Richard Piper wrote:
> 
> I am having trouble signing email with certificates stored on the iKey
> 2000 (OS=Windows XP). The certificate and device are visible in the
> certificate and device manager respectively.
> 
> However, when nominating a certificate with which to sign email (email
> prefs), I get the error message "the certificate manager can not locate
> a valid certificate".
> 
> The certificates contain a valid email address. And the CA is recognized
> and authorized for email.
> 
> Whilst I get this problem with the iKey token, the certificates work as
> expected if placed in the "software device".
> 
> The problem occurs in Mozilla 1.1 and 1.2.

Several thoughts occur, may or may not help.

1. To sign an email, you need both a certificate and the corresponding
private key in the same PKCS#11 "token", e.g. in your iKey or in your
"software device".  If you have the cert, but not the private key, in your
iKey then you won't be able to sign with the iKey.

2. Mozilla presently requires you to have a cert (or pair of certs) that
is valid for BOTH signing and encryption.  If you have a cert that is good
for signing but not for encryption, and do not have a companion encryption
cert, then Mozilla will not let you use the signing cert by itself.
This is a known issue with Mozilla.  There is a bug filed about it.

3. There is presently a limitation in Mozilla (actually in NSS, the crypto
library in Mozilla) about having your personal cert (and private key) in
more than one PKCS#11 token (device) at the same time.  If you want to
sign with your iKey, then you should not also have the cert in the
"software device".


--
Nelson Bolyard               
Disclaimer:                  I speak for myself, not for Netscape
