It took me many hours to find out why Firefox did not accept a certificate

I tried to copy a CA certificate from one CA to another CA. At first it looked like I had succeeded. I wanted to issue certificates from both CAs with the same keys. After I installed the certificates I got SEC_ERROR_UNKNOWN_ISSUER every time. I did a search with Google about that error. It was simple: if I did not have a CA root certificate with the same name in the subject as I had in the issuer on the server certificate, I would get that error. I checked that I had added the root CA certificate to the trusted certificates in Firefox. It was there and the subject was correct.

After building a debug version of Firefox and running it in the Visual Studio debugger, I understood how Firefox finds CA certs. It calculates a hash on the subject field and looks for a CA cert in the cert database with the same hash. It calculates the hash from everything in the subject: length, string type and OID. When I looked at both certificates I noticed a small difference. One had PrintableString as the type and the other had UTF8String for the common name. That will make the hash different.
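The mismatch described above, as an added Python example that is not part of the original post: it DER-encodes the same common name once as PrintableString and once as UTF8String, then compares the encodings and their hashes. The CN value used in the test is constructed, `diagnose` is a hypothetical helper, and SHA-256 stands in for whatever hash the certificate database actually uses.

```python
import hashlib

PRINTABLE, UTF8 = 0x13, 0x0C          # ASN.1 universal string type tags
OID_CN = bytes([0x55, 0x04, 0x03])    # 2.5.4.3 commonName

def tlv(tag, body):
    """DER tag-length-value (short or long length form)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_name(cn, string_tag):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID, value } } } with one CN."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(string_tag, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits = length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def attributes(name_der):
    """Return (oid, string_tag, value) for each attribute in a DER Name."""
    out, p, rdns = [], 0, read_tlv(name_der, 0)[1]
    while p < len(rdns):
        _, rdn, p = read_tlv(rdns, p)         # one SET (RDN)
        q = 0
        while q < len(rdn):
            _, atv, q = read_tlv(rdn, q)      # one SEQUENCE { OID, value }
            _, oid, r = read_tlv(atv, 0)
            tag, value, _ = read_tlv(atv, r)
            out.append((oid, tag, value))
    return out

def name_hash(der):
    return hashlib.sha256(der).hexdigest()  # SHA-256 is a stand-in (assumption)

def diagnose(issuer_der, ca_subject_der):
    """Explain why a leaf's issuer does or does not match a CA's subject."""
    if issuer_der == ca_subject_der:
        return "match"
    a, b = attributes(issuer_der), attributes(ca_subject_der)
    if [(o, v) for o, _, v in a] == [(o, v) for o, _, v in b]:
        return "same text, different string type"
    return "different name"
```

Two names that display identically in a certificate viewer can still return "same text, different string type" here, because only the one-byte string tag differs in the encoding.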
