I'm endeavouring to automate the installation of certificates into NS4.75+, NS6+ and NS7+ under various Windows flavours using the nss-3.6 binaries built for NS4 and NS6, and the nss-3.8 binaries built for NS7. These appear to be appropriate builds for the NS databases (NS4=cert7, NS6=cert7 and NS7=cert8). I've found little documentation, some of it conflicting, but I've got to where I am now with gleanings from here and there, including some from this newsgroup. I'd appreciate help - a comment or two would be gratefully received.

I delete the three .db files, use modutil to create new files and then change the password. Then when I fire up Netscape and install the certificates from within the browser, here's what I get (trimming out all but the relevant entries):

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -L -d "C:\Program Files\Netscape\Users\leigh_harrison"
> ... snip ...
MyClient Root CA - MyClient Limited                          c,c,c
privateKey                                                   u,pu,u
MyClient HMSCert CA - MyClient Limited                       c,c,c
privateKey                                                   u,pu,u

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -K -d "C:\Program Files\Netscape\Users\leigh_harrison" -k "all" -f "dbpassword.txt"
<0> privateKey
<1> privateKey

This works fine and I can connect to the issuer's site without problems.

If I then delete the three .db files again, recreate them, change the password and perform the following sequence programmatically, I get this:

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>pk12util -i "c:\Projects\Certs\hms.user.blkcoff.cipher.pfx" -d "C:\Program Files\Netscape\Users\leigh_harrison" -W "userpassword" -K "dbpassword" -h "NSS Certificate DB"

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>pk12util -i "c:\Projects\Certs\hms.user.blkcoff.signature.pfx" -d "C:\Program Files\Netscape\Users\leigh_harrison" -W "userpassword" -K "dbpassword" -h "NSS Certificate DB"

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -L -d "C:\Program Files\Netscape\Users\leigh_harrison"
> ... snip ...
MyClient Root CA                                             c,c,
privateKey                                                   u,u,u
MyClient HMSCert CA                                          c,c,
privateKey                                                   u,u,u

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -K -d "C:\Program Files\Netscape\Users\leigh_harrison" -k "all" -f "dbpassword.txt"
<0> privateKey
<1> privateKey

If I compare the detailed entries between the browser-entered and programmatically-entered certificates at this point, almost everything matches. The keys are identical. The only significant differences (I thought) are the ones obvious above: the Object signing flags for the MyClient entries lack "Valid CA", and the Email flags for privateKey lack "Valid Peer".

I can deal with most of these straightforwardly:

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -M -n "MyClient Root CA" -t "c,c,c," -d "C:\Program Files\Netscape\Users\leigh_harrison"

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -M -n "MyClient HMSCert CA" -t "c,c,c," -d "C:\Program Files\Netscape\Users\leigh_harrison"

C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -M -n "privateKey" -t "u,pu,u," -d "C:\Program Files\Netscape\Users\leigh_harrison"

I then have:

MyClient Root CA                                             c,c,c
privateKey                                                   u,u,u
MyClient HMSCert CA                                          c,c,c
privateKey                                                   u,pu,u

But! I can't get to that second privateKey entry because there are two with the same name. Nor can I find a way to massage the names of the "MyClient" certificates.

When I try to connect to the issuer's website using these programmatically-entered certificates, I first get a popup from the browser saying

No User Certificate

The site 'secure.MyClient.net' has requested client authentication, but you do not have a Personal Certificate to authenticate yourself. The site may choose not to give you access without one.

This is followed by what looks like a typical IIS error message:

The page requires a client certificate

  The page you are trying to view requires the use of a client certificate.

  Please try the following:

       Click the Refresh button to try again, if you have installed your
       client certificate.
       If you believe you should be able to view this directory or page,
       please contact the Web site administrator by using the e-mail
       address or phone number listed on the secure.MyClient.net
       home page.

  HTTP 403.7 - Forbidden: Client certificate required
  Internet Information Services

  Technical Information (for support personnel)

       Background:
       This error occurs when the resource you are attempting to
       access requires your browser to have a Secure Sockets Layer
       (SSL) client certificate that the server recognizes.

       More information:
       Microsoft Support

It's not obvious to me what I'm doing wrong. If it's obvious to you, please do feel free to have a good laugh without any guilt, but if you can spare a moment between guffaws, drop me a line to point me in the right direction.

Thanks,

Leigh Harrison
[EMAIL PROTECTED]
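An automated installer like the one described in the post needs a verification step after the pk12util imports, since the trust flags and the duplicate "privateKey" nickname only become visible in the certutil -L listing. The checker below is an added example and is not code from the post or from NSS: it parses a certutil -L listing, compares each nickname's trust flags (SSL, email, object signing slots) against the flags the browser-driven install produced, and reports any nickname that occurs more than once, which is exactly the case certutil -M cannot address by name. The listing embedded here is a constructed sample copied from the post's second run; the EXPECTED table and the function names are assumptions for this example.

```python
"""Verify an NSS certificate DB listing (certutil -L output) against the
trust attributes an installer expects, and flag ambiguous nicknames.
Added example, not part of the original post."""
import re
import subprocess
from collections import Counter

# Constructed sample: the listing after the programmatic pk12util import in
# the post (the CA entries lack 'c' in the object-signing slot, the user
# certs lack 'p' in the email slot, and both user certs share a nickname).
SAMPLE_LISTING = """\
Certificate Name                                             Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyClient Root CA                                             c,c,
privateKey                                                   u,u,u
MyClient HMSCert CA                                          c,c,
privateKey                                                   u,u,u
"""

# Known-good trust attributes, i.e. what the browser-driven install produced.
EXPECTED = {
    "MyClient Root CA": "c,c,c",
    "MyClient HMSCert CA": "c,c,c",
    "privateKey": "u,pu,u",
}

SLOT_NAMES = ("SSL", "email", "object signing")

# A listing row: nickname, at least two spaces, then three comma-separated
# groups of NSS trust flag letters (possibly empty, e.g. "c,c,").
LINE_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpuw]*(?:,[CTcPpuw]*){2})\s*$"
)


def parse_listing(text):
    """Return [(nickname, trust_string), ...] from certutil -L output.
    Header lines do not match the trust pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("nick"), m.group("trust")))
    return entries


def trust_slots(trust):
    """Split 'c,pu,' into three frozensets of flag letters, one per slot."""
    parts = trust.split(",")
    parts += [""] * (3 - len(parts))
    return [frozenset(p) for p in parts[:3]]


def check_listing(text, expected):
    """Compare a listing with the expected trust table.

    Returns (problems, duplicates): problems is a list of
    (nickname, actual_trust, description) for every entry whose slots lack
    an expected flag or whose nickname is unknown; duplicates is a sorted
    list of nicknames that appear more than once (certutil -M -n cannot
    select one of them unambiguously)."""
    entries = parse_listing(text)
    counts = Counter(nick for nick, _ in entries)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    problems = []
    for nick, trust in entries:
        want = expected.get(nick)
        if want is None:
            problems.append((nick, trust, "nickname not in expected table"))
            continue
        have, need = trust_slots(trust), trust_slots(want)
        for slot, name in enumerate(SLOT_NAMES):
            missing = need[slot] - have[slot]
            if missing:
                problems.append(
                    (nick, trust, f"{name} slot lacks {''.join(sorted(missing))}")
                )
    return problems, duplicates


def list_db(dbdir):
    """Run certutil -L on a real profile directory and return its output.
    Requires certutil on PATH; not used by the offline demonstration."""
    return subprocess.run(
        ["certutil", "-L", "-d", dbdir], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    problems, duplicates = check_listing(SAMPLE_LISTING, EXPECTED)
    for nick, trust, why in problems:
        print(f"FIX  {nick!r:32} {trust:8} {why}")
    for nick in duplicates:
        print(f"DUP  {nick!r}: more than one entry, certutil -M -n is ambiguous")
```

Run against the sample, the checker reports the two CA entries missing the object-signing "c", both user entries missing the email "p", and "privateKey" as a duplicate nickname. In an installer the same check can gate on `list_db(profile_dir)` after the imports, so the job fails loudly instead of leaving a profile that the server later rejects with 403.7.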
