Mike McIntosh wrote:

> Ian, that is the problem.
>
> In fact, when I built the sources and debugged it I found it was failing in
> pkcs11.c (pk11_searchCerts, line 3980) checking the trust flags for
> CERTDB_USER.
>
> I got this (temporary) test certificate from verisign and installed it using
> certutil tool. Its type is "Trusted Client CA". I notice the comment in the
> code that "we are only interested in permanment user certs here". Can I not
> use this for testing?
>
> Thanks,
> Mike

If the private key is stored in your database, you can. When you used certutil to import it, it was imported as a non-user cert. You can fix this by explicitly setting the user bits (u,u,u) on the cert with the change trust flags.

If you do not have the private key in your database, you cannot look up the cert with the PK11_FindCertByNickname call because the internal token only exports user certs in NSS 3.3 or earlier. That is not an issue in NSS 3.4.

> "Ian McGreer" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
>> Mike McIntosh wrote:
>>
>>> Hi,
>>>
>>> I am trying to use nss to provide SSL support for our server application but
>>> I am falling at first hurdle.
>>>
>>> I used the certutil tool to add a certificate (verisign test certificate) to
>>> database and this was successful.
>>>
>>> I have used the sample code sslsample/selfserv as basis for code but I am
>>> having a problem accessing certificates via PK11_FindCertFromNickname (even
>>> in the samples).
>>>
>>> If I do the following :-
>>>
>>>   nicknames = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
>>>                                     SEC_CERT_NICKNAMES_ALL, 0);
>>>
>>> this works and I can see the certificate nickname is there ok. However, when
>>> I do :-
>>>
>>>   cert = PK11_FindCertFromNickname(nickname, password);
>>>
>>> it returns NULL.
>>>
>>> I suspect it may be related to the password callback function which is never
>>> being called. Is this normal?
>>
>> You shouldn't need the password for locating a certificate. What is the
>> trust of your cert? Are you sure it is a user cert (that is, you have
>> the key for it in the same profile)?
>>
>> -Ian
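As an added example (not part of the original messages and not NSS project code), the following check reads a `certutil -L` style listing and reports which nicknames lack the `u` user flag discussed in this thread. The sample listing and its nicknames are constructed, and the layout (nickname followed by three comma-separated trust fields) is an assumption about the listing being parsed.

```python
import re

# Constructed sample in the layout printed by `certutil -L -d <dbdir>`:
# nickname, whitespace, then the SSL, S/MIME and object-signing trust fields.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Test Server Cert                                     T,,
Example Root CA                                              CT,C,C
Example Working Server Cert                                  u,u,u
"""

# A nickname may contain spaces; the trust string is the last token on the
# line and always has exactly two commas. Header lines do not match.
ENTRY = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_listing(text):
    """Return {nickname: (ssl, email, objsign)} for each certificate line."""
    certs = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def is_user_cert(flags):
    """True when any of the three trust fields carries the 'u' flag."""
    return any("u" in field for field in flags)


def missing_user_flag(text):
    """Nicknames that are listed in the database but not marked as user certs."""
    return sorted(n for n, f in parse_listing(text).items() if not is_user_cert(f))


if __name__ == "__main__":
    for nick in missing_user_flag(SAMPLE_LISTING):
        print(f"not a user cert: {nick}")
```

For a certificate whose private key is in the same database, the trust change described in the reply can be applied with `certutil -M -n <nickname> -t "u,u,u" -d <dbdir>`, where the nickname and database directory are placeholders.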
