Darrel wrote: > I've loaded Moz 1.1 and it has imported my Netscape 4.79 profile. I > have 5 private certs from Thawte Personal Freemail used to sign and > encrypt email. Each is good for a 1 year and 4 of these have now > expired. I have an email encrypted with one of the now-expired certs. > In NS 4.7, I can view the email; under Moz 1.1, I see a broken key icon > and the email doesn't appear. Are my certs OK? Why can't I decrypt my > old email? Does Moz refuse to use an expired cert?
I have found a similar problem with the FreeMail certs and constructing the chain. What I found was that Thawte had a CA cert which appeared with the name 'Personal Freemail RSA 2000.8.30' and was valid from 8/29/00 through 8/29/2002 (serial # 0C, I think). At some point thay generated a new signing cert with exactly the same DN but the date range is 8/29/00 through 8/29/2004 (serial # 66:45:72:B7:CC:74:F5:CF:63:76:45:84:D0:2E:91:01). In my cert storage (Authorities), both certs appeared, with the older (lower serial number) entry being listed first. When trying to verify newer certs (issued in Sept. this year) the PSM always said the chain were not good. When I deleted the older (lower serial) cert, the problem went away. But I also invalidated all the certs that were signed by the older CA cert. From the observed performance, it appears that the PSM assumes that a DN is unique (only one per database)and simply uses the first one found. FreeMail certs also do not contain the extensions for Authority Key Identifier and such to aid in identifying the signer. I don't know if they would be used <<shrug>>; but if they did, you couldn't really tell since they would probably be displayed only as OIDs and hex dumps. Victor Probo > > I've looked in the Certificate Manager and see that the 4 expired certs > are not verified while the one active cert is verified for the purpose > of Sign/Encrypt. > > I tried deleting one of the now-expired certs and redownloading it from > Thawte. When fetching the cert I receive the error "Unable to build > certificate chain!". Not sure if this is a Moz issue or a Thawte issue. > I've never seen this before using NS 4.7. > > One more thing. From NS, I've learned that the local cert store is > protected by a password. When looking into the store I must supply my > password. I find that I don't have to enter a password when looking at > the Moz Cert Manager. Did I miss something or is the Moz cert store > unprotected. Unprotected is very undesirable. > > Thanks, > Darrel >
