Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
On 2010-07-21 18:26 PDT, Amax Guan wrote:
> Thank you very much, this really helps a lot :) We won't let end-users use that tool; instead, we put it in an installer and let the installer do the dirty work.
>
> btw, since this certutil.exe is downloaded from microsoft.com, I'm a little worried about whether this certutil.exe is the same certutil.exe in NSS?

Microsoft's certutil is definitely NOT the same as NSS's.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Fwd: Hi, I have three questions about embed bank CA cert in Firefox
Thank you very much, it's very helpful. I put most of the replies inline.

On Wed, Jul 21, 2010 at 8:30 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 20/07/10 04:23, Amax Guan wrote:
>> I've got a problem helping China Construction Bank (CCB for short) support Firefox. CCB has its own CA root, used to issue certificates to its users, and they issued some server certs using this cert.
>
> Do you know why they cannot buy a cert from a trusted CA, like every other business (including most banks)?

I think basically it's because they have too many certs to issue (one for each user); it costs too much money, and they do not want anyone else to know how many users they have, and their names, including the CA. Kai mentioned that it's OK to use an untrusted-CA-signed user certificate in Firefox to sign, but they are not only using this cert for signing, they also use the cert for two-way SSL, and they periodically renew the cert. But if you generate a user certificate that's issued by an untrusted CA, there will be an alert popup.

The server cert I don't know why, but I guess maybe it's because they already have this CA system, they just want to save some money and time? I mean not every cert on their website is signed by themselves; they have Verisign certificates on most of their webpages, but on some specific server, they use a cert issued by their own CA. The server using their own CA is in the certificate generation process; I wonder, is it related to two-way SSL or something?

And btw, every bank in China has its own CA system to generate user certificates.

>> And they want to put their CA root certificate into Firefox, so that there will be no alert popup in the certificate generation process and no security alert when users access their website. And here come the questions:
>
> Can you be more specific about the errors that people who bank with CCB encounter in the certificate generation process?

They use the keygen tag to generate the user certificate (they need to renew the certificate periodically), and the form is submitted to a cert page with contentType=x509/certificate or something like that. Firefox will automatically save the certificate to where its corresponding key is, and after that pop up an alert saying the cert was downloaded successfully. AND THEN, if the CA of the cert is untrusted, Firefox will pop up another alert talking about "Cannot import the certificate, the issuer of the cert is unknown, the cert is invalid or

>> 1. Right now, we are trying to use certutil.exe in their USB-Key driver installer to do that. However, one of my colleagues seems to have some problem building certutil.exe in Visual Studio 2005. And sometimes, it fails to run on some machines. I tried to find a stable version of that tool through Google, but I failed. Is there any stable version of certutil I can download that will work on most versions of Windows? Or why is it so hard to build; is there some way to make it better?
>
> I don't know the answer to this particular question.

Unlucky for me :( Because according to several emails I made yesterday, this way seems to be the most doable and effective way.

>> 2. Since the certutil.exe solution did not go very well, we think maybe we could embed their CA cert in our Firefox China Edition. According to my knowledge, at least half of the population in China are CCB bank users, and not being able to access online banking is our major problem in China, so we think this makes sense. We can make an addon to do that, but it occurred to us that an addon is so open that anyone who knows where it is can change the cert, or do something else dangerous. So, is there a better way to put the cert in? Maybe through a binary XPCOM is better?
>
> The Mozilla project does not issue copies of Firefox that trust new CAs without those CAs going through the official process, as described below. Even when we do go through the process, people still object - see the CNNIC case. There is absolutely no chance of any official Firefox being released which trusts a cert belonging to another Chinese company, or any company, without it going through the trust checking process. Many of our users in China, as well as those elsewhere, would not like it.
>
> CCB may, of course, create their own addon to add the cert (assuming that's technically possible). But all their customers would need to install it individually. It is no more or less dangerous to use an addon than any other method.
>
> What is the current procedure for people who bank with CCB who use IE, Safari or Chrome? Do those browsers trust the CCB certificate?

CCB only works in IE right now, and online banking sure is our top priority in China now. In IE, there is a concept of a trust zone, and in their installer, they put themselves in the trust zone and put their CA cert in the Windows cert DB through CSP. Btw: they are talking with MS to put their CA root in Windows.

>> 3. Is it possible to put the
Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
On 2010-07-21 16:26, Amax Guan wrote:
> Thank you very much, it's very helpful. I put most of the replies inline.
>
> On Wed, Jul 21, 2010 at 8:30 AM, Gervase Markham <g...@mozilla.org> wrote:
>> On 20/07/10 04:23, Amax Guan wrote:
>>> I've got a problem helping China Construction Bank (CCB for short) support Firefox. CCB has its own CA root, used to issue certificates to its users, and they issued some server certs using this cert.
>>
>> Do you know why they cannot buy a cert from a trusted CA, like every other business (including most banks)?
>
> I think basically it's because they have too many certs to issue (one for each user); it costs too much money, and they do not want anyone else to know how many users they have, and their names, including the CA.

Absolutely. It would be extremely inconvenient also-

> Kai mentioned that it's OK to use an untrusted-CA-signed user certificate in Firefox to sign, but they are not only using this cert for signing, they also use the cert for two-way SSL, and they periodically renew the cert. But if you generate a user certificate that's issued by an untrusted CA, there will be an alert popup.

If that's really true I would call it a bug. I guess it is renewal that really is the problem? keygen doesn't support renewals. Few if any end-user bank certificates have their root in browsers.

> The server cert I don't know why, but I guess maybe it's because they already have this CA system, they just want to save some money and time? I mean not every cert on their website is signed by themselves; they have Verisign certificates on most of their webpages, but on some specific server, they use a cert issued by their own CA. The server using their own CA is in the certificate generation process; I wonder, is it related to two-way SSL or something?
>
> And btw, every bank in China has its own CA system to generate user certificates.

Yes, and that is how it should be; SSL certificates are another (hopefully unrelated) topic.

Anyway, Chinese banks will some day get a solution in Firefox that actually addresses consumers (rather than cryptographers), but it will take some time to get it out of the door:
http://webpki.org/auth-token-4-the-cloud.html

Since US banks and government agencies do not use certificates for consumers and citizens, this is primarily a European/Asian issue and we cannot expect to get any support from Mozilla except maybe a "Good luck" or so :-)

Regards
Anders Rundgren
Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
Hi Anders,

Thanks for your information. Do you know where I can download a Windows binary of certutil.exe?

On Wed, Jul 21, 2010 at 11:32 PM, Anders Rundgren <anders.rundg...@telia.com> wrote:
> On 2010-07-21 16:26, Amax Guan wrote:
>> I think basically it's because they have too many certs to issue (one for each user); it costs too much money, and they do not want anyone else to know how many users they have, and their names, including the CA.
>
> Absolutely. It would be extremely inconvenient also-
>
>> Kai mentioned that it's OK to use an untrusted-CA-signed user certificate in Firefox to sign, but they are not only using this cert for signing, they also use the cert for two-way SSL, and they periodically renew the cert. But if you generate a user certificate that's issued by an untrusted CA, there will be an alert popup.
>
> If that's really true I would call it a bug. I guess it is renewal that really is the problem? keygen doesn't support renewals. Few if any end-user bank certificates have their root in browsers.
>
>> The server cert I don't know why, but I guess maybe it's because they already have this CA system, they just want to save some money and time? I mean not every cert on their website is signed by themselves; they have Verisign certificates on most of their webpages, but on some specific server, they use a cert issued by their own CA. The server using their own CA is in the certificate generation process; I wonder, is it related to two-way SSL or something?
>>
>> And btw, every bank in China has its own CA system to generate user certificates.
>
> Yes, and that is how it should be; SSL certificates are another (hopefully unrelated) topic.
>
> Anyway, Chinese banks will some day get a solution in Firefox that actually addresses consumers (rather than cryptographers), but it will take some time to get it out of the door:
> http://webpki.org/auth-token-4-the-cloud.html
>
> Since US banks and government agencies do not use certificates for consumers and citizens, this is primarily a European/Asian issue and we cannot expect to get any support from Mozilla except maybe a "Good luck" or so :-)
>
> Regards
> Anders Rundgren
Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
On 2010-07-21 17:57, Amax Guan wrote:
> Hi Anders
>
> Thanks for your information. Do you know where I can download a Windows binary of certutil.exe?

Hi Amax,

Try this SDK which is supposed to contain certutil.exe as well:
http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&displaylang=en

But I can't imagine end-users dealing with such a horrible tool. This is for *cryptographers* only.

Making a Chinese Firefox distribution should be a more workable solution.

Anders
Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
Hi,

> The server using their own CA is in the certificate generation process; I wonder, is it related to two-way SSL or something?

If they use the web-based solution to enroll certificates from the CA, which is quite widely used, then why not distribute the CA public certificate by the same page to import it into browsers before the enrollment process (done once only)?

From the development point of view it can be done with a simple servlet returning the serialized encoded X509Certificate (of the CA) in a response stream. For the Firefox case, when the content type application/x-x509-ca-cert is set, the import starts automatically, showing the FF dialog box for confirmation and trust settings. Short user help in a few steps on the same page should do to deal with the process, which is definitely less complicated than enrollment.

A good practice is also to protect such a page with Extended Validation SSL from some authority like:
http://www.verisign.com/ssl/ssl-information-center/extended-validation-ssl-certificates/

Greetings,
Waldek
Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
On 21/07/10 07:26, Amax Guan wrote:
> I think basically it's because they have too many certs to issue (one for each user); it costs too much money, and they do not want anyone else to know how many users they have, and their names, including the CA.

Right. I am not suggesting that they get client certs from Verisign, I am suggesting they get their server cert from Verisign. There is no need for their server SSL cert to use the same CA as their client certs (at least, I don't think so - I'm open to being corrected).

> But if you generate a user certificate that's issued by an untrusted CA, there will be an alert popup.

Can some NSS or PSM hacker explain why this is?

Gerv
RE: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
-----Original Message-----
From: dev-tech-crypto-bounces+ryan-mozdevtechcrypto=sleevi@lists.mozilla.org [mailto:dev-tech-crypto-bounces+ryan-mozdevtechcrypto=sleevi@lists.mozilla.org] On Behalf Of Gervase Markham
Sent: Wednesday, July 21, 2010 1:22 PM
To: dev-tech-crypto@lists.mozilla.org
Cc: Amax Guan
Subject: Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox

> On 21/07/10 07:26, Amax Guan wrote:
>> But if you generate a user certificate that's issued by an untrusted CA, there will be an alert popup.
>
> Can some NSS or PSM hacker explain why this is?
>
> Gerv

While neither an NSS nor PSM hacker, the implementation details (in moz-central) are at [1].

If any certs beyond the user cert are supplied, then ImportValidCACerts() is called. The certificates are all imported as temporary certificates, then each certificate is tested to see if a chain can be built [2].

The simple way to work around this would be to only supply the user's certificate in the application/x-x509-user-cert (since the user's cert is not placed through this verification logic) OR, first supply (and have the user install) the CA certificate of the issuing authority using the previously recommended application/x-x509-ca-cert.

As for a good answer why, I can only speculate, but I suspect some code paths would be affected by blindly importing certificates without first vetting their chain. e.g., a malicious party could supply a certificate that appeared to be the same as a valid intermediate CA certificate (except that the signature was wrong, naturally). If that certificate ended up being selected during chain building/locating by subject/etc (pre-libpkix/STAN), then it would cause connections using that intermediate to fail (a DoS).

Actually, a little CVS blame digging, and it turns out this is the case. See [3].

[1] http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCertificateDB.cpp#885
[2] http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCertificateDB.cpp#772
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=249004
Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
On 2010-07-21 10:50 PDT, Ryan Sleevi wrote, quoting Gervase Markham:
>> On 21/07/10 07:26, Amax Guan wrote:
>>> But if you generate a user certificate that's issued by an untrusted CA, there will be an alert popup.
>>
>> Can some NSS or PSM hacker explain why this is?
>>
>> Gerv
>
> While neither an NSS nor PSM hacker,

Considering the excellent job you did with the research below, I do hereby pronounce you to be an official PSM hacker!

> the implementation details (in moz-central) are at [1].
>
> If any certs beyond the user cert are supplied, then ImportValidCACerts() is called. The certificates are all imported as temporary certificates, then each certificate is tested to see if a chain can be built [2].
>
> The simple way to work around this would be to only supply the user's certificate in the application/x-x509-user-cert (since the user's cert is not placed through this verification logic) OR, first supply (and have the user install) the CA certificate of the issuing authority using the previously recommended application/x-x509-ca-cert.

Exactly the advice I was going to give. This is as intended. The user's own cert may be imported without any restriction. It is not required to chain to any known authority. But authority certs, in general, and certs for other than the user's own, are required to chain to known authorities, lest they be used for attacks.

The Chinese bank should be able to merely download just the user's cert to the browser, and then when requesting client auth, request it using the name of the issuer of the client's cert. The browser will then send just the client's cert, which the bank will be able to validate by supplying the rest of the chain itself. This is all S.O.P.

> As for a good answer why, I can only speculate, but I suspect some code paths would be affected by blindly importing certificates without first vetting their chain. e.g., a malicious party could supply a certificate that appeared to be the same as a valid intermediate CA certificate (except that the signature was wrong, naturally). If that certificate ended up being selected during chain building/locating by subject/etc (pre-libpkix/STAN), then it would cause connections using that intermediate to fail (a DoS).
>
> Actually, a little CVS blame digging, and it turns out this is the case. See [3].
>
> [1] http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCertificateDB.cpp#885
> [2] http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCertificateDB.cpp#772
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=249004

--
/Nelson Bolyard
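As an added example, not code from this thread nor from Mozilla, NSS or the bank: the Go program below, using constructed in-memory certificates with made-up names, models the three points made above. CertHandler is Waldek's page that serves the CA under application/x-x509-ca-cert, ImportUserCertBundle is the PSM rule Ryan and Nelson describe for application/x-x509-user-cert (the user's own cert is stored unchecked, extra CA certs must already chain to the trust store or the import is refused), and VerifyClientCertAtServer is Nelson's S.O.P. of validating the lone client cert with the bank's own root. All function and type names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// check aborts on setup errors; the fixture below is constructed test data.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// BankPKI stands in for the bank's private CA: a self-signed root and one user cert it issued.
type BankPKI struct {
	Root, User *x509.Certificate
}

// NewBankPKI builds the constructed root and client (user) certificates in memory.
func NewBankPKI() *BankPKI {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Bank Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	check(err)
	root, err := x509.ParseCertificate(rootDER)
	check(err)
	userTpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: "bank customer 0001 (constructed)"},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER, err := x509.CreateCertificate(rand.Reader, userTpl, root, &userKey.PublicKey, rootKey)
	check(err)
	user, err := x509.ParseCertificate(userDER)
	check(err)
	return &BankPKI{Root: root, User: user}
}

// CertHandler serves one certificate as DER under the given MIME type: application/x-x509-ca-cert
// makes Firefox open its CA import/trust dialog; application/x-x509-user-cert files the user cert.
func CertHandler(cert *x509.Certificate, mime string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", mime)
		w.Write(cert.Raw)
	}
}

// ImportUserCertBundle models the PSM rule from the thread for an x-x509-user-cert response: the
// first certificate (the user's own) is stored without any chain check, but each extra CA cert
// must already chain to the trust store, otherwise the import is refused (the alert users see).
func ImportUserCertBundle(bundle []*x509.Certificate, trusted *x509.CertPool) (kept int, refused bool) {
	if len(bundle) == 0 {
		return 0, false
	}
	kept = 1 // the user's own certificate
	for _, ca := range bundle[1:] {
		if _, err := ca.Verify(x509.VerifyOptions{Roots: trusted}); err != nil {
			refused = true
			continue
		}
		kept++
	}
	return kept, refused
}

// VerifyClientCertAtServer is the S.O.P. Nelson describes: the browser sends only the user's
// certificate, and the bank's server completes and checks the chain with its own copy of the root.
func VerifyClientCertAtServer(leaf, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	pki := NewBankPKI()
	_, refused := ImportUserCertBundle([]*x509.Certificate{pki.User, pki.Root}, x509.NewCertPool())
	fmt.Println("untrusted root refused:", refused, "leaf verified at server:", VerifyClientCertAtServer(pki.User, pki.Root))
}
```

With an empty trust store the bundle that carries the bank's root is refused while the user cert alone imports cleanly; after the root has been imported once through the ca-cert handler the same bundle imports without complaint.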
Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox
Hi Anders,

Thank you very much, this really helps a lot :) We won't let end-users use that tool; instead, we put it in an installer and let the installer do the dirty work.

btw, since this certutil.exe is downloaded from microsoft.com, I'm a little worried about whether this certutil.exe is the same certutil.exe in NSS?

On Thu, Jul 22, 2010 at 12:14 AM, Anders Rundgren <anders.rundg...@telia.com> wrote:
> On 2010-07-21 17:57, Amax Guan wrote:
>> Hi Anders
>>
>> Thanks for your information. Do you know where I can download a Windows binary of certutil.exe?
>
> Hi Amax,
>
> Try this SDK which is supposed to contain certutil.exe as well:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&displaylang=en
>
> But I can't imagine end-users dealing with such a horrible tool. This is for *cryptographers* only.
>
> Making a Chinese Firefox distribution should be a more workable solution.
>
> Anders