problem with certificate trust path in nss library

Paweł Szychowski RNK

I have an X509 certificate which was generated by the BC JCA library. Apparently everything is well, but the NSS (Firefox, Fedora) library does not recognize the anchor in the trust path.
The other libraries like OpenSSL deal with that correctly and an issuer is recognized.
Is it a known problem? What is wrong, or which option should I use to resolve the problem?

PSz.






Re: problem with certificate trust path in nss library

Uri Blumenthal
On Jul 23, 2016, at 17:57, Paweł Szychowski RNK <[hidden email]> wrote:
> I have an X509 certificate which was generated by the BC JCA library. Apparently everything is well, but the NSS (Firefox, Fedora) library does not recognize the anchor in the trust path.
> The other libraries like OpenSSL deal with that correctly and an issuer is recognized.
> Is it a known problem? What is wrong, or which option should I use to resolve the problem?

I suspect that the CA (the issuer) certificate does not have the correct Key Usage set. The current Firefox is very strict about that. It has to have “Digital Signature, CRL Sign, Key Cert Sign”. Anything else (or any from the above missing) - and Firefox won’t consider it a good true anchor.
--
Uri Blumenthal