-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Clem Taylor wrote:
> Hi,
Hello Clem,

> Firefox seems to accept the subjectAltName extension, but I'm having
> troubles getting firefox to trust the additional level of certificate
> hierarchy.
[...]

> Root CA cert (self signed) [added to trust store on browser]
>   Device CA cert (signed by Root CA)
>       Per device CA cert (signed by Device CA)
>            Per device HTTPS cert (signed by Per Device CA)

> The https server is configured to send the entire certificate chain
> and firefox has the 'Root CA' added to its trust store. When I try
> connecting firefox returns the familiar "Error Code: -8182" and the
> server throws a 'sslv3 alert bad certificate' 'SSL alert number 42'.
> If I run 'openssl s_client -verify 3' and give openssl the root
> certificate, it verifies the chain without errors.
> 
> If I configure the https server to not send the entire certificate
> chain, then firefox gives the expected 'Website Certified by an
> Unknown Authority' dialog. So firefox accepts the cert, but doesn't
> like the cert chain. I also tried having the https server send the
> https cert and the 'per device ca' cert, which results in the 'bad
> certificate' error. So firefox thinks the cert is okay, but doesn't
> like the chain.
> 
> Any suggestions on what might be wrong or something else to try? I'd
> imagine this is another 'firefox doesn't like x' problem like I had
> when I tried to use 2048 bit DSA keys.

Without the certificate chain,
it is speculating without data...

Bye

Goetz

- --
DMCA: The greed of the few outweighs the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFXuaj2iGqZUF3qPYRAj8cAJ9YXjKf9b6plr6CIqhyYKB6idnbygCeLwh2
tZ3xOjmQ8Cm0dDAGEyn2r6Y=
=WbtF
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
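
Added example (not part of the original thread and not OpenSSL project code): a shell script that builds a throwaway copy of the four-level hierarchy from Clem's message, runs `openssl verify` against the full chain and against the partial one (HTTPS cert plus Per device CA only), and dumps subject, issuer, basicConstraints and keyUsage for each certificate the server would send, which is the data a reply like Goetz's asks for. All certificate names, the host name and the ext.cnf contents are assumptions; it needs OpenSSL 1.1.1 or later for `x509 -ext`.

```shell
# Added example; every name (root, device-ca, ..., device.example) is constructed.
set -e
# mkcert NAME ISSUER SECTION: new key and cert; ISSUER "self" makes the root.
# $signer is expanded unquoted on purpose: the constructed names have no spaces.
mkcert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" 2>/dev/null
    if [ "$2" = self ]; then signer="-signkey $1.key"
    else signer="-CA $2.pem -CAkey $2.key -CAcreateserial"; fi
    openssl x509 -req -in "$1.csr" -days 30 -extfile ext.cnf -extensions "$3" \
        $signer -out "$1.pem" 2>/dev/null
}

# build_chain DIR: the four-level hierarchy from the message, plus two bundles.
build_chain() (
    cd "$1"
    cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:device.example
EOF
    mkcert root self v3_ca
    mkcert device-ca root v3_ca
    mkcert per-device-ca device-ca v3_ca
    mkcert https per-device-ca v3_leaf
    cat https.pem per-device-ca.pem device-ca.pem > chain.pem  # full chain
    cat https.pem per-device-ca.pem > partial.pem              # Device CA missing
)

# verify_bundle DIR BUNDLE: validate the leaf using only BUNDLE's intermediates.
verify_bundle() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/https.pem"
}

# dump_chain BUNDLE OUTDIR: split the bundle, print the fields path validation uses.
dump_chain() {
    awk -v out="$2" '/BEGIN CERT/ {n++} n {print > (out "/cert-" n ".pem")}' "$1"
    for f in "$2"/cert-*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer -ext basicConstraints,keyUsage
    done
}

work=$(mktemp -d); build_chain "$work"; verify_bundle "$work" "$work/chain.pem"
verify_bundle "$work" "$work/partial.pem" || echo "partial chain rejected"
dump_chain "$work/chain.pem" "$work"
```

To inspect a real server instead, save the output of `openssl s_client -showcerts` to a file and pass that file to dump_chain.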
