Dave Pinn wrote: > Nelson B Bolyard wrote: > ... >> 1) use modutil to get a listing of all the PKCS#11 modules that have been >> configured into Thunderbird. If your new laptop's PKCS#11 module is not >> among them, that's the first thing to fix. > ... > > I downloaded the NSS 3.11 binary build for WINNT5.0 - there were no > builds for Win XP specifically - and the corresponding NSPR 4.6 binary > build. When I run modutil -list, I get the following error message: > > ERROR: Directory "/.netscape" does not exist.
modutil uses a command line option to tell it the name of the directory to look in. The option is -dbdir directoryname e.g. -dbdir "c:/documents and settings/me/Application Data/Mozilla/profiles/..." The default, when no such option is specified, is to look in $HOME/.netscape where $HOME is the value of the environment variable named HOME. What you did, creating /.netscape and copying file to there, also works just fine, and is probably simpler and safer. > I ran certutil -L, which produced the following output (some lines deleted to > protect my privacy): > > Gatekeeper TYPE 3 CA - eSign Australia CT,C,C > Gatekeeper Grade 3 Individual CA - eSign Australia CT,C,C > Gatekeeper Root CA - eSign Australia CT,C,C > > What conclusions should I now draw? from the about output: draw no conclusions about your TPM chip. You got a listing of the certs in mozilla's own certdb, not the certs in your TPM. By default, certutil looks only in the "NSS Certificate DB" slot. To get it to look in another slot, you must tell in which slot to examine. Try certutil -L -h all to get a list of all certs in all slots. If that still doesn't show them try with the slot name certutil -L -h "HP ProtectTools Embedded Security Chip" or try wiht the token name certutil -L -h "Embedded Security Chip" Certs from your TPM should show their "nicknames" (a.k.a. "friendly names") preceeded by the slot name or token name, e.g. HP ProtectTools Embedded Security Chip: Some Certificate Name or Embedded Security Chip: Some Certificate Name You might expect to see a line that looks something like this: Embedded Security Chip:TPM Certificate u,u, Those comma-separated letters at the end of the line tell you things about the certificate. If the PKCS#11 module has made the private key available to NSS, the letter "u" will show up in that string 1-3 times. If it doesn't, then the PKCS#11 module is not presenting the private key to mozilla in a way that enables mozilla to associated the private key with the certificate (or perhaps not at all). If your certutil output lists any such certs, then try a command like: certutil -L -n "Embedded Security Chip:Some Certificate name" (using whatever name you get from the certutil -L command, and not the example name I showed above. Be sure to use the quotation marks.) That should show you the entire certificate, as mozilla will see it. /Nelson _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto