Consider adding GlobalSign CA certificate

Bug #343798 reported by Daniel Richard G.
Affects                   Status        Importance  Assigned to  Milestone
ca-certificates (Debian)  Invalid       Undecided   Unassigned
ca-certificates (Ubuntu)  Fix Released  Wishlist    Unassigned

Bug Description

Binary package hint: ca-certificates

The Adobe Open Source site has an SVN-via-HTTPS server up and running at

    https://opensource.adobe.com/svn/opensource/flex/sdk/

On an up-to-date Ubuntu Intrepid system, connecting to this server with the svn(1) client yields

Error validating server certificate for 'https://opensource.adobe.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: opensource.adobe.com
 - Valid: from Wed, 04 Mar 2009 18:59:02 GMT until Wed, 03 Mar 2010 21:33:03 GMT
 - Issuer: GlobalSign, Organization Validation CA
 - Fingerprint: 96:ae:9a:74:e8:b7:05:76:12:8d:67:93:91:fd:f9:0a:39:28:5e:fb
(R)eject, accept (t)emporarily or accept (p)ermanently?

This GlobalSign CA (see globalsign.{com,net}) appears to be a commercial SSL certificate issuer, at least significant enough for a major company like Adobe to use them, and the Microsoft Internet Explorer browser does seem to ship with their certificate.

I would like to request that this CA be investigated for potential inclusion in the ca-certificates package.

Revision history for this message
James Westby (james-w) wrote :

Hi,

Thanks for taking the time to report this bug.

ca-certificates is maintained in Debian with little divergence, so it would be great
to request the change there so that everyone can benefit.

Instructions for getting a certificate included in the package in Debian can be found
in /usr/share/doc/ca-certificates/README.Debian

Thanks,

James

James Westby (james-w)
Changed in ca-certificates (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Revision history for this message
Philipp Kern (pkern) wrote :

This CA is included since at least Jaunty.

Changed in ca-certificates (Ubuntu):
status: Confirmed → Fix Released
Changed in ca-certificates (Debian):
status: New → Invalid
Revision history for this message
shanen (Shannon Jacobs) (shanen) wrote :

I ran into this same certificate authority being used by NTTPC, a subsidiary of NTT, the main phone company of Japan. IE accepts it, but I don't think it's pure anti-Firefox behavior, just typical mindless incompetence from the NTT zombies.

The status of this bug seems to claim the bug has been fixed, but not as of today for Firefox 3.0.11. It seems that the problem is at the level of Firefox, since I've seen the certificate be accepted by IE on one machine where it is rejected by Firefox?

Revision history for this message
shanen (Shannon Jacobs) (shanen) wrote :

Well, whatever is going on is rather more complicated, but I'm going to report those details over in a newer bug report. However, what I can say is that there is definitely something wrong with the way Firefox is handling this Certificate Authority, even though the appropriate root authority is installed in Ubuntu (and Windows).

Revision history for this message
Steve Roylance (steve-roylance) wrote :

Hi Everyone.

I just verified that in 9.04 the two correct certificates for GlobalSign are present, inside

    /etc/ssl/certs

and

    /usr/share/ca-certificates/mozilla

I'll double check debian next, however we have been inside for many years initially via OpenSSL until the ca-certificates list was stopped (I can't give a specific date or revision level when we were included). Now we are included via NSS, and there should be no issues.

Our roots are available here:
https://secure.globalsign.net/cacert/Root-R1.crt as GlobalSign_Root_CA.crt
https://secure.globalsign.net/cacert/Root-R2.crt as GlobalSign_Root_CA_-_R2.crt

Please let me know if you see any interaction issues with our previous root.

https://secure.globalsign.net/cacert/Root.crt

Expiring in 2014 this has the same key material, SKI, start date etc. as the R1 root above (which expires in 2028) but to be RFC compliant it has a different serial number. If this issue is to do with this please let me know. Firefox, Opera, IE etc. all treat the roots equally. Only MACOSX sees them as two roots so we have all 3 in the MAC keystore.

I checked https://opensource.adobe.com/wiki/display/site/Home and it's fine on 9.04 which uses Fox 3.08

Kind Regards

Steve Roylance - Business Development Director for GlobalSign

Revision history for this message
shanen (Shannon Jacobs) (shanen) wrote :

Well, now I can't find the other bug report that I prepared, but the problem is more complicated than it appears, and it only affects Firefox. Since I can't find that bug, I'll go ahead and summarize the critical details here, and attach the NTTPC certificate that is supposed to use GlobalSign.

It fails on Firefox in both Windows and Ubuntu, but on the same Windows machine IE works and establishes the HTTPS connection without any problem. Therefore the real problem seems to be something wrong with Firefox, not with the GlobalSign certificate.

Revision history for this message
Steve Roylance (steve-roylance) wrote :

The final answer is so common I forgot to check. www.nttpc.ne.jp do not supply the intermediate issuing CA from the server. I'll pass to my Japanese colleagues to contact NTT and have the problem fixed.

If you install one of these issuing CAs into your system it will complete the chain. Windows will use the AIA extension inside the certificate to identify the missing certificates and therefore you'll not see the issue on IE. (99.9% sure this is the case)

We have two versions of the issuing CA. One that supports SGC (Standard Product) and one that has the SGC Extended Key Usage removed. I have placed both below.

GlobalSign Domain Validation CA - SGC
Serial Number: 04 00 00 00 00 01 1e 44 a5 f8 95
Subject KeyID: 36 12 4e 9e 71 c4 26 41 f1 fa f1 29 4c bf 17 a4 53 28 b6 eb
Validity time
Valid from: 04 May 2007 11:00:00
Valid to: 04 May 2017 13:00:00


Operational CA - Non SGC
Name: GlobalSign Domain Validation CA
Serial Number: 04 00 00 00 00 01 1e 44 a5 fa 2c
Subject KeyID: 36 12 4e 9e 71 c4 26 41 f1 fa f1 29 4c bf 17 a4 53 28 b6 eb
Validity time
Valid from: 04 May 2007 11:00:00
Valid to: 04 May 2017 13:00:00


Revision history for this message
shanen (Shannon Jacobs) (shanen) wrote :

I'm still confused why it works for IE but not Firefox, but this doesn't seem to be the right venue for that discussion in detail. I did try to find out what was going on, but obviously didn't get the right reference. Can you post a URL for an explanation focusing on the specific problem you referenced?

With regards to getting it fixed by NTTPC, I really have to wish you luck. My experiences with them have convinced me that they are awesomely incompetent. For example, their servers have been set with the wrong time zones for years, though I apparently managed to get it to the attention of the right guy so that they fixed it this week.

Revision history for this message
Daniel Richard G. (skunk) wrote :

Hi Shannon,

Here is a page that discusses intermediate certificates a bit:

    http://support.discountasp.net/KB/a134/ssl-certificates-intermediate-certificates-browser.aspx

I can't find a better treatment at the moment, but if I understand Steve correctly, it likely comes down to how IE can work around a broken SSL "chain of trust" setup by making use of the X.509 AIA (Authority Information Access) extension (covered in RFC3280) and fetching the missing intermediate certificates itself. Whereas Firefox says, "Fix your damn site, I'm not going to do your work for you" :-)

Steve, thank you for commenting here. This does appear to be nothing more than a misconfigured site. Firefox in Jaunty/9.04 can connect to the original adobe.com URL without a hitch, so at least for sites that bother to test with non-IE browsers, GlobalSign's certificates should Just Work(tm).
