Dave Pinn wrote: >> or try wiht the token name >> certutil -L -h "Embedded Security Chip" > > X:\ThunderbirdProfile>certutil -L -h "Embedded Security Chip" -d . > Enter Password or Pin for "Embedded Security Chip": > > X:\ThunderbirdProfile> > > That cannot be good, and Yes, I'm sure that I got the password right.
OK. The fact that it prompted you for a password indicates that you did talk to the PKCS#11 module. It suggests that a) the PKCS#11 module is not making the certificate available, or b) the certificate cannot be parsed by NSS for some reason, or c) some other problem with the PKCS#11 module. There are more tools, including one that will go right down into the PKSC#11 module and examine the actual bits of its responses. But this is a debugging tool, designed to help the writers of PKCS#11 modules debug their modules. Even if you found something this way, you couldn't fix it (unless you're a developer of that PKCS#11 module or have source code for it). I think this is the point at which it is reasonable for you to ask your laptop maker to support their product. Ask 'em if they tested with any mozilla browser or email products. If you can get the complete binary certificate out of the thing, and can send me the certificate, I can examine that. That's about all that we haven't done that's reasonable to do, at this point, IMO. I wonder if they put the certificate into (say) windows certificate store rather than into the TPM. Perhaps all they put into the TPM is the private key? -- Nelson B _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto