Larry J. Riffle wrote:
> 
> 
> Kai Engert wrote:
>  > Usually, when you import a certificate into Mozilla, each certificate
>  > will get assigned a unique "nickname". The cert stored in the internal
>  > database will remember the association from actual cert to nickname.
>  >
>  > The configuration in mail remembers the cert nickname.
> 
> I have tried setting the "-name" flag on openssl pkcs12 before importing
> and the "-setalias" flag on openssl x509 when signing. Even when they 
> are unique my selections keep getting changed.
> 
> ...or perhaps nickname means something else I'm not aware of?
> 
>  >
>  > If you are testing and doing trial and error, I guess you are playing
>  > with your own CA and generating your own certs.
> 
> An intermediate CA from CREN actually.
> 
>  >
>  > Make sure you don't confuse Mozilla by re-using the same certificate
>  > serial numbers. Mozilla's crypto library NSS uses the pair
>  > {issuer,serial number} to uniquely identify a cert. If you reuse serial
>  > numbers, you pretty much confuse Mozilla.
> 
> No, I understand that. Serial numbers are all unique.
> 
>  >
>  > If you ensure that, Mozilla should be clever enough to remember which
>  > exact certificate you have selected for email configuration and to
>  > automatically switch to a different one.
> 
> It's starting to seem to me like when Mozilla has multiple certs with key 
> usage keyEncipherment and the same email address, both in the subject 
> and subjectAltname, the newest one replaces my selected encryption cert 
> and becomes the only one in the selection list until I delete it. 
> Likewise, if key usage is digitalSigning it becomes the email signing 
> cert and the only choice.

Could you confirm the following?

Up to now I believe you only spoke about the contents of the list when 
configuring the cert in email preferences. You say only one cert for 
your nickname is shown, and you suspect only the latest one is shown.

Only the latest one would be shown if your other, older certs have 
already become invalid,
- possibly because you have loaded a CRL with the older certs revoked
- you are using OCSP and the older certs have already been revoked.

If that is not true, then please have a look at certificate manager in 
edit/prefs/privacy/certs/manage.

You say you expect multiple certs in your database. If that is indeed 
the case, then cert manager should list all of them in the "Your 
Certificates" tab. Can you confirm?

Assuming you indeed have multiple certs, let's confirm whether Mozilla 
has assigned different nicknames to each of them.

You can view the nickname by using the "view" button. The title line of 
the dialog that opens shows the nickname.
Is the nickname unique for each of your certs?

Kai
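Added example, not part of this thread or of NSS itself: a small dependency-free Python script that walks DER certificates the way NSS keys them, by the {issuer, serial number} pair, and decodes the keyUsage bits (digitalSignature, keyEncipherment) that decide whether a cert is offered as a signing or an encryption cert. Running it over an exported store shows whether two certs collide on {issuer, serial}, which is the confusion Kai warns about. The three sample certs, the CA name "Example Intermediate CA" and the serial numbers are constructed inline with a tiny DER encoder; they are unsigned placeholders, not real CREN or Mozilla data.

```python
"""Check a set of DER certs for NSS {issuer, serial} collisions and keyUsage bits.
Sample certs below are constructed for this example; no real CA data is used."""
from collections import defaultdict

OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_KEY_USAGE = bytes.fromhex("551d0f")               # 2.5.29.15 keyUsage
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

# ---- minimal DER encoder, used only to build the constructed sample certs ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):  # non-negative INTEGER; extra byte keeps the sign bit clear
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    atv = der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))
    return der(0x30, der(0x31, atv))

def key_usage_ext(digital_signature, key_encipherment):
    # keyUsage BIT STRING: bit 0 = digitalSignature, bit 2 = keyEncipherment
    bits = (0x80 if digital_signature else 0) | (0x20 if key_encipherment else 0)
    unused = (bits & -bits).bit_length() - 1 if bits else 0  # trailing zero bits
    value = der(0x03, bytes([unused, bits]))
    ext = der(0x30, der(0x06, OID_KEY_USAGE) + der(0x01, b"\xff") + der(0x04, value))
    return der(0xA3, der(0x30, ext))  # [3] EXPLICIT Extensions

def make_cert(serial, issuer_cn, subject_cn, digital_signature, key_encipherment):
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"040101000000Z") + der(0x17, b"050101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))  # placeholder public key (constructed)
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg + der_name(issuer_cn)
              + validity + der_name(subject_cn) + spki
              + key_usage_ext(digital_signature, key_encipherment))
    return der(0x30, tbs + alg + der(0x03, b"\x00\x00"))  # dummy signature, unsigned

# ---- minimal DER reader: just enough to walk TBSCertificate ----
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def common_name(name_der):  # first CN in the Name, else the raw DER as hex
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == OID_CN:
                return value[1].decode()
    return name_der.hex()

def inspect(cert_der):
    """Return (issuer_der, serial, issuer_cn, subject_cn, key_usage_flags)."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] version
        fields = fields[1:]
    # order: serial, signature alg, issuer, validity, subject, spki, optional tail
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer_der, subject_der = fields[2][1], fields[4][1]
    flags = set()
    for tag, value in fields[6:]:
        if tag != 0xA3:  # only the [3] extensions field matters here
            continue
        for _, ext in children(children(value)[0][1]):
            parts = children(ext)
            if parts[0][1] == OID_KEY_USAGE:
                _, bitstr, _ = read_tlv(parts[-1][1])  # OCTET STRING wraps BIT STRING
                b = bitstr[1] if len(bitstr) > 1 else 0
                if b & 0x80:
                    flags.add("digitalSignature")
                if b & 0x20:
                    flags.add("keyEncipherment")
    return issuer_der, serial, common_name(issuer_der), common_name(subject_der), flags

def find_collisions(store):
    """Group certs that share NSS's identity key, the {issuer, serial} pair."""
    seen = defaultdict(list)
    for label, cert_der in store.items():
        issuer_der, serial, *_ = inspect(cert_der)
        seen[(issuer_der, serial)].append(label)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample store; CA name and serials are invented for the example.
STORE = {
    "enc-2004": make_cert(1001, "Example Intermediate CA", "larry", False, True),
    "sig-2004": make_cert(1002, "Example Intermediate CA", "larry", True, False),
    "enc-2005": make_cert(1001, "Example Intermediate CA", "larry", False, True),  # serial reused
}

if __name__ == "__main__":
    for label, cert_der in STORE.items():
        _, serial, issuer_cn, subject_cn, flags = inspect(cert_der)
        print(f"{label}: serial={serial} issuer={issuer_cn!r} subject={subject_cn!r} "
              f"keyUsage={sorted(flags)}")
    for (issuer_der, serial), labels in find_collisions(STORE).items():
        print(f"COLLISION: issuer={common_name(issuer_der)!r} serial={serial} shared by {labels}")
```

To run this against a real store, replace `STORE` with DER blobs read from disk (for example the output of `openssl x509 -outform DER`); the reader only follows the fixed TBSCertificate field order, so it needs no cryptography library. Any entry reported as a collision is one NSS cannot tell apart, and the keyUsage column shows which certs compete for the signing and encryption slots in the mail preferences.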