The NSS developers (NSS being the library that Firefox uses) have discussed the concept of "OpenSSL's overspecified Authority Key Identifier" numerous times. Most recently, http://groups.google.com/group/mozilla.dev.tech.crypto/msg/2ac539b4447c58cd?pli=1 has the main NSS developer's (Nelson Bolyard) thoughts on the matter.
-Kyle H

On Thu, Mar 12, 2009 at 5:39 PM, Rene Hollan <rene.hol...@watchguard.com> wrote:
> Yup. That fixed it.. At least as far as openssl verify -CAfile
> cacert.pem -untrusted intcert2.pem yahoo-x.pem goes.
>
> Oddly, firefox still rejects the end cert, even though both cacert.pem
> and intcert2.pem are in its trust store. Is it possible that browsers
> actually ignore intermediate CA certs in their trust store and expect
> servers to provide them? That's the next thing for me to try (if only I
> can remember how to do that with openssl... :-)).
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Thursday, March 12, 2009 4:23 PM
> To: openssl-users@openssl.org
> Subject: Re: Can't recognize intermediate CA
>
> If it's any consolation you aren't alone with that, it gets commented on
> quite often so much so in fact that it has an FAQ entry:
>
> http://www.openssl.org/support/faq.html#USER15
>
> You can just leave out the issuer+serial number combination from AKID
> too.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
> project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-us...@openssl.org
> Automated List Manager majord...@openssl.org
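
The AKID choice discussed in this thread, shown as an added openssl.cnf fragment (an example written for this page, not taken from any poster's configuration). The section names are hypothetical; the option values are the standard x509v3 config syntax.

```ini
# Constructed extension sections for signing a certificate with OpenSSL.
# Select one by passing this file with -extfile and the section name
# with -extensions when signing.

[ ext_akid_overspecified ]
# AKID carries the issuer's key identifier AND the issuer certificate's
# own issuer name and serial number. If the intermediate CA certificate
# is later reissued with the same key but a new serial number, the
# issuer+serial pair in this certificate no longer matches it.
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always

[ ext_akid_keyid_only ]
# AKID carries only the key identifier, i.e. the issuer+serial
# combination is left out. Matching then depends on the issuer's key
# alone. "keyid:always" makes signing fail if the issuer certificate
# has no subjectKeyIdentifier, rather than silently omitting AKID.
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
```

To see which form an existing certificate uses, `openssl x509 -in intcert2.pem -noout -text` prints the X509v3 Authority Key Identifier extension; the overspecified form shows DirName and serial entries alongside keyid.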