NSS PKINIT requires nsCertType extension?

Greg Hudson ghudson at mit.edu
Wed Feb 1 11:07:06 EST 2017


On 01/31/2017 10:09 AM, Matt Rogers wrote:
> It turns out NSS is expecting the Netscape
> certificate type extension (nsCertType = client/server in
> openssl.cnf), and adding it to the test certificates made the tests
> pass. Is this expected, or documented anywhere?

I remember NSS having some behavior differences which made NSS PKINIT
not a drop-in for the OpenSSL implementation, but I don't remember if
this was one Nalin had discussed.  I went back and looked at the
conversation on krbdev in September and October 2011 when we merged it,
but there wasn't any discussion of behavior differences there.

I've actually been meaning to ask if we can remove the NSS PKINIT
implementation, since it was motivated by
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
which is now defunct.  What led you to try it out?

