On Wednesday, 31 January 2018 06:43:19 CET John Jiang wrote:
> In order to describe my point clearly, please consider the below simple
> example.
>
> 1. Two certificates with the same subject (CN=www.example.com) and different
> nicknames (respectively, example1 and example2). Both of them are in PKCS12
> format.
>
> 2. Import the certificates to an existing database
> $ pk12util -i example1.p12 -d sql:exampledb -W 'example1pass'
> pk12util: PKCS12 IMPORT SUCCESSFU
> $ pk12util -i example2.p12 -d sql:exampledb -W 'example2pass'
> pk12util: PKCS12 IMPORT SUCCESSFU
>
> 3. List the certificates
> $ certutil -d sql:exampledb -L
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> example1                                                     u,u,u
> example1                                                     u,u,u
> Only nickname "example1" is listed.
>
> 4. Display certificate example1
> $ certutil -d sql:exampledb -L -n example1
> Here, indeed, certificate example2 is displayed.
>
> It looks like a bug.

This is expected and is an artefact of the way NSS stores certificates in the
database. Since a newer certificate will be used when requested by the
application, it should not cause any problems.

> Best regards,
> John Jiang
>
> 2018-01-31 13:07 GMT+08:00 John Jiang <john.sha.ji...@gmail.com>:
> > Hi,
> > I'm using NSS 3.35.
> >
> > With my testing, it is not allowed to import multiple certificates with the
> > same subject and different nicknames to a certificate database via
> > pk12util. I just want to confirm this point.
> >
> > Best regards,
> > John Jiang

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto