[Fed-Talk] Problem loading DoD Root Certificates into Mozilla/FireFox/...
- Subject: [Fed-Talk] Problem loading DoD Root Certificates into Mozilla/FireFox/...
- From: Shawn Geddis <email@hidden>
- Date: Wed, 5 Jan 2005 15:30:49 -0500
Perceived Problem:
Loading DoD Trusted Root/Intermediate Certificates fails with Mozilla, FireFox, .... running on Mac OS X. It only imports two CA Certificates instead of the whole list.
Actual Problem:
The source code used for Mozilla 1.8a1-1.8a6 (as well as most if not all variants of Mozilla like FireFox) as of today is not properly parsing the Certificates referenced by the DoD Link (PKCS#7 Certificate Chain). All versions of Mozilla prior to 1.8a1 properly parse the Certificates. The format being posted has not changed as I incorrectly alluded to in my last message. There have, however, been more Certificates added to the chain.
Resolution to the Problem:
Scenario #1:
Use Mozilla 1.7.x or earlier version to properly download/import the DoD Trusted Root/Intermediate Certificates into the Application's Certificate Storage (Cert8.db). Re-launch the newer version of choice and you can then perform the standard modification of Trust settings on the certificates as needed.
Scenario #2:
Obtain or maintain a pre-populated Mozilla Certificate Storage database ("Cert8.db") and replace the user's personal account database with the pre-populated one.
The Path to the Cert8.db database is:
/Users/<user>/Library/Mozilla/Profiles/default/<profilefolder>/cert8.db
Change:
<user> ===> change to user's home directory / Account Name
<profilefolder> ===> to what was created for your profile... (random)
For example, the above might look something like:
/Users/joeuser/Library/Mozilla/Profiles/default/c6ytv1a8.slt/cert8.db
URLs to obtain DoD Certs:
DoD Class 3 Public Key Infrastructure (PKI) Home Page:
http://dodpki.c3pki.chamb.disa.mil/
DoD Class 3 PKI Download Root CA Certificate:
http://dodpki.c3pki.chamb.disa.mil/rootca.html
Download Class 3 Root CA Certificate:
http://dodpki.c3pki.chamb.disa.mil/dodcacerts.cac
Download Medium Assurance Root CA Certificate:
http://dodpki.c3pki.chamb.disa.mil/dodroot.cac
Note about Mac OS X:
Remember that on Mac OS X 10.3.x and later, applications that properly leverage the built-in Credential Services are accessing the X509Anchors & X509Certificates keychains where these DoD Trusted Root and Intermediate Certs are already installed and updated. For those applications, you need not perform any DoD Root CA installations.
-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government
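
An added example, not part of the original message and not Mozilla's code: a minimal DER walk that counts the certificates in a PKCS#7 certs-only bundle, so the number in the downloaded file can be compared with what the browser actually imported. It assumes the bundle is DER-encoded; the function names and the sample bundle (placeholder SEQUENCEs instead of real X.509 certificates) are constructed for illustration.

```python
# Count the certificates in a DER-encoded PKCS#7 SignedData bundle (stdlib only).
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length (BER) is not handled here")
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split a constructed value into its (tag, value) child elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def count_certificates(der):
    """Number of entries in SignedData.certificates ([0] IMPLICIT SET)."""
    tag, content_info, _ = read_tlv(der, 0)
    (oid_tag, oid), (ctx_tag, wrapped) = children(content_info)[:2]
    if tag != 0x30 or oid_tag != 0x06 or oid != SIGNED_DATA_OID or ctx_tag != 0xA0:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, signed_data = children(wrapped)[0]    # the SignedData SEQUENCE
    for tag, value in children(signed_data):
        if tag == 0xA0:                      # certificates field
            return len(children(value))
    return 0                                 # field is optional and was absent

def tlv(tag, value):
    """Encode one DER element; used only to build the constructed sample."""
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_bundle(n_certs):
    # Constructed sample: each "certificate" is a placeholder SEQUENCE, not real X.509.
    certs = b"".join(tlv(0x30, b"\x04\x40" + bytes([i]) * 64) for i in range(n_certs))
    body = b"\x02\x01\x01" + tlv(0x31, b"") + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
    body += tlv(0xA0, certs) + tlv(0x31, b"")
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, tlv(0x30, body)))
```

To check a real download, pass the file's bytes to `count_certificates` and compare the result with the number of DoD entries listed in the browser's certificate manager after import.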