The NSS developers (NSS being the library that Firefox uses) have
discussed the concept of "OpenSSL's overspecified Authority Key
Identifier" numerous times.  Most recently,
http://groups.google.com/group/mozilla.dev.tech.crypto/msg/2ac539b4447c58cd?pli=1
has the main NSS developer's (Nelson Bolyard) thoughts on the matter.

-Kyle H

On Thu, Mar 12, 2009 at 5:39 PM, Rene Hollan <rene.hol...@watchguard.com> wrote:
> Yup. That fixed it. At least as far as openssl verify -CAfile
> cacert.pem -untrusted intcert2.pem yahoo-x.pem goes.
>
> Oddly, Firefox still rejects the end cert, even though both cacert.pem
> and intcert2.pem are in its trust store. Is it possible that browsers
> actually ignore intermediate CA certs in their trust store and expect
> servers to provide them? That's the next thing for me to try (if only I
> can remember how to do that with openssl... :-)).
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Thursday, March 12, 2009 4:23 PM
> To: openssl-users@openssl.org
> Subject: Re: Can't recognize intermediate CA
>
>
> If it's any consolation, you aren't alone with that; it gets commented on
> quite often, so much so in fact that it has an FAQ entry:
>
> http://www.openssl.org/support/faq.html#USER15
>
> You can just leave out the issuer+serial number combination from AKID
> too.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
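
Added example, not part of the thread and not OpenSSL project code: a shell sketch of why an AKID that carries issuer+serial is called "overspecified", and what changes when only the key identifier is kept, as suggested above. It goes beyond the thread by assuming an intermediate that is re-issued with the same key and a new serial; every name, serial and file is constructed, and it assumes an openssl 1.1.0+ command line with its default config file present.

```shell
#!/bin/sh
# Constructed demo PKI: all subjects, serials and file names are made up.
set -eu

# issue CN KEY OUT SERIAL EXT_SECTION CA_CERT CA_KEY
issue() {
    openssl req -new -key "$2" -subj "/CN=$1" -out csr.tmp
    openssl x509 -req -in csr.tmp -days 30 -set_serial "$4" -extfile ext.cnf \
        -extensions "$5" -CA "$6" -CAkey "$7" -out "$3" 2>/dev/null
}

build_demo() {
    dir=$(mktemp -d) && cd "$dir"
    cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[leaf_full]
authorityKeyIdentifier = keyid,issuer:always
[leaf_keyid]
authorityKeyIdentifier = keyid
EOF
    for k in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$k.key"
    done
    openssl req -new -key root.key -subj "/CN=Demo Root" -out csr.tmp
    openssl x509 -req -in csr.tmp -days 30 -signkey root.key \
        -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null
    issue "Demo Intermediate" int.key int_v1.pem 100 ca root.pem root.key
    # Same subject and key, new serial: the intermediate as re-issued later.
    issue "Demo Intermediate" int.key int_v2.pem 200 ca root.pem root.key
    # Both leaves are signed by int_v1; only the AKID contents differ.
    issue leaf-full  leaf.key leaf_full.pem  1 leaf_full  int_v1.pem int.key
    issue leaf-keyid leaf.key leaf_keyid.pem 2 leaf_keyid int_v1.pem int.key
}

# chain_ok INTERMEDIATE LEAF: exit status 0 if the chain builds and verifies
chain_ok() {
    openssl verify -CAfile root.pem -untrusted "$1" "$2" >/dev/null 2>&1
}

build_demo
for leaf in leaf_full.pem leaf_keyid.pem; do
    for ca in int_v1.pem int_v2.pem; do
        chain_ok "$ca" "$leaf" && r=OK || r=FAIL
        echo "$leaf via $ca: $r"
    done
done
```

The issuer name and serial inside the AKID are those of the intermediate certificate itself (its issuer is the root), which is the point the FAQ entry makes; `openssl x509 -in leaf_full.pem -noout -text` shows them.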