Loren wrote:
> I've generated a test object signing certificate using OpenSSL,
> when I install this cert/key into Mozilla (1.2a), and use the
> resulting cert7.db and key3.db for script signing with signtool
> (v1.3), it fails to find my cert in the db, but if I use Communicator
> 4.79's db, it worked fine.
>
> It seems that there are some incompatibilities between these 2 dbs,
> what concerns me is if I can just keep using Communicator's db? since
> I have to use Openssl as my CA, is there any workaround for using
> Openssl gen'd certs with Mozilla's dbs?
Many people who use OpenSSL as a CA create certs or cert chains that violate the rules for X.509 certs. Examples of very common mistakes include:

1. Reusing serial numbers. No valid CA will ever issue two certs with the same issuer name and serial number. NSS relies on this fact. If you try to add a cert to your cert DB that has the same issuer name and serial number as another cert already in the DB, the new cert will not be added.

2. Using the same subject DN for the CA cert and for one or more server certs or email certs issued by that CA. A server cert that has the same subject name as the root CA cert that issued it will have the same name listed as both Subject and Issuer, making it appear to be self-issued.

I'd guess that your mozilla DB already had a cert in it with the same subject name or the same issuer and serial number as the cert you tried to add to it, but the Communicator DBs did not already have such a cert in them. In that case, the issue is not a version-based incompatibility but rather a set of certs already in a particular DB that preclude the addition of (or finding of) your new cert in the DB.

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
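The two mistakes Nelson lists can be checked before a cert ever reaches an NSS database. The script below is an added example, not code from the thread; it assumes the certs were dumped with `openssl x509 -noout -serial -issuer -subject` and that the resulting text lines are concatenated into one buffer (the sample data is constructed).

```python
"""Audit certs for the two OpenSSL-CA mistakes that make NSS refuse to
add or find a cert: a reused (issuer, serial) pair, and a CA subject DN
that is also used on an end-entity cert (which then looks self-issued).
Input is the text produced by `openssl x509 -noout -serial -issuer -subject`
for each cert, concatenated."""
from collections import defaultdict

# Constructed sample: a root CA, a server cert that reuses serial 01,
# and a second cert carrying the CA's own subject DN.
SAMPLE = """\
serial=01
issuer=O=Test CA
subject=O=Test CA
serial=01
issuer=O=Test CA
subject=CN=www.example.test
serial=02
issuer=O=Test CA
subject=O=Test CA
"""


def parse_certs(text):
    """Group serial/issuer/subject lines into one dict per certificate.
    A new 'serial=' line starts the next cert."""
    certs, cur = [], {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "serial" and cur:
            certs.append(cur)
            cur = {}
        cur[key.strip()] = value.strip()
    if cur:
        certs.append(cur)
    return certs


def find_problems(certs):
    """Return [(kind, cert_indexes)] for each rule violation found."""
    problems = []
    by_issuer_serial = defaultdict(list)
    for i, c in enumerate(certs):
        by_issuer_serial[(c["issuer"], c["serial"])].append(i)
    for idxs in by_issuer_serial.values():
        if len(idxs) > 1:  # mistake 1: NSS keys certs on issuer+serial
            problems.append(("duplicate-issuer-serial", tuple(idxs)))
    # Mistake 2: one self-signed root is fine; several certs whose subject
    # equals their issuer under the same DN means a leaf reused the CA DN.
    self_issued = defaultdict(list)
    for i, c in enumerate(certs):
        if c["subject"] == c["issuer"]:
            self_issued[c["subject"]].append(i)
    for idxs in self_issued.values():
        if len(idxs) > 1:
            problems.append(("ambiguous-self-issued", tuple(idxs)))
    return problems
```

Run it over the real dump before importing into cert7.db; an empty result means neither of the two collisions described above will block the import.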
