Dave Pinn wrote:
> Nelson B Bolyard wrote:
> ...
>> 1) use modutil to get a listing of all the PKCS#11 modules that have been
>> configured into Thunderbird.  If your new laptop's PKCS#11 module is not
>> among them, that's the first thing to fix.
> ...
> 
> I downloaded the NSS 3.11 binary build for WINNT5.0 - there were no
> builds for Win XP specifically - and the corresponding NSPR 4.6 binary
> build. When I run modutil -list, I get the following error message:
> 
> ERROR: Directory "/.netscape" does not exist.

modutil uses a command line option to tell it the name of the
directory to look in.  The option is
   -dbdir directoryname
e.g.
  -dbdir "c:/documents and settings/me/Application Data/Mozilla/profiles/..."

The default, when no such option is specified, is to look in $HOME/.netscape
where $HOME is the value of the environment variable named HOME.

What you did, creating /.netscape and copying files to there, also works just
fine, and is probably simpler and safer.

> I ran certutil -L, which produced the following output (some lines deleted to
> protect my privacy):
> 
> Gatekeeper TYPE 3 CA - eSign Australia                       CT,C,C
> Gatekeeper Grade 3 Individual CA - eSign Australia           CT,C,C
> Gatekeeper Root CA - eSign Australia                         CT,C,C
> 
> What conclusions should I now draw? 

From the above output: draw no conclusions about your TPM chip.

You got a listing of the certs in mozilla's own certdb, not the certs in
your TPM.  By default, certutil looks only in the "NSS Certificate DB" slot.
To get it to look in another slot, you must tell it which slot to examine.

Try
    certutil -L -h all
to get a list of all certs in all slots.

If that still doesn't show them try with the slot name
    certutil -L -h "HP ProtectTools Embedded Security Chip"
or try with the token name
    certutil -L -h "Embedded Security Chip"

Certs from your TPM should show their "nicknames" (a.k.a. "friendly names")
preceded by the slot name or token name, e.g.
    HP ProtectTools Embedded Security Chip: Some Certificate Name
or
    Embedded Security Chip: Some Certificate Name

You might expect to see a line that looks something like this:
 Embedded Security Chip:TPM Certificate                         u,u,

Those comma-separated letters at the end of the line tell you things
about the certificate.  If the PKCS#11 module has made the private key
available to NSS, the letter "u" will show up in that string 1-3 times.
If it doesn't, then the PKCS#11 module is not presenting the private key
to mozilla in a way that enables mozilla to associate the private key
with the certificate (or perhaps not at all).

If your certutil output lists any such certs, then try a command like:
    certutil -L -n "Embedded Security Chip:Some Certificate name"
(using whatever name you get from the certutil -L command, and not
 the example name I showed above.  Be sure to use the quotation marks.)

That should show you the entire certificate, as mozilla will see it.

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
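
Added example (not part of the original message, and not NSS code): a small Python parser for certutil -L listings that applies the "u" rule described above to flag token certificates whose private key NSS cannot see. The sample listing is constructed from the lines quoted in the message, and splitting the token name at the first colon is an assumption.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample of `certutil -L -h all` output, modelled on the lines
# quoted in the message above; it is not captured from a real token.
SAMPLE_LISTING = """\
Gatekeeper Root CA - eSign Australia                         CT,C,C
Embedded Security Chip:TPM Certificate                         u,u,
Embedded Security Chip:Some Certificate Name                   ,,
"""

# Nickname, whitespace, then three comma-separated trust-flag fields
# (SSL, e-mail, object signing); any of the fields may be empty.
LINE_RE = re.compile(
    r"^(?P<name>.*\S)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


class CertEntry(NamedTuple):
    token: Optional[str]   # None means NSS's own certificate database
    nickname: str
    trust: str
    has_private_key: bool  # True when "u" appears in the trust string


def parse_listing(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line
        name, trust = m.group("name"), m.group("trust")
        # Assumption: text before the first ":" is the slot/token name.
        token, sep, nick = name.partition(":")
        if not sep:
            token, nick = None, name
        entries.append(CertEntry(token, nick.strip(), trust, "u" in trust))
    return entries


def missing_private_key(entries, token):
    """Nicknames on `token` whose private key NSS cannot see."""
    return [e.nickname for e in entries
            if e.token == token and not e.has_private_key]


if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_LISTING):
        print(entry)
```
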