Tom, Tom Glaab wrote:

> > Since your certs have distinct subjects (it doesn't matter how little the difference is), they will have different nicknames.
>
> All my certs are current and issued by the same CA. The subject is different, though not by much (basically a firstname.lastname.serial). The reason I have multiple certs from the same CA is political, and the older, primary cert has more functionality, but I have to keep the new one for a server that will be stood up "soon."
>
> So we're back to the problem that I have multiple valid certs, but I prefer to use something other than Mozilla's default selection.
You can choose which cert to use. Select "ask every time" in the manner indicated in the previous message. You will then be prompted with a dialog which will contain the list of valid certs, and you will be able to pick the one you want.
It is true that there is no way to override the automatic selection with your own cert. However, the automatic selection is a dynamic process, as I mentioned previously. It is dependent upon the acceptable CA certs of particular servers. If you have multiple certs from different issuers (as, for example, I do), then a default cert is meaningless. To take a concrete example:
I have a cert from Thawte and a corporate cert.
Which one do I set as default?
Corporate sites will require the corporate cert, and other certs from Thawte may require the Thawte cert.
The corporate cert is never acceptable to the Thawte servers, and vice versa.
A default only makes sense when there is ambiguity, i.e. you have two certs from the same issuer. There would have to be one default cert per issuer, rather than a global setting for the default cert. Or perhaps you would set a "priority list" of acceptable certs, that would be combined with the acceptable CAs when you connect to an SSL server. In either case, this would make a very complex and confusing UI.
In truth, most people do not have more than one valid cert per issuer with a different subject, much less more than one valid cert for more than one issuer. Therefore, in my opinion, the complexity of that UI would outweigh its benefits. The "ask every time" setting already allows you to do what you need, at the cost of an extra click at connection time as you get prompted.
Another suggestion: if you never use the other (non-default) certificate, you may as well delete it from your cert database, and Mozilla will then automatically make the right choice of certificate since there will be no ambiguity.
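The selection process described in the reply above, as an added illustration that is not part of the thread and not Mozilla or NSS code: the client first narrows its certificate database to the certs that are currently valid and whose issuer is on the server's acceptable-CA list (the `certificate_authorities` field of the TLS `CertificateRequest`), and only within that set does "select automatically" versus "ask every time" make any difference. Certificates are modelled as plain dicts with constructed sample values (the CA names, nicknames and dates are invented for the example), so it runs offline.

```python
"""Model of how a TLS client narrows its certificate database to the certs a
particular server will accept, and where "ask every time" differs from
automatic selection.

Added example for this thread, not Mozilla/NSS code. Certificates are plain
dicts holding constructed sample values rather than real X.509 objects, and the
server's acceptable-CA set stands in for the certificate_authorities field of
the TLS CertificateRequest message."""
from datetime import date

# Constructed sample client cert database: two current certs from one corporate
# CA with slightly different subjects, one cert from a second (sample) CA, and
# one expired cert from the corporate CA.
CLIENT_CERTS = [
    {"nickname": "Example Corp CA - tom.glaab.0001",
     "subject": "CN=tom.glaab.0001,O=Example Corp",
     "issuer": "CN=Example Corp CA,O=Example Corp",
     "not_before": date(2002, 1, 1), "not_after": date(2005, 1, 1)},
    {"nickname": "Example Corp CA - tom.glaab.0002",
     "subject": "CN=tom.glaab.0002,O=Example Corp",
     "issuer": "CN=Example Corp CA,O=Example Corp",
     "not_before": date(2003, 6, 1), "not_after": date(2006, 6, 1)},
    {"nickname": "Sample Freemail CA - tom",
     "subject": "CN=Freemail Member,E=tom@example.net",
     "issuer": "CN=Sample Freemail CA,O=Sample Public CA",
     "not_before": date(2003, 1, 1), "not_after": date(2004, 1, 1)},
    {"nickname": "Example Corp CA - tom.glaab.0000 (old)",
     "subject": "CN=tom.glaab.0000,O=Example Corp",
     "issuer": "CN=Example Corp CA,O=Example Corp",
     "not_before": date(1999, 1, 1), "not_after": date(2002, 1, 1)},
]

TODAY = date(2003, 9, 1)  # constructed "current date" used for validity checks

# Acceptable-CA sets as two sample servers would send them (constructed).
CORP_CAS = {"CN=Example Corp CA,O=Example Corp"}
FREEMAIL_CAS = {"CN=Sample Freemail CA,O=Sample Public CA"}


def is_valid_on(cert, today=TODAY):
    """Time validity only; revocation and chain building are out of scope here."""
    return cert["not_before"] <= today <= cert["not_after"]


def candidate_certs(certs, acceptable_cas, today=TODAY):
    """Certs that are currently valid and whose issuer is on the server's list.
    This is the set the browser chooses from; nothing outside it is ever
    offered to that server, which is why a global 'default cert' is meaningless
    across servers that trust different CAs."""
    return [c for c in certs
            if is_valid_on(c, today) and c["issuer"] in acceptable_cas]


def select_client_cert(certs, acceptable_cas, ask_every_time=False, today=TODAY):
    """Return (decision, nicknames).

    'none': no usable cert for this server.
    'auto': the client picked one by its own ordering; the user cannot steer it.
    'ask':  the prompt lists the candidates and the user picks."""
    names = [c["nickname"] for c in candidate_certs(certs, acceptable_cas, today)]
    if not names:
        return "none", []
    if ask_every_time:
        return "ask", names
    # Automatic selection: first acceptable cert in database order. The
    # ambiguity discussed in the thread exists only when len(names) > 1.
    return "auto", names[:1]


def delete_cert(certs, nickname):
    """The 'delete the unused cert' suggestion: with one cert per issuer left,
    automatic selection has nothing to be ambiguous about."""
    return [c for c in certs if c["nickname"] != nickname]


if __name__ == "__main__":
    print(select_client_cert(CLIENT_CERTS, CORP_CAS))
    print(select_client_cert(CLIENT_CERTS, CORP_CAS, ask_every_time=True))
    print(select_client_cert(CLIENT_CERTS, FREEMAIL_CAS))
    trimmed = delete_cert(CLIENT_CERTS, "Example Corp CA - tom.glaab.0002")
    print(select_client_cert(trimmed, CORP_CAS, ask_every_time=True))
```

Running it shows the three situations from the reply: against the corporate server both corporate certs are candidates, so automatic selection silently takes the first and "ask every time" offers both; against the freemail server only the freemail cert qualifies, so there is nothing to choose between; and once the unused corporate cert is deleted, even "ask every time" has a single entry to offer.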
