Kelsey, DP (David) wrote:
> Ian,
>
> CNRS acts as a "catch-all" CA and therefore signs certs for many different
> namespaces.
> I think GSI ignores anything to do with CA hierarchies so I imagine the
> signing policy of one CA is never checked against another even if it is
> higher up some hierarchy (not 100% sure of that statement).
>
> The best evidence I think is lack of anyone else reporting problems... so I
> suspect it's a configuration issue.
>
> .... Or a CRL out of date?
>
> If are you still having problems I can forward to the CA list, but could do
> with a few more details.
Thanks, it turns out it had to do with the CA chain. The site I was
trying to access had installed the first CA, but not the full CA chain
back to the self-signed CA cert. They only realised this *after* they
told me they had manually installed the first CA, and I assumed they
meant they had installed *all* the CNRS CA certs.
So, back on track.
Ian
"Don't worry, everything is going to be alright."
--
Ian Stokes-Rees [log in to unmask]
Particle Physics, Oxford http://www-pnp.physics.ox.ac.uk/~stokes
|