Open ivanr opened 10 years ago
Thanks for leaving this open; it answered all my questions save for one, and I just answered that myself. That question being, does the presence of this bad certificate break converting the ones listed after it? The answer is no, it doesn't.
This was fixed with https://github.com/golang/go/commit/a0ea93dea5f5741addc8c96b7ed037d0e359e33f and made it into 1.6.
It seems that Go currently doesn't handle certificates with negative serial numbers: https://code.google.com/p/go/issues/detail?id=8265
At present, one of the root certificates in Mozilla's store has a negative serial number. As a result, the output of this tool will not contain all root certificates trusted by Mozilla. Even though this issue is outside the scope of this conversion script, I am submitting this issue so that the problem is documented.
Edit: Sorry, forgot to check previous issues for this problem. I've now seen #3 from 2012. That said, two years later the certificate still remains in Mozilla's root store. I recommend that this issue or #3 is kept open so that others are aware of the problem... until the offending certificate is removed.