Re: How do I set the default Certificate?

2003-01-06 Thread Julien Pierre
Hi,

tom glaab wrote:

 Julien Pierre [EMAIL PROTECTED] wrote
 
  In truth, most people do not have more than one valid cert per issuer
  with a different subject, much less more than one valid cert for more
  than one issuer.
 
 I'm in the minority then, and it is annoying. I've had a corporate
 cert for years, and it includes an email cert. Now a mandate has come
 down for everybody to get an identity-only cert from the same
 corporate CA, even if you already have one.

Normally, this is accomplished not by changing the subject of the
certificate, but by changing the keyusage. Changing the subject does not
make sense if the two certs belong to the same person and are from the
same issuer. This tells me your PKI is not implemented correctly.

For example, I have two corporate certs, one which is for encryption and
another for signing. The subject of both certificates is identical. The
signing certificate is used for identification purposes. You can see
them both in the signature of this message.

 I do find it annoying. While it's probably rare to find a person with
 multiple certs from the same CA I can see it happening more often... a
 single user may have his normal identity cert but also have a
 privileged or administrative cert. This probably shows more about the
 corporation's ignorance of PKI, but that's another story.

Well, there you go ...





Re: How do I set the default Certificate?

2003-01-04 Thread tom glaab
Julien Pierre [EMAIL PROTECTED] wrote
 In truth, most people do not have more than one valid cert per issuer 
 with a different subject, much less more than one valid cert for more 
 than one issuer. 

I'm in the minority then, and it is annoying. I've had a corporate
cert for years, and it includes an email cert. Now a mandate has come
down for everybody to get an identity-only cert from the same
corporate CA, even if you already have one.

 Therefore, in my opinion, the complexity of that UI 
 would outweigh its benefits. The ask every time setting already allows 
 you to do what you need, at the cost of an extra click at connection 
 time as you get prompted.

I do find it annoying. While it's probably rare to find a person with
multiple certs from the same CA I can see it happening more often... a
single user may have his normal identity cert but also have a
privileged or administrative cert. This probably shows more about the
corporation's ignorance of PKI, but that's another story.

 Another suggestion : if you never use the other (non-default) 
 certificate, you may as well delete it from your cert database,

I'm trying to find out if the new cert is really required, or if the
old cert is close enough. To further complicate things the
non-default cert is the one I use most often. Unfortunately I'm having
trouble getting the Citrix ICA plugin working on Mozilla to test all
this, but that's another story :-)

tg.




Re: How do I set the default Certificate?

2003-01-03 Thread tom glaab
All my certs are current and issued by the same CA. The subject is
different, though not by much (basically a firstname.lastname.serial).
The reason I have multiple certs from the same CA is political, and
the older, primary cert has more functionality but I have to keep the
new one for a server that will be stood up soon.

So we're back to the problem that I have multiple valid certs, but I
prefer to use something other than Mozilla's default selection.

If this isn't possible now I'll enter it in Bugzilla; I didn't want to
do that unless someone can provide a reason why it's not that way now.

thanks,
tg.


Julien Pierre [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]...
 tom glaab wrote:
  I have various client SSL certificates stored in my Netscape/Mozilla
  browser. Unfortunately Mozilla always defaults to the newest (by
  date), not the one I use most often.
  
  Is there a way to force Mozilla to use the other cert by default?
  
  thanks,
  tg.
 
 Do those certificates have the same subject or not ?
 
 If so, Mozilla will indeed choose the newest cert. If your PKI is 
 implemented properly, only one cert should be valid at any time, and any 
 old certs should be revoked by the CA. This is why Mozilla won't try to 
 use the old certs.
 
 If on the other hand the certs have different subjects, they should also 
 have different nicknames, and you can select the one you want to use. Go 
 to Edit/Preferences/Certificates and click on Ask every time.
 You will then be presented with a list of certificates to choose from 
 when you connect to an SSL server that requires a client cert.
 Do note however that in current versions of the SSL/TLS protocols, the 
 server dictates which cert issuers (CAs) it will accept, and therefore 
 not all your certificates will show up in the drop-down list, but rather 
 only the ones that have been issued by CAs deemed acceptable by the server.




Re: How do I set the default Certificate?

2003-01-03 Thread Julien Pierre
Tom,

tom glaab wrote:

All my certs are current and issued by the same CA. The subject is
different, though not by much (basically a firstname.lastname.serial).
The reason I have multiple certs from the same CA is political, and
the older, primary cert has more functionality but I have to keep the
new one for a server that will be stood up soon.

So we're back to the problem that I have multiple valid certs, but I
prefer to use something other than Mozilla's default selection.


Since your certs have distinct subjects (it doesn't matter how little 
the difference is), they will have different nicknames.
You can choose which cert to use. Select ask every time in the manner 
indicated in the previous message. You will then be prompted with a 
dialog which will contain the list of valid certs, and you will be able 
to pick the one you want.

It is true that there is no way to override the automatic selection with 
your own cert. However, the automatic selection is a dynamic process, as 
I mentioned previously. It is dependent upon the acceptable CA certs of 
particular servers. If you have multiple certs from different issuers 
(as for example, I do), then a default cert is meaningless. To take a 
concrete example:
I have a cert from Thawte and a corporate cert.
Which one do I set as default?
Corporate sites will require the corporate cert, and other certs from 
Thawte may require the Thawte cert.
The corporate cert is never acceptable to the Thawte servers, and vice 
versa.
A default only makes sense when there is ambiguity, i.e. you have two 
certs from the same issuer. There would have to be one default cert per 
issuer, rather than a global setting for the default cert. Or perhaps 
you would set a priority list of acceptable certs, that would be 
combined with the acceptable CAs when you connect to an SSL server. In 
either case, this would make a very complex and confusing UI.

In truth, most people do not have more than one valid cert per issuer 
with a different subject, much less more than one valid cert for more 
than one issuer. Therefore, in my opinion, the complexity of that UI 
would outweigh its benefits. The ask every time setting already allows 
you to do what you need, at the cost of an extra click at connection 
time as you get prompted.

Another suggestion: if you never use the other (non-default) 
certificate, you may as well delete it from your cert database, and 
Mozilla will then automatically make the right choice of certificate 
since there will be no ambiguity.
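The selection behaviour described across this thread (the server's list of acceptable CAs narrows the candidates, the automatic setting then takes the newest cert, "ask every time" lists the candidates by nickname, and deleting the unused cert removes the ambiguity) can be modelled in a few lines. The following is an added illustration written for this archive page, not Mozilla/NSS code; the certificate database, the DNs, the nicknames and the dates are constructed placeholders, and "newest" is taken to mean the latest notBefore date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ClientCert:
    """One entry in the browser's certificate database (constructed model)."""
    nickname: str      # name shown in the cert manager; differs whenever the subject differs
    subject: str       # subject DN
    issuer: str        # issuer DN, i.e. the CA that signed the cert
    not_before: date
    not_after: date
    revoked: bool = False   # set once the CA has revoked the cert


def is_valid(cert: ClientCert, today: date) -> bool:
    """Usable only inside its validity period and while the CA has not revoked it."""
    return cert.not_before <= today <= cert.not_after and not cert.revoked


def offered_certs(certs: Iterable[ClientCert], acceptable_cas: Iterable[str],
                  today: date) -> List[ClientCert]:
    """Certs the client may present to this server: valid, and issued by a CA the server accepts.

    In SSL/TLS the server's CertificateRequest carries the list of acceptable CA names,
    so the candidate set depends on the server, not on a global 'default' certificate.
    """
    cas = set(acceptable_cas)
    return [c for c in certs if is_valid(c, today) and c.issuer in cas]


def auto_select(certs: Iterable[ClientCert], acceptable_cas: Iterable[str],
                today: date) -> Optional[ClientCert]:
    """'Select automatically': the newest candidate by notBefore, or None if nothing fits."""
    candidates = offered_certs(certs, acceptable_cas, today)
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.not_before)


def ask_every_time(certs: Iterable[ClientCert], acceptable_cas: Iterable[str],
                   today: date) -> List[str]:
    """'Ask every time': the nicknames the prompt would list, newest first."""
    candidates = sorted(offered_certs(certs, acceptable_cas, today),
                        key=lambda c: c.not_before, reverse=True)
    return [c.nickname for c in candidates]


def without(certs: Iterable[ClientCert], nickname: str) -> List[ClientCert]:
    """Simulate deleting one certificate from the database."""
    return [c for c in certs if c.nickname != nickname]


# Constructed sample database; every DN, nickname and date is a placeholder.
CORP_CA = "CN=Example Corp Issuing CA,O=Example Corp"
PUBLIC_CA = "CN=Example Public CA,O=Example Public CA Inc"   # stands in for the public issuer
TODAY = date(2003, 1, 3)

CERT_DB = [
    ClientCert("corp ID (old, email+identity)", "CN=jdoe.1001,O=Example Corp",
               CORP_CA, date(2001, 3, 1), date(2004, 3, 1)),
    ClientCert("corp ID (new, identity only)", "CN=jdoe.2002,O=Example Corp",
               CORP_CA, date(2002, 12, 15), date(2005, 12, 15)),
    ClientCert("corp ID (revoked)", "CN=jdoe.0999,O=Example Corp",
               CORP_CA, date(2000, 1, 1), date(2003, 12, 31), revoked=True),
    ClientCert("public ID", "CN=J Doe,O=Example Public CA Inc",
               PUBLIC_CA, date(2002, 6, 1), date(2003, 6, 1)),
]


if __name__ == "__main__":
    corp_server, public_server = {CORP_CA}, {PUBLIC_CA}
    print("corporate server, automatic:", auto_select(CERT_DB, corp_server, TODAY).nickname)
    print("corporate server, ask every time:", ask_every_time(CERT_DB, corp_server, TODAY))
    print("public server, ask every time:", ask_every_time(CERT_DB, public_server, TODAY))
    trimmed = without(CERT_DB, "corp ID (new, identity only)")
    print("after deleting the new cert, automatic:", auto_select(trimmed, corp_server, TODAY).nickname)
```

Running it shows the two outcomes the thread contrasts: against the corporate server the automatic setting picks the newer identity-only cert even though the older one is the one in daily use, while the public server only ever sees the public-CA cert, so no default is needed there; removing the unused cert leaves the corporate server with a single candidate again.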