Re: Why the certificate can not be trusted?
- Subject: Re: Why the certificate can not be trusted?
- From: "Geoff Beier" <email@hidden>
- Date: Wed, 20 Aug 2008 12:43:55 -0400
2008/8/20 Jim Luther <email@hidden>:
> You can use the Certificate Assistant application at
> "/System/Library/CoreServices/Certificate Assistant.app" to retrieve, view
> and evaluate certificates from the server. At the Options panel, select
> "View and evaluate certificates" and then at the "Viewing and Evaluating
> Certificates" panel, select "SSL (Secure Sockets Layer)", check the "Ask
> Host For Certificates" box, and enter the host name.

Cool tip. I've never seen that assistant before. That's handy.

> In the case of epayment.arcsoft.com, it says "No root cert found" which
> means the server didn't supply the root certificate that goes with the
> epayment.arcsoft.com certificate.

It actually means something subtly different than that. The server is
not supposed to supply the root certificate, and if it did the client
should not trust it. It is recommended that the server supply the
certificates required to build a chain from the server certificate
back to the root certificate. In this case the server did not. Because
the intermediate CA that signed the server certificate is not present
on the client system and it's not supplied by the server as part of
the handshake, the client is unable to build a path from the server to
the root. The client must already have a copy of the root certificate
in order to trust the server certificate.

Though there are other solutions, the best one is to reconfigure the
server to send down the certificate for the CA that issued the server
certificate.
Geoff
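
Added example, not part of the original message: the three situations described above (server sends only its own certificate, server also sends the issuing CA certificate, server sends a root the client does not have), reproduced offline with the openssl command line. The PKI, its names and the helper functions are constructed for this demo; `-untrusted` stands in for certificates received in the handshake.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root -> intermediate -> server. All names are made up.
PKI=$(mktemp -d); trap 'rm -rf "$PKI"' EXIT

# new_cert NAME EXTENSION SIGNING-ARGS...: create a key and CSR, then sign the CSR.
new_cert() {
  local name=$1 ext=$2; shift 2
  printf '%s\n' "$ext" > "$PKI/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $name" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$PKI/$name.csr" -days 2 -extfile "$PKI/$name.ext" \
    "$@" -out "$PKI/$name.pem" 2>/dev/null
}

build_pki() {
  new_cert root 'basicConstraints=critical,CA:TRUE' -signkey "$PKI/root.key" &&
  new_cert intermediate 'basicConstraints=critical,CA:TRUE' \
    -CA "$PKI/root.pem" -CAkey "$PKI/root.key" -CAcreateserial &&
  new_cert server 'basicConstraints=CA:FALSE' \
    -CA "$PKI/intermediate.pem" -CAkey "$PKI/intermediate.key" -CAcreateserial
}

# client_verify STORE SENT...: STORE is "root" (client has the root installed) or
# "none"; SENT names the extra certificates the server supplied in the handshake.
# Certificates passed with -untrusted help path building but are never trusted.
client_verify() {
  local store=$1 f args=(); shift
  if [ "$store" = root ]; then args+=(-CAfile "$PKI/root.pem")
  else args+=(-no-CAfile -no-CApath); fi
  for f in "$@"; do args+=(-untrusted "$PKI/$f.pem"); done
  openssl verify "${args[@]}" "$PKI/server.pem" >/dev/null 2>&1
}

report() {
  if client_verify "$@"; then echo "trusted:   $*"; else echo "untrusted: $*"; fi
}

build_pki || { echo "openssl could not build the demo PKI" >&2; exit 1; }
report root                    # server sent only its own certificate
report root intermediate       # server also sent the issuing CA certificate
report none intermediate root  # server sent the root; client does not have it
```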