Larry J. Riffle wrote:
> 
> Kai Engert wrote:
> 
>> Larry J. Riffle wrote:
>>
>>>
>>> Kai Engert wrote:
>>>  > Usually, when you import a certificate into Mozilla, each certificate
>>>  > will get assigned a unique "nickname". The cert stored in the 
>>> internal
>>>  > database will remember the association from actual cert to nickname.
>>>  >
>>>  > The configuration in mail remembers the cert nickname.
>>>
>>> I have tried setting the "-name" flag on openssl pkcs12 before importing
>>> and the "-setalias" flag on openssl x509 when signing. Even when they 
>>> are unique my selections keep getting changed.
>>>
>>> ...or perhaps nickname means something else I'm not aware of?
>>>
>>>  >
>>>  > If you are testing and doing trial and error, I guess you are playing
>>>  > with your own CA and generating your own certs.
>>>
>>> An intermediate CA from CREN actually.
>>>
>>>  >
>>>  > Make sure you don't confuse Mozilla by re-using the same certificate
>>>  > serial numbers. Mozilla's crypto library NSS uses the pair
>>>  > {issuer,serial number} to uniquely identify a cert. If you reuse 
>>> serial
>>>  > numbers, you pretty much confuse Mozilla.
>>>
>>> No, I understand that. Serial numbers are all unique.
>>>
>>>  >
>>>  > If you ensure that, Mozilla should be clever enough to remember which
>>>  > exact certificate you have selected for email configuration and to
>>>  > automatically switch to a different one.
>>>
>>> It's starting to seem to me like when Mozilla has multiple certs with 
>>> key usage keyEncipherment and the same email address, both in the 
>>> subject and subjectAltName, the newest one replaces my selected 
>>> encryption cert and becomes the only one in the selection list until 
>>> I delete it. Likewise, if key usage is digitalSigning it becomes the 
>>> email signing cert and the only choice.
>>
>> Could you confirm the following?
>>
>> Up to now I believe you only spoke about the contents of the list when 
>> configuring the cert in email preferences. You say only one cert for 
>> your nickname is shown, and you suspect only the latest one is shown.
>>
>> Only the latest one would be shown, if your older other certs have 
>> already become invalid,
> 
> All are valid though some have some pretty strange extensions. As I 
> said, I'm new to this.
> 
>> - possibly because you have loaded a CRL with the older certs revoked
> 
> PKI-Lite, no CRLs.
> 
>> - you are using OCSP and the older certs have already been revoked.
> 
> No OCSP.
> 
>>
>> If that is not true, then please have a look at certificate manager in 
>> edit/prefs/privacy/certs/manage.
>>
>> You say you expect multiple certs in your database. If that is indeed 
>> the case, then cert manager should list all of them in the "Your 
>> Certificates" tab. Can you confirm?
> 
> Yes, they are all listed. The trust chains are all complete, none have 
> expired and all seem valid. I can send examples if you like but I think 
> we've hit on the problem below.
> 
>>
>> Assuming you indeed have multiple certs, let's confirm whether Mozilla 
>> has assigned different nicknames to each of them.
>>
>> You can view the nickname by using the "view" button. The title line 
>> of the dialog that opens shows the nickname.
>> Is the nickname unique for each of your certs?
> 
> No, they all are "Imported Certificate". How do I control that?
> 
> I can't confirm this until I get back to work Tuesday but I think 
> Mozilla 1.1 under Linux RH 7.3 showed the value from "openssl pkcs12 
> -name" there. I'm on Win2k right now, also Mozilla 1.1, and nothing I do 
> seems to change "Imported Certificate". Obviously that's the source of 
> the ambiguity. Should that correspond to the value of "-name" on 
> "openssl pkcs12"?

Now that I've had a chance to experiment on both platforms allow me to 
revise my hypothesis.

First of all, it is consistent between Linux and Win2k. Whatever the 
value on the "openssl pkcs12 -name" flag, it becomes the nickname of 
all certs associated with the private key in the first pkcs12 file 
imported. Subsequent imports with the same private key inherit that 
nickname regardless of what was on the "-name" flag when the pkcs12 file 
was created.

The email signature and encryption selection lists each display only the 
latest cert, valid for that purpose, with the same nickname.

> 
> I really appreciate your help. I have a long learning curve ahead of me 
> and this has me stumped.
> 
> - Larry
> 
>>
>> Kai
>>

-- 
Larry
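To reproduce the situation discussed in this thread on the OpenSSL side, here is an added example script (not part of the original messages, and not Kai's or Larry's own commands). It builds a throw-away CA, issues two certificates for the same e-mail address off ONE private key with distinct serial numbers (one keyEncipherment, one digitalSignature), packs each into its own PKCS#12 with a different "-name", and then reads back the friendlyName that openssl actually stored in each file. If the NSS command-line tools (certutil, pk12util) are installed, it additionally imports both files into a fresh NSS database and lists the nicknames NSS assigned, so you can compare the stored friendlyName with what Mozilla shows; it does not assume any particular NSS result. The CA name, the address larry@example.org, the serials 1001/1002, the names larry-enc/larry-sig and the passwords are constructed for this demo.

```shell
#!/bin/sh
# Added example: one private key, two certs (same e-mail, distinct serials,
# distinct key usage), two PKCS#12 files with distinct -name values.
# All names, serials, addresses and passwords below are constructed.
set -eu

EMAIL="larry@example.org"   # constructed address
P12PASS="test"              # constructed PKCS#12 password

# $1=workdir $2=serial (decimal) $3=extension section $4=value for "-name"
# Issues a cert off the shared user key and exports it as $4.p12.
issue_and_pack() {
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -set_serial "$2" -days 30 -extfile "$1/ext.cnf" -extensions "$3" \
    -out "$1/$4.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/user.key" -in "$1/$4.crt" \
    -certfile "$1/ca.crt" -name "$4" -passout "pass:$P12PASS" -out "$1/$4.p12"
}

# Creates the toy PKI in a temp dir and prints that dir's path.
build_demo() {
  dir=$(mktemp -d)
  # Minimal config so 'openssl req' does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Same e-mail in the SAN of both certs; only the key usage differs.
  cat > "$dir/ext.cnf" <<EOF
[enc]
keyUsage = critical,keyEncipherment
subjectAltName = email:$EMAIL
[sig]
keyUsage = critical,digitalSignature
subjectAltName = email:$EMAIL
EOF
  # Toy CA (self-signed here so the demo runs offline).
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Demo CA" -days 30 \
    >/dev/null 2>&1
  # ONE user key, reused for both certificates, as in the thread.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/user.key" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/user.key" \
    -subj "/CN=Larry/emailAddress=$EMAIL" -out "$dir/user.csr" 2>/dev/null
  issue_and_pack "$dir" 1001 enc larry-enc
  issue_and_pack "$dir" 1002 sig larry-sig
  echo "$dir"
}

# $1=p12 file -> prints the friendlyName of the first (end-entity) cert bag.
p12_friendly_name() {
  openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$P12PASS" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# $1=cert file -> prints the serial number as openssl shows it (hex).
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# $1=workdir -> imports both p12 files into a fresh NSS db and lists nicknames,
# or prints a marker line when the NSS tools are not installed.
nss_nicknames() {
  if ! command -v certutil >/dev/null 2>&1 || ! command -v pk12util >/dev/null 2>&1; then
    echo "nss-tools-not-installed"
    return 0
  fi
  db="$1/nssdb"; mkdir -p "$db"
  echo "nsspass" > "$1/dbpw.txt"                      # constructed DB password
  certutil -N -d "sql:$db" -f "$1/dbpw.txt"
  pk12util -i "$1/larry-enc.p12" -d "sql:$db" -k "$1/dbpw.txt" -W "$P12PASS"
  pk12util -i "$1/larry-sig.p12" -d "sql:$db" -k "$1/dbpw.txt" -W "$P12PASS"
  certutil -L -d "sql:$db"   # first column is the nickname Mozilla would show
}

D=$(build_demo)
for n in larry-enc larry-sig; do
  printf '%s.p12  serial=%s  friendlyName=%s\n' "$n" \
    "$(cert_serial "$D/$n.crt")" "$(p12_friendly_name "$D/$n.p12")"
done
nss_nicknames "$D"
```

The friendlyName lines confirm that "-name" was honoured when each file was written, so any shared nickname seen afterwards in Certificate Manager was assigned at import time rather than being present in the files. The certutil listing at the end is the place to compare: NSS keys the database on the {issuer, serial} pair, which this script keeps distinct, while the nickname is a separate label.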