As I understand it, certificates in NSS are considered the same if they have the same serial number and issuer. When importing a certificate, NSS checks if it already has a certificate with the same serial number and issuer. If it does but they're not actually identical (e.g. if they have different validity dates), it will return an error.
One thing you could do is delete the old certificate first using nsIX509CertDB.deleteCertificate ( https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIX509CertDB.idl#180 )

Or, depending on how these certificates are used, it might be fine to have the expired one in the database along with the new one, as long as the new one is selected over the old one for whatever you're doing with it.

Cheers,
David

On 11/07/13 23:48, Jean-Philippe Franchini wrote:
> Hello,
>
> Our Java application generates certificates with the Bouncy Castle library.
> When a certificate C1 imported in Firefox is about to expire, the application
> can renew it and creates a certificate C2 based on C1 information. The field
> values are the same except the serial number and the security keys.
> But when importing C2, C1 is not replaced.
>
> What are the fields used to compare the imported certificates? Has C2 to be
> the same as C1 but with different validity dates?
>
> Regards,
>
> Jean Philippe FRANCHINI
> jfranch...@solware.fr
>
> 68 bis chemin du Moulin Carron
> 69570 Dardilly - France
> www.solware.fr

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
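The identity rule described in the reply above (same issuer and serial number means "the same certificate"), as an added example that is not part of the original thread and is not NSS code. It is a stdlib-only model; `read_tlv`, `issuer_and_serial`, `classify_import`, `tlv` and `sample_cert` are hypothetical helper names, and the certificates are constructed DER skeletons.

```python
# Added example: stdlib-only model of the (issuer, serial) rule described above.
# The certificates are constructed DER skeletons, not real certificates.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_serial(cert):
    """Return (raw issuer Name bytes, serial number) of a DER certificate."""
    _, tbs, _ = read_tlv(cert, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, tbs)          # TBSCertificate SEQUENCE
    tag, start, end = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] version wrapper
        tag, start, end = read_tlv(cert, end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(cert[start:end], "big", signed=True)
    _, _, issuer_start = read_tlv(cert, end)  # skip signature AlgorithmIdentifier
    _, _, issuer_end = read_tlv(cert, issuer_start)
    return cert[issuer_start:issuer_end], serial

def classify_import(existing, candidate):
    """'duplicate', 'conflict' (same issuer+serial, different bytes) or 'new'."""
    key = issuer_and_serial(candidate)
    for cert in existing:
        if issuer_and_serial(cert) == key:
            return "duplicate" if cert == candidate else "conflict"
    return "new"

def tlv(tag, body):
    """Encode one short-form DER element (enough for the samples below)."""
    if len(body) > 127:
        raise ValueError("sample element too long for short-form length")
    return bytes([tag, len(body)]) + body

def sample_cert(serial, not_after):
    """Constructed skeleton: version, serial, algorithm, issuer, validity only."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Test CA"))))
    validity = tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + alg + name + validity
    return tlv(0x30, tlv(0x30, tbs))
```

With `c1 = sample_cert(5, b"131231000000Z")`, a renewal that reuses serial 5 with a new expiry classifies as `conflict`, while one issued with serial 6 classifies as `new` and sits alongside `c1` until the old entry is deleted.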