Neil wrote, On 2008-02-22 03:05:
> Here is what I got to work, loosely based on instructions from Kai Engert:
> 
> cvs -d :pserver:[EMAIL PROTECTED]/cvsroot co mozilla/nsprpub mozilla/security/nss mozilla/security/coreconf mozilla/security/dbm mozilla/dbm
> make -C mozilla/security/nss nss_build_all
> 
> Then, in the profile directory run these commands:
> 
> certutil -d . -S -n example-ca -s CN=ExampleCA,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US -t C,C,C -x -m 0 -w -3 -v 99 -5
> certutil -d . -S -n user -s CN=User,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US -c example-ca -t p,p,p -m 40 -v 60 -5
> 
> I was then able to create an additional identity for [EMAIL PROTECTED] 
> and specify that certificate for signing/encryption.

That user cert you created doesn't have an email address in it.
Consequently, there is no way for the identity configuration code to
automatically identify it as a candidate for the identity.
The code that configures certs for the identity (and presents certs to
the user, if a choice is necessary) should give preference to certs
with an email address that matches the identity's email address.

There are two ways to add an email address to your "user" cert,
the modern standards-compliant way, and the old de-facto standard way.

Modern way:
  Add to your command line this additional option:
    -7 [EMAIL PROTECTED]

Old way:
  Prepend this to your cert subject name (before the CN=)
       [EMAIL PROTECTED],

I suggest you try both (in separate certs).

Oh, and one question.  Is that "p,p,p" really necessary?
The 'p' override flags should not be necessary.  Please try -t ",,".

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
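
The two ways of carrying the address described in the reply above, issued side by side in a scratch database and then inspected; this is an added example, not part of the original messages. Assumptions: `user@example.com` is a constructed address standing in for the redacted one, the nicknames `user-san` and `user-dn`, the serial numbers and the temporary directory are made up, `E=` is the NSS subject keyword used for the old form, the interactive `-5` prompt is left out, and `-t ",,"` follows the suggestion in the reply.

```shell
#!/bin/sh
ADDR="user@example.com"   # constructed address, not from the thread
BASE_DN="CN=User,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US"
CA_DN="CN=ExampleCA,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US"

# Subject name per variant: the old way prepends the address to the DN.
user_subject() {
    case "$1" in
        old)    printf 'E=%s,%s\n' "$ADDR" "$BASE_DN" ;;
        modern) printf '%s\n' "$BASE_DN" ;;
        *)      return 1 ;;
    esac
}

# Extra option per variant: the modern way adds -7 (subjectAltName rfc822Name).
email_opt() {
    case "$1" in
        modern) printf '%s %s\n' -7 "$ADDR" ;;
        old)    : ;;
        *)      return 1 ;;
    esac
}

# $1 = variant, $2 = nickname, $3 = database dir, $4 = serial number
issue_user_cert() {
    # email_opt is unquoted on purpose so "-7 addr" splits into two words.
    certutil -d "$3" -S -n "$2" -s "$(user_subject "$1")" -c example-ca \
        -t ",," -m "$4" -v 60 -z "$3/noise" $(email_opt "$1")
}

demo() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 1; }
    db=$(mktemp -d) || return 1
    head -c 64 /dev/urandom > "$db/noise"          # seed file for key generation
    certutil -N -d "$db" --empty-password
    certutil -d "$db" -S -n example-ca -s "$CA_DN" -x -t "C,C,C" -m 1 -v 99 \
        -z "$db/noise"
    issue_user_cert modern user-san "$db" 40
    issue_user_cert old    user-dn  "$db" 41
    # Show where the address ended up in each certificate.
    for nick in user-san user-dn; do
        echo "== $nick"
        certutil -d "$db" -L -n "$nick" | grep -E 'Subject:|RFC822 Name'
    done
    rm -rf "$db"
}

# Run the scratch-database demo only when asked: sh script.sh run
if [ "${1:-}" = run ]; then demo; fi
```

In the listing for `user-san` the address appears only as an RFC822 name in the Subject Alt Name extension, while for `user-dn` it is part of the subject string itself.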