Kai Engert wrote:
> Larry J. Riffle wrote:
>
>>
>>
>> Kai Engert wrote:
>> > Usually, when you import a certificate into Mozilla, each certificate
>> > will get assigned a unique "nickname". The cert stored in the internal
>> > database will remember the association from actual cert to nickname.
>> >
>> > The configuration in mail remembers the cert nickname.
>>
>> I have tried setting the "-name" flag on openssl pkcs12 before importing
>> and the "-setalias" flag on openssl x509 when signing. Even when they
>> are unique my selections keep getting changed.
>>
>> ...or perhaps nickname means something else I'm not aware of?
>>
>> >
>> > If you are testing and doing trial and error, I guess you are playing
>> > with your own CA and generating your own certs.
>>
>> An intermediate CA from CREN actually.
>>
>> >
>> > Make sure you don't confuse Mozilla by re-using the same certificate
>> > serial numbers. Mozilla's crypto library NSS uses the pair
>> > {issuer,serial number} to uniquely identify a cert. If you reuse serial
>> > numbers, you pretty much confuse Mozilla.
>>
>> No, I understand that. Serial numbers are all unique.
>>
>> >
>> > If you ensure that, Mozilla should be clever enough to remember which
>> > exact certificate you have selected for email configuration and to
>> > automatically switch to a different one.
>>
>> It's starting to seem to me like when Mozilla has multiple certs with
>> key usage keyEncipherment and the same email address, both in the
>> subject and subjectAltname, the newest one replaces my selected
>> encryption cert and becomes the only one in the selection list until I
>> delete it. Likewise, if key usage is digitalSigning it becomes the
>> email signing cert and the only choice.
>
>
> Could you confirm the following?
>
> Up to now I believe you only spoke about the contents of the list when
> configuring the cert in email preferences. You say only one cert for
> your nickname is shown, and you suspect only the latest one is shown.
>
> Only the latest one would be shown, if your older other certs have
> already become invalid,

All are valid though some have some pretty strange extensions. As I said, I'm new to this.

> - possibly because you have loaded a CRL with the older certs revoked

PKI-Lite, no CRLs.

> - you are using OCSP and the older certs have already been revoked.

No OCSP.

>
> If that is not true, then please have a look at certificate manager in
> edit/prefs/privacy/certs/manage.
>
> You say you expect multiple certs in your database. If that is indeed
> the case, then cert manager should list all of them in the "Your
> Certificates" tab. Can you confirm?

Yes, they are all listed. The trust chains are all complete, none have expired and all seem valid. I can send examples if you like but I think we've hit on the problem below.

>
> Assuming you indeed have multiple certs, let's confirm whether Mozilla
> has assigned different nicknames to each of them.
>
> You can view the nickname by using the "view" button. The title line of
> the dialog that opens shows the nickname.
> Is the nickname unique for each of your certs?

No, they all are "Imported Certificate". How do I control that?

I can't confirm this until I get back to work Tuesday but I think Mozilla 1.1 under Linux RH 7.3 showed the value from "openssl pkcs12 -name" there. I'm on Win2k right now, also Mozilla 1.1, and nothing I do seems to change "Imported Certificate". Obviously that's the source of the ambiguity. Should that correspond to the value of "-name" on "openssl pkcs12"?

I really appreciate your help. I have a long learning curve ahead of me and this has me stumped.

- Larry

>
> Kai
>
>
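Added example, not part of the thread: a throwaway script showing what `openssl pkcs12 -export -name` records as the PKCS#12 friendlyName (the value NSS picks up as the nickname on import) and checking that issued certs keep distinct {issuer, serial number} pairs, the two things discussed above. It assumes only that the `openssl` CLI is on PATH; the CA, the two certs for one address and the password "changeit" are all constructed test material, not Larry's CREN-issued certs.

```shell
#!/bin/sh
# Constructed demo material: a scratch CA, two end-entity certs for the
# same e-mail address, exported as PKCS#12 with explicit friendlyNames.
set -eu
WORK="$(mktemp -d)"
PASS="pass:changeit"          # demo password for the .p12 files

# Throwaway CA (stands in for the intermediate CA in the thread)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert SERIAL EMAIL BASENAME: end-entity cert signed by the demo CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2/emailAddress=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$1" -days 30 -out "$WORK/$3.crt" 2>/dev/null
}

# export_p12 BASENAME NICKNAME: bundle key+cert; -name sets the friendlyName
export_p12() {
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -name "$2" -out "$WORK/$1.p12" -passout "$PASS"
}

# p12_nickname FILE: friendlyName stored in the PKCS#12 (empty if none)
p12_nickname() {
  openssl pkcs12 -in "$1" -info -nokeys -passin "$PASS" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# duplicate_ids FILE...: how many {issuer,serial} pairs occur more than once
# (NSS keys its cert database on exactly this pair)
duplicate_ids() {
  for f in "$@"; do
    openssl x509 -in "$f" -noout -issuer -serial | tr '\n' '|'; echo
  done | sort | uniq -d | wc -l | tr -d ' '
}

issue_cert 1001 larry@example.org larry1
issue_cert 1002 larry@example.org larry2
export_p12 larry1 "Larry encryption 2002"
export_p12 larry2 "Larry signing 2002"

printf 'larry1 nickname: %s\n' "$(p12_nickname "$WORK/larry1.p12")"
printf 'larry2 nickname: %s\n' "$(p12_nickname "$WORK/larry2.p12")"
printf 'duplicate {issuer,serial} pairs: %s\n' "$(duplicate_ids "$WORK"/larry*.crt)"
```

If a .p12 shows no friendlyName line here, the importing application has nothing to use as a nickname and falls back to its own default label.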
