On Wednesday, 31 January 2018 06:43:19 CET John Jiang wrote:
> In order to describing my point clearly, please consider the below simple
> example.
> 
> 1. Two certificates with same subject (CN=www.example.com) and different
> nicknames (respectively, example1 and example2). Both of them are in PKCS12
> format.
> 
> 2. Import the certificates to an existing database
> $ pk12util -i example1.p12 -d sql:exampledb -W 'example1pass'
> pk12util: PKCS12 IMPORT SUCCESSFU
> $ pk12util -i example2.p12 -d sql:exampledb -W 'example2pass'
> pk12util: PKCS12 IMPORT SUCCESSFU
> 
> 3. List the certificates
> $ certutil -d sql:exampledb -L
> Certificate Nickname                                         Trust
> Attributes
> 
> SSL,S/MIME,JAR/XPI
> 
> example1
>                                         u,u,u
> example1
>                                            u,u,u
> Only nickname "example1" is listed.
> 
> 4. Display certificate example1
> $ certutil -d sql:exampledb -L -n example1
> Here, in deed, certificate example2 is displayed.
>
> It looks a bug.

This is expected and is an artefact of the way NSS stores certificates in the 
database. Since a newer certificate will be used when requested by 
application, it should not cause any problems.

> Best regards,
> John Jiang
> 
> 2018-01-31 13:07 GMT+08:00 John Jiang <john.sha.ji...@gmail.com>:
> > Hi,
> > I'm using NSS 3.35.
> > 
> > With my testing, it is not allowed to import multiple certificates with
> > same subject and different nicknames to a certificate database via
> > pk12util. I just want to confirm this point.
> > 
> > Best regards,
> > John Jiang


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 115, 612 00  Brno, Czech Republic

Attachment: signature.asc
Description: This is a digitally signed message part.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to