Closed Bug 584066 Opened 14 years ago Closed 9 years ago

Firefox is having issues opening the URL for the crl file for web sites. Fails with error: ffffe00a. IE works fine.

Categories

(Core :: Security: PSM, defect)

x86
Windows 7
defect
Not set
major


RESOLVED INVALID

People

(Reporter: christina_kulick, Unassigned)


Details

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

I am using Certificate Services on Windows Server 2008 R2. I just renewed the issuing CA certificates and the CRL has a parenthesis "()". Is Firefox having a problem with the ()? I am able to use IE 8 with no errors. I opened a case with Microsoft; they suggest that I contact you since they confirmed there is nothing wrong with the certificate.

Firefox is having a hard time rendering the parenthesis () in the URL for the CRL file. We removed the () and Firefox was fine, but that is the old CRL for the old CA certificate. Microsoft IE has no problems, but Firefox gives an error. Confirmed launching the CRL from IE works fine.

Looked into the certificate using the command: certutil -verify -urlfetch cert >output.cer. It shows the chaining works well and has no issues:

    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

Also if we check the output, it confirms the chain hierarchy is met and all the CRL validation passes:

    Issuer: CN=Dell Inc. Enterprise Issuing CA1, O=Dell Inc.
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] http://dellincca.dell.com/crl/Dell%20Inc.%20Enterprise%20Issuing%20CA1(1).crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (0122)" Time: 0
    [0.0] http://dellincca.dell.com/crl/Dell%20Inc.%20Enterprise%20Issuing%20CA1(1).crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    --------------------------------
    Dell Inc. Enterprise CA
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] http://dellincca.dell.com/crl/Dell%20Inc.%20Enterprise%20CA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (10)" Time: 0
    [0.0] http://dellincca.dell.com/crl/Dell%20Inc.%20Enterprise%20CA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    --------------------------------

We would need to check with Firefox to see why this is happening.

Reproducible: Always

Steps to Reproduce:
1. http://dellincca.dell.com/crl/Dell%20Inc.%20Enterprise%20Issuing%20CA1(1).crl
2. Error occurs, pop-up box that says: The application cannot import the Certificate Revocation List (CRL). Error importing CRL to local Database. Error Code: ffffe00a. Please ask your system administrator for assistance.

Actual Results: I am not able to load the page.
Group: core-security
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
I wasn't able to reproduce this problem on Win7 or XP using 3.0.19, 3.5.11, or 3.6.8. I tried a nightly 3.6 build on Win7 and no problem. Where I do see this error is in a 3.6.9pre on Mac.
I received this error on my Win7 using 3.6 and XP using 3.6. What does the error code ffffe00a mean?
I think the error 0xFFFFE00A == -8182 == SEC_ERROR_BAD_SIGNATURE. This would indicate that the CRL is signed improperly. http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/util/secerr.h#60
When I access the https page, I get an error that the certificate is not trusted. That is because the Issuing CA is not in the certificate store. The CA certificate does chain up to GTE CyberTrust Global Root. When I add the exception, then I can import the CRL with no problems. So I looked at the AIA up the chain and realized that Dell Inc. Enterprise CA does not contain AIA for the GTE CyberTrust. Do you believe that is causing the problem? How does Firefox validate the chain of trust? With IE it is going into the local certificate store, but I know that Firefox uses its own.
@ckulick: can you post the https link? I'd like to try loading it and see what happens, perhaps in a debugger. (I didn't see any https links in this bug, just http links).
(In reply to comment #4)
> When I access the https page, I get an error that the certificate is not trusted.
> That is because the Issuing CA is not in the certificate store. The CA
> certificate does chain up to GTE CyberTrust Global Root. When I add the
> exception, then I can import the CRL with no problems. So I looked at the AIA
> up the chain and realized that Dell Inc. Enterprise CA does not contain AIA for
> the GTE CyberTrust.

The copy I've got my hands on (the one in the link you provide above) does indeed have the AIA for the Dell Inc. Enterprise CA, and the chain seems fine. In fact, I removed the Dell CA from my authorities DB and when I attempted to import the first CA (Enterprise Issuing CA(1)) it chains up fine.

> Do you believe that is causing the problem? How does
> Firefox validate the chain of trust? With IE it is going into the local
> certificate store, but I know that Firefox uses its own.

I'm still thinking maybe the CRL was signed wrong. Yesterday I was playing with the CRL, not the certificate, but I just tried importing the CRL again, and I don't get the error. Did the CRL change? I tried this yesterday in the same browser on the same computer and was able to recreate the error you mentioned, but today it works fine on 4.0b2 and 3.6.8 on Mac.

Juan: can you re-verify on Windows?
The CRL for Dell Inc. Enterprise Issuing CA1 is new, but Microsoft confirmed there is nothing wrong with the file. I get the error the first time I access the CRL. If I add exception for the certificate, the CRL will load fine.
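Two things this thread turns on can be reproduced locally: what the dialog's error code means (comment 3) and what happens when a CRL is checked against whichever issuer certificate is in the local store (comments 4 and 8). The script below is an added example for this page; it is not code from this bug, from Firefox or from NSS. It first decodes a PSM error code the way comment 3 does: the dialog prints the NSS PRErrorCode as an unsigned 32-bit hex value, NSS defines SEC_ERROR_BASE as -0x2000, and the SEC_ERROR_* names are offsets from that base in secerr.h (only offsets I am certain of are listed). It then builds a throwaway CA, a "renewed" CA with the same subject DN but a fresh key pair, and an unrelated CA, issues a CRL from the renewed CA and verifies it against each. It assumes a POSIX shell and an openssl binary on PATH; the DNs, file names and "Example Corp" are constructed and have nothing to do with Dell's real PKI. It shows only the signature-check failure class that SEC_ERROR_BAD_SIGNATURE reports, and makes no claim about what actually happened to the reporter's CRL.

```shell
#!/bin/sh
# Added example for bug 584066; not code from the bug, Firefox or NSS.
set -e

# --- 1. Decode the error code shown by the PSM dialog -----------------------
# The dialog prints the NSS PRErrorCode as an unsigned 32-bit hex value.
# NSS numbers SEC_ERROR_* codes upward from SEC_ERROR_BASE (-0x2000 = -8192);
# the offsets in the case table are the ones from secerr.h.
psm_errname() {
    code=$(( 0x$1 ))
    if [ "$code" -gt 2147483647 ]; then
        code=$(( code - 4294967296 ))      # reinterpret as signed int32
    fi
    off=$(( code + 8192 ))
    case "$off" in
        0)  n=SEC_ERROR_IO ;;
        1)  n=SEC_ERROR_LIBRARY_FAILURE ;;
        2)  n=SEC_ERROR_BAD_DATA ;;
        5)  n=SEC_ERROR_INVALID_ARGS ;;
        8)  n=SEC_ERROR_INVALID_TIME ;;
        9)  n=SEC_ERROR_BAD_DER ;;
        10) n=SEC_ERROR_BAD_SIGNATURE ;;
        11) n=SEC_ERROR_EXPIRED_CERTIFICATE ;;
        12) n=SEC_ERROR_REVOKED_CERTIFICATE ;;
        13) n=SEC_ERROR_UNKNOWN_ISSUER ;;
        20) n=SEC_ERROR_UNTRUSTED_ISSUER ;;
        21) n=SEC_ERROR_UNTRUSTED_CERT ;;
        31) n=SEC_ERROR_CRL_EXPIRED ;;
        32) n=SEC_ERROR_CRL_BAD_SIGNATURE ;;
        33) n=SEC_ERROR_CRL_INVALID ;;
        *)  n="unknown (SEC_ERROR_BASE + $off)" ;;
    esac
    echo "$n ($code)"
}

# --- 2. A CRL checked against the right name but the wrong key --------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_ca <basename> <subject DN>: self-signed CA cert and key (constructed).
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" 2>/dev/null
}

# gen_crl <ca basename> <out>: empty CRL signed by that CA's private key.
# openssl ca needs a database dir and a config; both are throwaway here.
gen_crl() {
    d="$WORK/db_$1"
    mkdir -p "$d"
    : > "$d/index.txt"
    echo 1000 > "$d/crlnumber"
    echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database         = $d/index.txt
crlnumber        = $d/crlnumber
serial           = $d/serial
new_certs_dir    = $d
certificate      = $WORK/$1.pem
private_key      = $WORK/$1.key
default_md       = sha256
default_crl_days = 1
EOF
    openssl ca -config "$d/ca.cnf" -gencrl -crldays 1 -md sha256 -out "$2" 2>/dev/null
}

# verify_crl <crl> <ca pem>: prints "ok" if the CRL signature verifies against
# the certificate in <ca pem> (looked up by issuer name), else "bad".
verify_crl() {
    if openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'; then
        echo ok
    else
        echo bad
    fi
}

DN='/O=Example Corp/CN=Example Issuing CA1'      # constructed DN
gen_ca old_ca "$DN"                              # original CA cert + key
gen_ca new_ca "$DN"                              # renewed: same DN, new key pair
gen_ca other_ca '/O=Example Corp/CN=Unrelated CA'
gen_crl new_ca "$WORK/ca1.crl"                   # CRL signed by the renewed key

psm_errname FFFFE00A
for ca in new_ca old_ca other_ca; do
    echo "CRL vs $ca: $(verify_crl "$WORK/ca1.crl" "$WORK/$ca.pem")"
done
```

Run it with `sh crl-check.sh`. The renewed CA succeeds, the original CA fails even though its subject matches the CRL issuer exactly (the store finds the name, then the signature does not verify under that key), and the unrelated CA fails because no issuer is found at all. `openssl crl` reports the result as "verify OK" or "verify failure" on stderr and its exit status does not reliably distinguish the two, so verify_crl greps the message instead of trusting `$?`.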
Bug 867465 removed support for CRLs in the UI, and support for importing CRLs. => INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Depends on: 867465
Resolution: --- → INVALID