Pierre Scholtes wrote:
> I have some problems with path construction with Netscape. I set up a RootCA1 which cross-certifies a RootCA2 which certifies a webserver.
> I added the different certificates to chain.pem, added the SSLCertificateChainFile command to httpd.conf and restarted my Apache. If I want to access the webserver with a Netscape browser which has RootCA1 as its only trusted root, Netscape does not manage to accomplish path construction. With IE, however, everything works fine.

Netscape (now Mozilla) and cross certification is an old problem. Until now (NSS 3.8), path validation for cross certification is not supported by Network Security Services. The most recent release is 3.8. Please check the details here (like the missing path validation):
http://www.mozilla.org/projects/security/pki/nss/nss-3.8/nss-3.8-plan.html
Microsoft is much better in this area.
Michael
P.S. You need the authority key identifier for exactly this path validation.

--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482
(Computing Centre)             Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                        http://www.openca.org
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
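
A simplified model of the path construction discussed in this thread, added here as an example (it is not code from NSS, OpenCA or either poster). It shows a path builder that backtracks past the self-signed RootCA2 certificate to the cross-certificate, and how authority/subject key identifiers rule out a same-named issuer with a different key. Certificates are reduced to name and key-identifier fields, every value is constructed, and signature checking is not modelled.

```python
from collections import namedtuple

# Only the fields used for path building; ski/aki stand for the subject and
# authority key identifier extensions. All values below are constructed.
Cert = namedtuple("Cert", "subject issuer ski aki")

def build_path(leaf, pool, anchors, use_key_ids=True):
    """Depth-first search from leaf to a trust anchor; returns a list or None."""
    def issued(parent, child):
        if parent.subject != child.issuer:
            return False
        if use_key_ids and child.aki and parent.ski:
            return child.aki == parent.ski  # AKI must name the issuer's key
        return True

    def search(cert, path):
        if cert in anchors:
            return path
        for cand in pool + anchors:
            # Loop guard: never revisit the same subject name and key.
            if any((c.subject, c.ski) == (cand.subject, cand.ski) for c in path):
                continue
            if issued(cand, cert):
                found = search(cand, path + [cand])
                if found:
                    return found
        return None  # dead end, caller tries its next candidate

    return search(leaf, [leaf])

root1 = Cert("RootCA1", "RootCA1", "K1", "K1")         # the only trusted root
ca2_self = Cert("RootCA2", "RootCA2", "K2", "K2")      # RootCA2 self-signed
ca2_cross = Cert("RootCA2", "RootCA1", "K2", "K1")     # RootCA2 cross-certified by RootCA1
ca2_old = Cert("RootCA2", "RootCA1", "K2-old", "K1")   # hypothetical: same name, other key
server = Cert("www.example.test", "RootCA2", "Ksrv", "K2")

def subjects_and_keys(path):
    return None if path is None else [(c.subject, c.ski) for c in path]

if __name__ == "__main__":
    chain = [ca2_old, ca2_self, ca2_cross]
    print(subjects_and_keys(build_path(server, chain, [root1])))
    print(subjects_and_keys(build_path(server, chain, [root1], use_key_ids=False)))
```

With name-only matching the builder returns a path through the wrong-key RootCA2 certificate, which a real validator would then reject at signature verification.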
