On Friday, November 23, 2018 at 12:02:57 PM UTC+1, Kai Engert wrote:
...
> 
> How did you learn that TB refused it?
> 
> In account settings, security tab (not openpgp security tab), if you
> click a select button, does TB offer you to use that certificate?
> 

The usual way: Set one of the above mentioned email addresses in TB account 
settings, then choose S/MIME settings, choose Select and dialog appears: 

Zertifikateverwaltung kann kein gültiges Zertifikat finden, das verwendet 
werden kann, um Ihre Nachrichten mit der Adresse <myuid>@<companydomain> 
digital zu unterschreiben.

(Sorry for the German, my current locale is set to DE.)

The same happens with <myemailname>@<companydomain>.


> If it isn't offered, your certificate doesn't have the properties that
> TB expects. It would be helpful to see a full dump of the properties of
> your certificate. Does it include a certificate key usage extension that
> allows both digital signature and data encipherment?
> 

That is exactly what I am looking for: where are the certificate requirements 
specified other than in the TB source code? I would then like to instruct our PKI 
to add/change the missing extensions, fields, or expected X.500 name formats. 

In general: that is one of the big shortcomings of PKI, that any software is 
free to define which parts of the standards it accepts and how, see Chrome's 
subjectAlternativeName requirement for hostnames in server certs. While MS 
Outlook accepts it, TB doesn't. Not much help when promoting PKI company-wide 
across multiple OS platforms.

Regards
Martin

$ openssl x509 -in <cert> -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            39:00:00:3c:54:95:ad:db:bc:c1:71:d6:08:00:00:00:00:3c:54
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = <companydomain>, CN = <companycaname>
        Validity
            Not Before: Nov 22 11:30:54 2018 GMT
            Not After : Nov 21 11:30:54 2020 GMT
        Subject: CN = <myuid>@<companydomain>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:8b:e3:76:af:14:8d:f3:eb:8c:22:53:25:af:
                    de:ca:a6:8e:0d:87:80:1a:54:41:ad:1e:85:d6:96:
                    25:c4:3e:de:f3:44:4c:47:44:43:cc:44:ba:c4:a6:
                    ae:c6:85:19:6a:79:a7:eb:24:c5:a4:72:88:d0:cf:
                    b9:c0:94:e1:ec:0b:a9:ab:80:a2:1f:0f:30:72:4e:
                    4f:bb:dd:d5:90:b3:81:2d:37:dd:98:a6:4d:a5:6b:
                    11:6a:52:05:37:a5:83:20:94:53:52:ee:02:10:79:
                    8c:e8:1f:ce:c4:dd:44:53:c6:2d:41:57:24:7a:18:
                    44:31:21:13:ef:17:45:d3:73:c7:f9:0d:bc:f0:71:
                    ec:7a:54:ce:ba:78:08:93:78:32:31:cb:f4:af:8b:
                    02:4a:69:fe:83:69:14:ee:f5:dd:6c:2e:b1:df:56:
                    a6:77:1c:ca:38:29:62:f4:a8:af:78:7c:a4:75:33:
                    2f:4f:9d:1c:ac:20:ae:f1:6b:e1:a3:02:8d:d5:a9:
                    b2:10:b6:3e:ea:7e:45:de:10:94:06:92:79:99:40:
                    41:aa:ca:70:fe:e6:83:bd:39:8f:67:05:5e:80:6d:
                    8d:20:c2:2b:58:dd:74:69:ee:62:aa:9c:94:01:95:
                    46:b7:51:89:53:65:91:7c:76:b6:3e:6d:21:06:c7:
                    b9:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7: 
                0+.#+.....7.........a...5..R...(....5.)..d...
            1.3.6.1.4.1.311.21.10: 
                0.0
..+.......
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            S/MIME Capabilities: 
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
            X509v3 Subject Key Identifier: 
                EA:CB:7D:C9:38:C9:9A:AF:17:0F:42:74:E5:68:6B:B0:4A:CA:09:49
            X509v3 Subject Alternative Name: 
                DNS:vpn.<companydomain>, DNS:vpn2.<companydomain>, DNS:vpn-ro.<companydomain>, email:<myemailname>@<companydomain>
            X509v3 Authority Key Identifier: 
                keyid:69:27:1E:8A:1F:66:7B:EB:45:A1:EE:DC:58:C5:FB:15:AD:EC:C0:C8

            X509v3 CRL Distribution Points: 

                Full Name:
                  <hidden>                  
                  <hidden>

            Authority Information Access: 
                CA Issuers - <hidden>
                CA Issuers - <hidden>
    Signature Algorithm: sha256WithRSAEncryption
         52:1c:7e:ff:53:4e:5a:d9:ee:36:08:23:a3:f6:ea:31:9e:cc:
         5f:a5:46:9a:f3:39:51:4f:61:48:8e:0c:86:0d:84:95:b7:02:
         95:17:2d:a4:f4:0d:37:e6:05:f4:60:1a:d4:71:fd:57:13:88:
         71:45:73:12:a5:0e:e8:e5:e3:af:b5:a1:c2:04:86:c7:83:52:
         f5:58:65:0c:ea:99:74:dc:25:f3:bb:46:ac:42:d4:d9:cb:4d:
         80:2e:f3:1c:73:3f:77:08:b2:b3:0c:0c:3f:c3:9b:db:44:47:
         d4:24:37:20:c3:df:67:22:fb:00:e2:85:5d:a2:48:ca:df:a0:
         00:d2:ae:0d:d6:54:12:28:1b:cb:64:76:58:27:d6:c0:d9:6e:
         d8:70:14:1d:8a:d4:13:ce:ee:24:03:ac:6e:64:5d:1e:9f:ad:
         50:c4:09:c0:d5:41:cf:c7:2d:6a:f5:d6:96:df:cb:ae:66:a9:
         63:24:f3:98:ea:30:d0:11:21:0b:24:d5:f3:72:fd:bc:96:73:
         32:ed:fd:63:bc:9c:4e:3a:2f:64:57:7c:d6:51:12:d0:ed:ca:
         52:b0:69:93:f3:a1:ba:58:97:ab:d9:42:2d:27:e7:f6:38:e9:
         e9:0d:89:54:c3:4d:2f:62:cf:f8:29:d3:f2:92:a6:5a:ec:05:
         98:5a:b4:a7
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
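As an added illustration, not from the thread (which leaves open which property TB actually objects to): the script below applies the certificate-profile checks from RFC 5750 section 4.4 (digitalSignature and keyEncipherment bits, an EKU that permits emailProtection if one is present, an rfc822Name in the SAN matching the account address) to the plain text of `openssl x509 -text`, so it copes with values a mail client has wrapped to column 0. The dump excerpt, the example.com names and the function names are constructed for the example.

```python
import re
# Constructed excerpt of an `openssl x509 -text -noout` dump with the fields an
# S/MIME client inspects; addresses and domains are made up for the example.
SAMPLE_DUMP = """\
        Subject: CN = jdoe@example.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:vpn.example.com, DNS:vpn2.example.com, 
DNS:vpn-ro.example.com, email:john.doe@example.com
"""

def extension_value(dump, name):
    """Return the value text under one extension header, or None if absent."""
    # openssl indents headers by 12 spaces and values by 16; a mail client may
    # re-wrap long values to column 0, so only a 1..12 space indent ends a value.
    collected, grabbing = [], False
    for line in dump.splitlines():
        indent = len(line) - len(line.lstrip())
        if grabbing:
            if 0 < indent <= 12:
                break
            collected.append(line.strip())
        elif re.match(r"\s*" + re.escape(name) + r":", line):
            grabbing = True
    return " ".join(collected) if grabbing else None

def smime_checks(dump, address):
    """Apply the RFC 5750 section 4.4 certificate properties for S/MIME use."""
    ku = extension_value(dump, "X509v3 Key Usage") or ""
    eku = extension_value(dump, "X509v3 Extended Key Usage")
    san = extension_value(dump, "X509v3 Subject Alternative Name") or ""
    emails = [e.lower() for e in re.findall(r"email:([^,\s]+)", san)]
    return {
        "can_sign": "Digital Signature" in ku,          # digitalSignature bit
        "can_encrypt": "Key Encipherment" in ku,        # keyEncipherment bit
        # EKU may be absent; if present it must name emailProtection or any EKU.
        "eku_allows_email": eku is None
        or "E-mail Protection" in eku
        or "Any Extended Key Usage" in eku,
        "san_emails": emails,                           # rfc822Name entries
        "address_in_san": address.lower() in emails,
    }

if __name__ == "__main__":
    print(smime_checks(SAMPLE_DUMP, "john.doe@example.com"))
```

Run it against your own dump with the address configured in the TB account; any False entry is a property worth raising with the PKI team.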
