honzab wrote:
> Hi all,
> 
> I have a problem with trusting SSL server certificates which I issue
> inside my own PKI. This PKI is designed like this:
> 
> self-signed root certificate, called ROOT
> CA1 for signing SSL server certificates, this one is signed by ROOT
> 
> To create this structure I am using certutil from NSS 3.9. All is done
> under Windows using this bat file:
> 
> ------------------------------------------------------------------
> echo  *** Create new database
> certutil -N -d Certificates -f passfile
> 
> 
> echo  *** Create the main root certificate authority
> certutil -S -n ROOT -d Certificates -x -t "CTu,CTu,CTu" -s "CN=ROOT,
> O=Organization" -m 8361371 -v 24 -f passfile

> echo  *** Create the CA1 certificate authority/signer
> certutil -S -n CA1 -d Certificates -c ROOT -t "CTu,CTu,CTu" -s "CN=CA1,
> O=Organization" -m 6176871 -v 24 -f passfile -1 < gencertinput

You need to use the -2 option in *all* CA certs, root and intermediate.
That option creates a cert extension that marks the cert as a CA cert.
Otherwise, the certs are not marked as CA certs, and will not be used as
CAs.  Root CA certs can get away without being marked as CA certs, but
intermediate CA certs such as your CA1 cert must be marked as CA
certs or they will be treated as non-CA (so-called "End Entity"
or "EE") certs.

Also, the CA1 cert should have no trust, e.g. -t "" .  It should inherit
its trust from the issuer (Root).  Likewise for the server cert.

> function fails and PORT_GetError returns -8179
> (SEC_ERROR_UNKNOWN_ISSUER).

Most likely, Mozilla went looking for a CA cert with the subject name
given as the issuer name in the server certificate, and did not find
a CA cert with that subject name.  It did not find your CA1 cert
because that cert was not marked as a CA cert, nor as a root.

By the way, you should NOT import the CA1 cert into your clients/browsers.
The clients should only contain your root CA cert, marked trusted as
you did.  Your server should have the Root, the CA1, and its own cert,
and should send all 3 to the client.

-- 
Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
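Added illustration of the point made in the reply above; this is not code from the thread or from NSS. It rebuilds the ROOT -> CA1 -> server layout with Python's `cryptography` library instead of certutil, because the failure is a property of the certificates themselves, not of the tool: an issuer that lacks a basicConstraints extension with cA=TRUE (the extension `certutil -2` adds) is not accepted as a CA, so path building stops with an unknown-issuer error even though the signature would verify. The keys, serial numbers (reused from the posted script), the server name `www.example.test` and the function names are all constructed for the demo, and the path builder is a deliberately simplified model of the behaviour described, not NSS's own algorithm. Trust flags (`-t`) have no analogue here; the trusted-root list plays that role.

```python
"""Added example: why an intermediate CA cert must carry basicConstraints CA:TRUE.

Mirrors the ROOT -> CA1 -> server layout from the thread using Python's
`cryptography` library instead of NSS certutil. Keys, serial numbers and the
server name are constructed for the demo (hypothetical, not from the thread).
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)
MAX_DEPTH = 8


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_cert(cn, key, issuer_cert, issuer_key, ca, serial):
    """Issue a cert for `key`. issuer_cert=None means self-signed.

    ca=True/False adds a critical basicConstraints extension (what `certutil -2`
    asks for); ca=None omits the extension entirely, like the posted bat file.
    """
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Organization"),
    ])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now - ONE_DAY)
        .not_valid_after(now + 365 * ONE_DAY)
    )
    if ca is not None:
        builder = builder.add_extension(
            x509.BasicConstraints(ca=ca, path_length=None), critical=True
        )
    return builder.sign(issuer_key, hashes.SHA256())


def is_ca(cert):
    """True only if the cert carries basicConstraints with cA=TRUE."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return ext.value.ca


def validate_chain(leaf, sent_intermediates, trusted_roots):
    """Simplified path building in the spirit of the behaviour described in
    the reply: for each cert, look for an issuer whose subject matches the
    cert's issuer name. Trusted roots qualify by trust alone; anything else
    qualifies only if it is marked as a CA. Returns (ok, reason)."""
    cert = leaf
    for _ in range(MAX_DEPTH):
        issuers = [r for r in trusted_roots if r.subject == cert.issuer]
        issuers += [c for c in sent_intermediates
                    if c.subject == cert.issuer and is_ca(c)]
        if not issuers:
            return False, ("unknown issuer: no CA cert with subject "
                           + cert.issuer.rfc4514_string())
        issuer = issuers[0]
        try:
            issuer.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, ("signature does not verify under "
                           + issuer.subject.rfc4514_string())
        if issuer in trusted_roots:
            return True, ("chain ends at trusted root "
                          + issuer.subject.rfc4514_string())
        cert = issuer
    return False, "no trusted root reached"


def build_demo():
    """ROOT (self-signed), CA1 two ways (with/without the CA extension, same
    key), and a server cert issued by CA1. Serials follow the posted script."""
    root_key, ca1_key, server_key = _new_key(), _new_key(), _new_key()
    root = make_cert("ROOT", root_key, None, root_key, True, 8361371)
    ca1_unmarked = make_cert("CA1", ca1_key, root, root_key, None, 6176871)
    ca1_marked = make_cert("CA1", ca1_key, root, root_key, True, 6176871)
    server = make_cert("www.example.test", server_key,
                       ca1_marked, ca1_key, False, 1)
    return root, ca1_unmarked, ca1_marked, server


if __name__ == "__main__":
    root, ca1_unmarked, ca1_marked, server = build_demo()
    print("CA1 without -2:", validate_chain(server, [ca1_unmarked], [root]))
    print("CA1 with -2:   ", validate_chain(server, [ca1_marked], [root]))
    print("CA1 not sent:  ", validate_chain(server, [], [root]))
```

The two CA1 certificates share one key and subject, so the server cert chains to either; the only difference is the extension, and that alone decides whether the chain closes. The third run reproduces the other point in the reply: if the server does not send CA1 and the client only holds ROOT, the lookup by issuer name fails the same way.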
