passfile
certutil -N -d Certificates -f passfile

echo *** Create the main root certificate authority
REM -x makes the cert self-signed; -t "CTu,CTu,CTu" marks it a trusted CA for SSL, e-mail and object signing
certutil -S -n ROOT -d Certificates -x -t "CTu,CTu,CTu" -s "CN=ROOT, O=Organization" -m 8361371 -v 24 -f passfile
REM -V -u S validates the cert for the SSL server usage
certutil -V -n ROOT -d Certificates -u S -f passfile
if errorlevel 1 goto done
certutil -L -n ROOT -d Certificates -r > Certificates\RootCA.crt
if errorlevel 1 goto done

echo *** Create the CA1 certificate authority/signer
REM -c ROOT signs CA1 with the ROOT key; -1 adds the key usage extension, with the answers read from gencertinput
certutil -S -n CA1 -d Certificates -c ROOT -t "CTu,CTu,CTu" -s "CN=CA1, O=Organization" -m 6176871 -v 24 -f passfile -1 < gencertinput
certutil -V -n CA1 -d Certificates -u S -f passfile
if errorlevel 1 goto done
certutil -L -n CA1 -d Certificates -r > Certificates\CA1.crt
if errorlevel 1 goto done

echo *** Export pk12 files
pk12util -o Certificates\RootCA.p12 -n ROOT -d Certificates -k passfile -W rootpass -v
pk12util -o Certificates\CA1.p12 -n CA1 -d Certificates -k passfile -W CApass -v

REM target of the "goto done" checks above
:done
------------------------------------------------------------------

To sum up: I create an empty DB, then the self-signed cert and finally the CA1 signed by the root. I export both with pk12util as p12 modules with private key. I import the *.crt files into Firefox with CT,C,C trust flags (trusted CA) for both of them on all clients/servers I work with, also using certutil over the profile's secure database. Then I sign a new SSL SERVER certificate with CA1 to use it for SSL connections, also using certutil. I set it up on my server under Firefox, which is designed close to the SSLsample from the nss module.
Then I connect to this server and call SSL_AuthCertificate(CERT_GetDefaultCertDB(), socket, checksig, isServer) as the first function from my own authentication hook. The function fails and PORT_GetError returns -8179 (SEC_ERROR_UNKNOWN_ISSUER). I traced the code and compared it with the authentication of an HTTPS server (exactly https://bugzilla.mozilla.org). The only difference is in the internal function nssCertificateStore_FindCertificatesBySubject (pkistore.c(375)), where the lookup for the issuer certificate by its subject is done. For the bugzilla HTTPS server certificate the issuer certificate is found, but my CA1 for my own server certificate is not found. When I check the certificate of the server I see the path displayed properly. I use the Tools/Options/Advanced/View certificates dialog box to do that. I would like to ask you why my issuer cert is not found on the client side? I tried to sign the server's certificate with the ROOT certificate and in that case all works as expected...

Thank you very much for your advice.

Honza B.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
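The lookup named in the post, nssCertificateStore_FindCertificatesBySubject, matches the issuer against the DER-encoded subject, so one quick client-side check is whether the server certificate's issuer field is byte-identical to CA1's subject field. The following is an added example, not code from the original post or from NSS: it walks just enough DER (standard library only) to pull out the two Name fields, and runs on constructed skeleton certificates to show one mismatch that would make such a lookup miss, the same CN encoded once as PrintableString and once as UTF8String.

```python
# Added diagnostic (not from the original post): a subject lookup that compares the
# DER-encoded Name only matches when the leaf's issuer equals the CA's subject byte for byte.
# Standard library only; the certificates below are constructed skeletons, not real ones.

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def tbs_names(cert_der):
    """Return (issuer_der, subject_der) slices from a DER Certificate."""
    _, start, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, off, _ = read_tlv(cert_der, start)     # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert_der, off)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        off = end
    _, _, off = read_tlv(cert_der, off)       # serialNumber INTEGER
    _, _, off = read_tlv(cert_der, off)       # signature AlgorithmIdentifier
    _, _, iss_end = read_tlv(cert_der, off)   # issuer Name
    issuer = cert_der[off:iss_end]
    _, _, off = read_tlv(cert_der, iss_end)   # validity SEQUENCE
    _, _, sub_end = read_tlv(cert_der, off)   # subject Name
    return issuer, cert_der[off:sub_end]

def issuer_matches_ca(leaf_der, ca_der):
    # True only when the leaf's issuer Name is byte-identical to the CA's subject Name
    return tbs_names(leaf_der)[0] == tbs_names(ca_der)[1]

# --- constructed sample data: minimal DER builders for the skeleton certificates ---
def der(tag, content):
    assert len(content) < 128                 # short-form length is enough here
    return bytes([tag, len(content)]) + content

def name(cn, string_tag):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { id-at-commonName (2.5.4.3), value }"""
    atv = der(0x30, der(0x06, bytes.fromhex("550403")) + der(string_tag, cn))
    return der(0x30, der(0x31, atv))

def skeleton_cert(issuer, subject):
    # serial, empty AlgorithmIdentifier, issuer, empty Validity, subject; no signature
    tbs = der(0x02, b"\x01") + der(0x30, b"") + issuer + der(0x30, b"") + subject
    return der(0x30, der(0x30, tbs))

PRINTABLE, UTF8 = 0x13, 0x0C
ca_cert = skeleton_cert(name(b"ROOT", PRINTABLE), name(b"CA1", PRINTABLE))
good_leaf = skeleton_cert(name(b"CA1", PRINTABLE), name(b"server", PRINTABLE))
bad_leaf = skeleton_cert(name(b"CA1", UTF8), name(b"server", PRINTABLE))  # same text, other string type
```

To run this against the real certificates, feed tbs_names the DER bytes written by certutil -L ... -r (as in the bat file above) for the server certificate and for CA1.crt.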
