|Subject:||Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem|
|Date:||Wed, 14 Sep 2011 18:46:00 +0200|
|To:||bug-Mozilla-CA [...] rt.cpan.org|
|From:||Tomas Hoger <thoger [...] redhat.com>|
Hi! cacert.pem in the latest Mozilla-CA version (20110904) seems to have been generated with old mk-ca-bundle.pl that is unable to cope with untrusted certificates from certdata.txt. You should really be using current version that is able to skip those CAs that are imported to nss/mozilla bundle flagged as untrusted:Changelog for the 20110904 says: - Remove and distrust DigiNotar seems to refer to: which removes DigiNotar cert, re-adds it and also re-adds all other DigiNotar intermediates that nss/mozilla has as untrusted. th.