From: Maaartin on
I've just installed a new certificate for a website. It works fine
with IE but neither with FF (Error code: sec_error_untrusted_issuer)
nor with Opera (OCSP error). Using Java I see the following chain:

0 Subject CN=www.cgc-instruments.com, OU=EssentialSSL, OU=Domain Control Validated
  Issuer  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  sha1    C4EF077F9AF76A4E15B6597CB171B7950554AEA2
  md5     3E84070946754A2763E7B3E6EEB22981
1 Subject CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  Issuer  CN=COMODO Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  sha1    73820A20F8F47A457CD0B54CC4E4E31CEFA5C1E7
  md5     B51A6D2D44CC72D6C62A1B975A183D91
2 Subject CN=COMODO Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  Issuer  CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  sha1    4E154ACB683EFD5578001432B92AFE896812B85E
  md5     C71ED879914C01ACEDED00304C47F0E4
3 Subject CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  Issuer  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  sha1    9E99817D12280C9677674430492EDA1DCE2E4C63
  md5     55070F1F9AE5EA2161F3722B8B417F27
4 Subject CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  Issuer  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  sha1    02FAF3E291435468607857694DF5E45B68851868
  md5     1D3554048578B03F42424DBF20730A3F

In IE the chain contains all the items, but in both FF and Opera I see
the chain ending with item 2 (Comodo).

Why do the two browsers stop earlier? This would be clear in case
they'd accept the Comodo certificate, but they do not.


In case you want to have a look at it, the certificate gets used for
"Contact" only. Btw., I know, there're non-secure items there; they'll
get removed some day.
From: Gordon Burditt on
>I've just installed a new certificate for a website. It works fine
>with IE but neither with FF (Error code: sec_error_untrusted_issuer)
>nor with Opera (OCSP error). Using Java I see the following chain:

If you don't have (and trust) the certificates for the CA's involved
in the chain, the certificate won't be trusted. Do IE, FF, and
Opera each have the same set of root certificates?
From: Maaartin on
On Mar 28, 8:15 am, gordonb.1e...(a)burditt.org (Gordon Burditt) wrote:
> >I've just installed a new certificate for a website. It works fine
> >with IE but neither with FF (Error code: sec_error_untrusted_issuer)
> >nor with Opera (OCSP error). Using Java I see the following chain:
>
> If you don't have (and trust) the certificates for the CA's involved
> in the chain, the certificate won't be trusted.  Do IE, FF, and
> Opera each have the same set of root certificates?

They don't, but all of them trust "AddTrust AB" (item 4) above. It
looks like both FF and Opera trust Comodo (item 2) as well, unlike IE.
This would explain why the chain ends earlier.

Can it be that the problem is the kind of the certificate? It's only a
"domain control validated" cert, could it be that FF and Opera
practically ignore it?
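
The chain-shortening effect discussed in this thread, as an added example that is not part of any poster's message: a name-only path builder run over the subject/issuer pairs from the first post. The two trust stores are assumptions modelled on what the posters report, and real validators also check signatures, validity dates and revocation (OCSP/CRL), which this sketch does not.

```python
# Added example: name-only path building over the chain posted in the thread.
# It shows where a client stops climbing, not whether the chain validates.

# (subject CN, issuer CN) pairs copied from the thread, leaf first.
CHAIN = [
    ("www.cgc-instruments.com", "EssentialSSL CA"),
    ("EssentialSSL CA", "COMODO Certification Authority"),
    ("COMODO Certification Authority", "UTN - DATACorp SGC"),
    ("UTN - DATACorp SGC", "AddTrust External CA Root"),
    ("AddTrust External CA Root", "AddTrust External CA Root"),
]

# Hypothetical trust stores (assumptions, not dumps of any real browser).
STORE_ROOT_ONLY = {"AddTrust External CA Root"}
STORE_WITH_COMODO = {"AddTrust External CA Root",
                     "COMODO Certification Authority"}


def check_links(chain):
    """Return indexes i where chain[i]'s issuer is not chain[i+1]'s subject."""
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]


def build_path(chain, trust_store):
    """Walk from the leaf upward and stop at the first trusted subject.

    Returns (path_indexes, anchor_index); anchor_index is None when no
    certificate in the presented chain matches the trust store.
    """
    path = []
    for i, (subject, issuer) in enumerate(chain):
        path.append(i)
        if subject in trust_store:
            return path, i           # trust anchor reached, stop here
        if subject == issuer:
            break                    # self-signed but untrusted: dead end
        if i + 1 < len(chain) and chain[i + 1][0] != issuer:
            break                    # next cert is not the issuer: broken chain
    return path, None


if __name__ == "__main__":
    print("broken links:", check_links(CHAIN))
    for name, store in (("root only", STORE_ROOT_ONLY),
                        ("root + COMODO", STORE_WITH_COMODO)):
        path, anchor = build_path(CHAIN, store)
        print(f"{name}: path={path} anchor={anchor}")
```

With the second store the path ends at item 2, which matches the shorter chain displayed in FF and Opera; it does not by itself account for the errors those browsers report.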