[Mono-bugs] [Bug 76279][Nor] Changed - CERT_E_CHAINING problem for server certificate

bugzilla-daemon at bugzilla.ximian.com
Mon Oct 3 09:34:09 EDT 2005


Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by sebastien at ximian.com.

http://bugzilla.ximian.com/show_bug.cgi?id=76279

--- shadow/76279	2005-10-03 06:47:32.000000000 -0400
+++ shadow/76279.tmp.3040	2005-10-03 09:34:09.000000000 -0400
@@ -181,6 +181,36 @@
 
 
 Yngve Zackrisson.
 
 
 
+
+------- Additional Comments From sebastien at ximian.com  2005-10-03 09:34 -------
+Remember that the Mono tool for creating certificates is "makecert".
+You are free to use other tools but their specific functions (i.e.
+anything outside the X.509 structure) just won't work. So trusting a
+certificate with OpenSSL won't affect Mono in any way (i.e. it won't
+make this certificate trusted automagically) no more than trusting a
+certificate on Windows would.
+
+About the stores:
+
+* Only self-signed that you trust should be installed in Mono's
+'Trust' certificate store. 
+
+* The 'CA' store is (just like in Windows) for "intermediate CA", i.e.
+for non-self signed CA part of a hierarchy.
+
+* Having a certificate in 'both' stores _should_ works with the
+current chaining algorithm but this could change anytime so please
+don't depend on that (e.g. as it affects the maximum length of a CA
+hierarchy)
+
+About CAs...
+
+* Is there any reason why you want to have two separate roots for
+issuing SSL server certificates and SSL client certificates ? This
+seems only more work (in particular for client configuration) and
+doesn't help security (as your system will fail if either root is
+compromised).
+

