On Thu, Feb 11, 2016 at 09:58:17PM -0600, Endi Sukma Dewata wrote:
>On 1/12/2016 7:37 PM, Fraser Tweedale wrote:
>>The attached patch fixes certificate import in Chrome.
>>https://fedorahosted.org/pki/ticket/1245#comment:5
>>
>>Thanks,
>>Fraser
>
>If I understand it correctly, the importCAChain=false means that the server
>will return only the leaf certificate in DER format instead of the entire
>certificate chain in PKCS #7 format. Does this mean the certificate chain
>will have to be imported separately, and how?

That is correct. Chrome apparently does not support chain import
(only a single cert can be imported). Requires more investigation
as to how to import intermediaries. I might file a separate ticket
for that, or OTOH I can withdraw this patch until a "proper" fix can
be found (if there is one).
Cheers,
Fraser