Kai Engert wrote:
 > Usually, when you import a certificate into Mozilla, each certificate
 > will get assigned a unique "nickname". The cert stored in the internal
 > database will remember the association from actual cert to nickname.
 >
 > The configuration in mail remembers the cert nickname.

I have tried setting the "-name" flag on openssl pkcs12 before importing
and the "-setalias" flag on openssl x509 when signing. Even when they 
are unique my selections keep getting changed.

...or perhaps nickname means something else I'm not aware of?

 >
 > If you are testing and doing trial and error, I guess you are playing
 > with your own CA and generating your own certs.

An intermediate CA from CREN actually.

 >
 > Make sure you don't confuse Mozilla by re-using the same certificate
 > serial numbers. Mozilla's crypto library NSS uses the pair
 > {issuer,serial number} to uniquely identify a cert. If you reuse serial
 > numbers, you pretty much confuse Mozilla.

No, I understand that. Serial numbers are all unique.

 >
 > If you ensure that, Mozilla should be clever enough to remember which
 > exact certificate you have selected for email configuration and to
 > automatically switch to a different one.

It's starting to seem to me like when Mozilla has multiple certs with key 
usage keyEncipherment and the same email address, both in the subject 
and subjectAltName, the newest one replaces my selected encryption cert 
and becomes the only one in the selection list until I delete it. 
Likewise, if key usage is digitalSigning it becomes the email signing 
cert and the only choice.

 >
 > Kai
 >
 >
 > Larry Riffle wrote:
 >
 >> I'm involved in a project evaluating PKI for some local applications.
 >> Thus I have several certificates and others are added and deleted
 >> regularly. I'm new to this. Lots of trial and error going on here.
 >>
 >> I have to keep going back and re-selecting my email encryption
 >> certificate. The one I want to use for everyday email keeps getting
 >> replaced by some of my more bizarre test attempts.
 >>
 >> Most of the time the only way I can even get the certificate I want to
 >> show up on the selection list is to delete all the others. Will I have
 >> to use separate keys for each to keep Mozilla from overriding? I'd
 >> rather not do that.
 >>

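The thread turns on two things NSS looks at when certs are imported: the {issuer, serial number} pair that identifies a cert, and the keyUsage and email address that decide which certs are offered for encryption or signing. The script below is an added example, not part of this thread or of Mozilla/NSS: it builds a throwaway CA and two end-entity certs (all names, email addresses and serial numbers are constructed for the example), one with keyEncipherment and one with digitalSignature, and then prints exactly those fields with openssl so they can be checked before importing into Mozilla.

```shell
#!/bin/sh
# Added example: inspect the fields NSS keys on before importing certs.
# Assumes OpenSSL 1.1.1 or later (uses -addext-style extfile and -ext).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and two certs that share one key pair and one
# email address but carry different keyUsage values and serials.
make_certs() {
    # constructed test CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1

    # one user key/CSR reused for both certs (constructed identity)
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" \
        -subj "/CN=Test User/emailAddress=user@example.test" >/dev/null 2>&1

    # encryption cert: serial 1001, keyUsage keyEncipherment
    printf 'keyUsage=keyEncipherment\nsubjectAltName=email:user@example.test\n' \
        > "$WORK/enc.ext"
    openssl x509 -req -in "$WORK/user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial 1001 -days 1 \
        -extfile "$WORK/enc.ext" -out "$WORK/enc.crt" >/dev/null 2>&1

    # signing cert: serial 1002, keyUsage digitalSignature
    printf 'keyUsage=digitalSignature\nsubjectAltName=email:user@example.test\n' \
        > "$WORK/sig.ext"
    openssl x509 -req -in "$WORK/user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial 1002 -days 1 \
        -extfile "$WORK/sig.ext" -out "$WORK/sig.crt" >/dev/null 2>&1
}

# The {issuer, serial} pair: NSS treats two certs with the same pair as
# the same cert, so these must differ for every cert you import.
cert_id() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' ';'
}

# The keyUsage value that decides whether the cert is offered for
# encryption (keyEncipherment) or signing (digitalSignature).
cert_keyusage() {
    openssl x509 -in "$1" -noout -ext keyUsage | tail -n 1 | sed 's/^ *//'
}

# The email addresses Mozilla matches against the account.
cert_emails() {
    openssl x509 -in "$1" -noout -email
}

make_certs
for c in enc sig; do
    printf '%s: %s\n' "$c" "$(cert_id "$WORK/$c.crt")"
    printf '%s: keyUsage=%s email=%s\n' "$c" \
        "$(cert_keyusage "$WORK/$c.crt")" "$(cert_emails "$WORK/$c.crt" | tr '\n' ' ')"
done
```

Running it shows both certs with the same issuer and email but distinct serials and key usages, which is the combination the thread describes: NSS keeps them apart by serial, while the mail client picks an encryption or signing cert by keyUsage and address. If `cert_id` ever prints the same line for two files, that is the serial reuse Kai warns about.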