Dave, I can help you write a patch to fix this problem.
The "(-8157) Certificate extension not found" part in the error message: org.mozilla.jss.crypto.NoSuchItemOnTokenException: Expected user cert but no matching key?: (-8157) Certificate extension not found is most likely wrong (a stale error code). Please try to track that down and fix it. I would go with adding an importNonUserCertPackage method, or add a new method that exposes both the boolean noUser and boolean leafIsCA parameters of the native method importCertPackageNative. Note: importCertPackage is documented to detect and handle user certificates automatically, so ideally we should try to make it work as documented. This may require adding a new native method to do that. To avoid duplicating too much code, some refactoring of the existing native method importCertPackageNative would be necessary. Wan-Teh -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto