> From: owner-openssl-us...@openssl.org On Behalf Of Kent Tong
> Sent: Wednesday, 13 May, 2009 05:43
<snip other ideas/comments that didn't help>

> > When you 'install' the CAcert can you choose anything about 
> intended 
> > or allowed usage? Maybe some tickboxes?
> 
> Yes, I checked "can identify web sites" and "can identify mail users".
> 
Those would make sense for an entity cert. Aren't there 
option(s) something like 'can issue/sign certificates'? 

> > Could thunderbird have cached some info about the old 
> CAcert that is 
> > now confusing it e.g. a fingerprint?
> 
> I don't think so. Is it possible that the signed mails 
> actually contain the full chain?
> 
That's an idea. The SMIME/PKCS7 format allows it (so did PEM).
Whether your mails actually do would depend on the program 
that created them (here thunderbird), and possibly 
its configuration settings and/or user option choices.
But if the old-CAcert IS there and the verification function 
is using it rather than the new one, I would expect you to get 
an error about 'expired' not about 'unsuitable usage'.

<snip>
> Old cert: [and also New cert][in Extensions]
>             X509v3 Basic Constraints:
>                 CA:TRUE

I see your certs (rightly) have this. For some programs, 
this plus possibly/sometimes keyUsage is enough to allow 
verifying children. Apparently not thunderbird.

In a subsequent message you add:

> I've installed the new CA cert on a computer whose clock has 
> been pulled back. For a mail signed in the past, Thunderbird 
> says "could not verify this certificate for unknown reasons".
> 
The new-CAcert has new START time (notBefore) = this week, 
as well as new END time (notAfter) = 2019. Using that on a 
back-dated system will look like the cert is 'not valid yet'.
That is an error that rarely occurs in reality or is even 
considered, and thus Thunderbird might well handle it poorly.

My suggestion was to re-install OLD-CAcert on a back-dated 
system, so that it appears to (still) be within its validity,
and make sure that _completely_ works. In other words, (try 
to) recreate in a controlled way the situation you were in
before you changed anything, and everything worked.

> However, it can display the certificate chain properly.

For the child cert itself, or mail(s) under it, or both?
'properly' meaning it shows correct child/parent relationship, 
but says at least parent is not valid/verified/whatever?



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
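The three outcomes this reply distinguishes (a CA cert that has expired, one that is not yet valid on a back-dated clock, and one that is simply unsuitable as an issuer) can be reproduced with the stdlib OpenSSL binding in Ruby. The following is an added example, not code from the thread or from the OpenSSL project: it wraps one CA key in three self-signed certificates with different dates and extensions, issues one entity cert under that key, and verifies it against each anchor at a chosen clock time. All names, serials, and lifetimes are constructed for the demonstration.

```ruby
require 'openssl'

# Added, constructed example: none of these names, keys or lifetimes come
# from the thread. One CA key is wrapped in three different self-signed
# certificates, mirroring the old-CAcert / new-CAcert situation.
DAY = 86_400
NOW = Time.now

CA_KEY   = OpenSSL::PKey::RSA.generate(2048)
LEAF_KEY = OpenSSL::PKey::RSA.generate(2048)

# Build an X.509v3 certificate. issuer_cert == nil means self-signed.
def build_cert(subject, key, not_before, not_after, serial,
               issuer_cert: nil, issuer_key: nil, profile: :entity)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, so the extensions below are honoured
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  case profile
  when :ca      # what a CA cert needs: CA:TRUE plus keyCertSign
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  when :non_ca  # same key and name, but not marked as a CA
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  when :entity  # an S/MIME signing cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'emailProtection'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_NAME = '/CN=Example Mail CA'
# "Old" CA cert: its notAfter was yesterday.
OLD_CA = build_cert(CA_NAME, CA_KEY, NOW - 3 * 365 * DAY, NOW - 1 * DAY, 1, profile: :ca)
# "New" CA cert: same key and name, notBefore this week, ten more years.
NEW_CA = build_cert(CA_NAME, CA_KEY, NOW - 3 * DAY, NOW + 10 * 365 * DAY, 2, profile: :ca)
# A re-issue with the same key and name that lacks CA:TRUE.
NON_CA = build_cert(CA_NAME, CA_KEY, NOW - 3 * DAY, NOW + 10 * 365 * DAY, 3, profile: :non_ca)
# Entity cert issued two years ago under the CA key, still within its own dates.
LEAF = build_cert('/CN=example user', LEAF_KEY, NOW - 2 * 365 * DAY, NOW + 365 * DAY, 100,
                  issuer_cert: OLD_CA, issuer_key: CA_KEY)

# Verify LEAF against a single trusted CA cert at a chosen clock time.
# Returns [true, "ok"] or [false, OpenSSL's reason string].
def verify_at(trusted_ca, leaf, at_time)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  store.time = at_time # same effect as `openssl verify -attime <epoch>`
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  {
    'old CA, clock = now'          => verify_at(OLD_CA, LEAF, NOW),
    'new CA, clock = now'          => verify_at(NEW_CA, LEAF, NOW),
    'new CA, clock = 1 year ago'   => verify_at(NEW_CA, LEAF, NOW - 365 * DAY),
    'old CA, clock = 1 year ago'   => verify_at(OLD_CA, LEAF, NOW - 365 * DAY),
    'CA:FALSE anchor, clock = now' => verify_at(NON_CA, LEAF, NOW)
  }.each do |label, (ok, why)|
    puts "#{label.ljust(30)} -> #{ok ? 'verified' : 'rejected: ' + why}"
  end
end
```

Running it shows the same split the reply describes: the old CA cert fails with "certificate has expired" on a current clock but verifies on a clock set a year back, the new CA cert verifies today but fails with "certificate is not yet valid" on the back-dated clock, and the anchor without CA:TRUE is rejected as an "invalid CA certificate" regardless of the clock. The last case is the kind of 'unsuitable usage' error one would expect if a verifier had picked the wrong kind of cert rather than the wrong dates.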
