Re: Mozilla NSS -- how to deploy intermediate certificate

To: Aaron Bennett <abennett@clarku.edu>

Subject: Re: Mozilla NSS -- how to deploy intermediate certificate

From: Rich Megginson <rich.megginson@gmail.com>

Date: Fri, 24 Feb 2012 11:35:49 -0700

Authentication-results: mr.google.com; spf=pass (google.com: domain of rich.megginson@gmail.com designates 10.229.137.20 as permitted sender) smtp.mail=rich.megginson@gmail.com; dkim=pass header.i=rich.megginson@gmail.com

Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=RZs7THkc/TizVND518hgyMwEyvPafGD7FBxEwT+Cem4=; b=qO7pLgYoWrw5e+tqgq8ffZoFVopv00TRPa62Y8mZm36ZODxhBpJFf0PPX+WasGdZao GCKOta5dcpZrHw+Ih5hkmc7PVLEgikuSfLwGoysdetCDWTFSTPHpTaBBIIoT+q9LeSqG Dkmwf83JIRNmMND6Jfell3SqJYonRk7ZrI8rw=

In-reply-to: <1C4DF99260C2DC4383032F85493C75AA7E3E7A7BB0@john.ad.clarku.edu>

References: <1C4DF99260C2DC4383032F85493C75AA7E3E7A7BB0@john.ad.clarku.edu>

User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.26) Gecko/20120215 Red Hat/3.1.18-2.el6_2 Lightning/1.0b3pre Thunderbird/3.1.18

On 02/24/2012 11:15 AM, Aaron Bennett wrote:

Hello,

I need to publish the GeoTrust intermediate certificate; I’m using 2.4.29 built against Mozilla NSS. In OpenSSL world, I’d use -- I think -- TLSCACertificateFile /path/to/CA-certificates. Here’s what I’ve tried:

Download GeoTrust cert from https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 ; save as intermediate.crt

Import with:

# certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt

Certutil -L now shows:

# certutil -d /etc/openldap/nssdb/ -L

Certificate Nickname                                         Trust Attributes

                                                             SSL,S/MIME,JAR/XPI

geotrust-intermediate                                        ,,

ds.clarku.edu                                                Pu,Pu,Pu

cn=config looks like this:

olcTLSCACertificateFile: geotrust-intermediate

olcTLSCACertificatePath: /etc/openldap/nssdb

olcTLSCertificateFile: ds.clarku.edu

But still clients cannot verify the cert.

Any Mozilla NSS guru’s know what I’m going wrong?

See http://www.openldap.org/faq/data/cache/1514.html
Using Builtin Root Certs:

Thanks,

Aaron