Hi, Firefox seems to accept the subjectAltName extension, but I'm having trouble getting Firefox to trust the additional level of certificate hierarchy.
I started out with something that looks like:

    Root CA cert (self signed) [added to trust store on browser]
      Device CA cert (signed by Root CA)
        Per device HTTPS cert (signed by Device CA)

Firefox will trust the HTTPS certificate, but I was getting the 'Domain Mismatch Error' because the CN was wrong. So I added an additional level of certs so the device can re-sign its HTTPS certificate when it is assigned an IP address and hostname:

    Root CA cert (self signed) [added to trust store on browser]
      Device CA cert (signed by Root CA)
        Per device CA cert (signed by Device CA)
          Per device HTTPS cert (signed by Per Device CA)

The HTTPS server is configured to send the entire certificate chain, and Firefox has the 'Root CA' added to its trust store. When I try connecting, Firefox returns the familiar "Error Code: -8182" and the server throws 'sslv3 alert bad certificate' / 'SSL alert number 42'.

If I run 'openssl s_client -verify 3' and give openssl the root certificate, it verifies the chain without errors.

If I configure the HTTPS server to not send the entire certificate chain, then Firefox gives the expected 'Website Certified by an Unknown Authority' dialog. So Firefox accepts the cert, but doesn't like the cert chain.

I also tried having the HTTPS server send the HTTPS cert and the 'per device ca' cert, which results in the 'bad certificate' error. So Firefox thinks the cert is okay, but doesn't like the chain.

Any suggestions on what might be wrong or something else to try? I'd imagine this is another 'Firefox doesn't like x' problem, like I had when I tried to use 2048 bit DSA keys.

--Clem
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
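The hierarchy described in the post, rebuilt with the openssl command line so the chain can be checked outside the browser. This is an added example, not code from the original message: it issues the four certificates (root, device CA, per-device CA, leaf with a subjectAltName) into a scratch directory, then runs `openssl verify` with only the root trusted and the two intermediates supplied separately, which mirrors what a browser does with the chain a server sends. It also shows the two failure modes the post touches on: withholding the intermediates, and a hostname that does not match the SAN. The working directory, subject names, `device.example` and `192.0.2.10` are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the four-level hierarchy
# with the openssl CLI and verify it the way a browser would.
# WORK, the subject names, device.example and 192.0.2.10 are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extensions for the CA certificates: without basicConstraints CA:TRUE a v3
# certificate is not accepted as an issuer by openssl verify.
CA_EXTS='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash'
# Extensions for the per-device HTTPS certificate, including the SAN that the
# browser's name check looks at (the CN alone produced the domain mismatch).
LEAF_EXTS='basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:device.example,IP:192.0.2.10'

# issue NAME SUBJECT EXTENSIONS [ISSUER]
# Writes $WORK/NAME.key and $WORK/NAME.pem. Without ISSUER the certificate is
# self-signed (the root); otherwise it is signed by $WORK/ISSUER.{key,pem}.
issue() {
  name="$1"; subj="$2"; exts="$3"; issuer="${4:-}"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$subj" \
    -out "$WORK/$name.csr" 2>/dev/null
  printf '%b\n' "$exts" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Build root -> Device CA -> Per Device CA -> HTTPS leaf, then the two files a
# server and a verifier need: the chain to send (leaf first, root omitted) and
# the intermediates alone.
build_all() {
  issue root          '/CN=Root CA'        "$CA_EXTS"
  issue device-ca     '/CN=Device CA'      "$CA_EXTS"   root
  issue per-device-ca '/CN=Per Device CA'  "$CA_EXTS"   device-ca
  issue https         '/CN=device.example' "$LEAF_EXTS" per-device-ca
  cat "$WORK/https.pem" "$WORK/per-device-ca.pem" "$WORK/device-ca.pem" \
    > "$WORK/fullchain.pem"
  cat "$WORK/per-device-ca.pem" "$WORK/device-ca.pem" > "$WORK/intermediates.pem"
}

# Number of certificates in the chain the server would send (expected: 3).
chain_length() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/fullchain.pem" \
    | openssl pkcs7 -print_certs -noout | grep -c '^subject'
}

# Chain check with only the root trusted; the intermediates come from the
# server's chain, exactly as a browser with the root in its store sees it.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediates.pem" \
    "$WORK/https.pem" >/dev/null 2>&1
}

# The same check with the intermediates withheld: must fail, because nothing
# links the leaf to the trusted root.
verify_without_intermediates() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/https.pem" >/dev/null 2>&1
}

# Chain check plus the name check against subjectAltName (DNS or IP entry).
verify_for_name() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediates.pem" \
    -verify_hostname "$1" "$WORK/https.pem" >/dev/null 2>&1
}
verify_for_ip() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediates.pem" \
    -verify_ip "$1" "$WORK/https.pem" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
  build_all
  echo "certificates in the server chain: $(chain_length)"
  verify_chain && echo "full chain verifies against the root CA"
  verify_without_intermediates || echo "without intermediates: verification fails (expected)"
  verify_for_name device.example && echo "hostname device.example matches subjectAltName"
  verify_for_name other.example || echo "hostname other.example rejected (expected)"
  verify_for_ip 192.0.2.10 && echo "IP 192.0.2.10 matches subjectAltName"
fi
```

When a browser still rejects a chain that `openssl verify` accepts, the files this produces are the right thing to inspect: `openssl x509 -in "$WORK/per-device-ca.pem" -noout -text` shows whether each intermediate carries the CA basicConstraints and keyCertSign key usage that browsers require of every issuer in the path, and `chain_length` confirms the server is actually sending every intermediate between the leaf and the trusted root.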