Nelson B wrote:
Leigh Harrison wrote:
> I'm endeavouring to automate the installation of certificates into
> NS4.75+, NS6+ and NS7+ under various Windows flavours using the nss-3.6
> binaries build for NS4 and NS6, and the nss-3.8 binaries build for NS7.
> These appear to be appropriate builds for the NS databases (NS4=cert7,
> NS6=cert7 and NS7=cert8). [snip]
> I delete the three .db files, use modutil to create new files and then
> change the password.

why modutil?  Typically one would create new files and set the password
with the command
    certutil -N -d ...

I happened across modutil -create during early investigation of the toolset and stuck with it. Easily changed if it's important, and I'm only recreating the databases during development anyway.
> Then when I fire up Netscape and install the certificates from within the
> browser,

Please explain what exactly you mean by "install the certificates from
within the browser". Are you importing pfx files from IE?  or are you
getting certs directly from a cert server? or what?

The client has issued us with two .pfx and two .cer files - one cipher and one signature in each format.
> here's what I get (trimming out all but the relevant entries):
> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -L -d
> "C:\Program Files\Netscape\Users\leigh_harrison"
> > ... snip ...
> MyClient Root CA - MyClient Limited                          c,c,c
> privateKey                                                   u,pu,u
> MyClient HMSCert CA - MyClient Limited                       c,c,c
> privateKey                                                   u,pu,u

Are you sure those are lower case "c", and not upper case "C"?

Yes.
> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -K -d
> "C:\Program Files\Netscape\Users\leigh_harrison" -k "all" -f
> "dbpassword.txt"
> <0> privateKey
> <1> privateKey

Based on that output, I'd say you were using N4.x for that example, yes?

Correct. 4.8, in fact.
> This works fine and I can connect to the issuer's site without problems.
> If I then delete the three .db files again, recreate them, change the
> password and perform the following sequence programmatically, I get this:
> ... snip ...
> MyClient Root CA                                             c,c,
> privateKey                                                   u,u,u
> MyClient HMSCert CA                                          c,c,
> privateKey                                                   u,u,u

same question about case of "c".

They are lower case, yes.
What does the browser's certificate manager show about these user certs?
Do they appear in the list of "your" certs?  Do they appear valid for SSL?
Sticking with NS4 for consistency, in the list on the Certificates / Yours tab we have one entry "privateKey". Viewing this asks us to choose one of two certificates. The first contains

This Certificate belongs to:
  User Name
  [EMAIL PROTECTED]
  Black Coffee Software Ltd
  Wellington, -, NZ

This Certificate was issued by:
  MyClient HMSCert CA
  [EMAIL PROTECTED]
  Certification Services
  MyClient Limited
  NZ

Serial Number: 63:C8:D5:12:AC:41:B2:DA
This Certificate is valid from Fri Aug 15, 2003 to Thu Aug 19, 2004
Certificate Fingerprint:
  05:85:F5:EB:03:C8:74:29:44:30:0C:72:47:E2:77:F9

The first two sections for the second "privateKey" are identical, the third differs:

Serial Number: 2B:7A:56:62:AD:B7:E9:1A
This Certificate is valid from Fri Aug 15, 2003 to Thu Aug 19, 2004
Certificate Fingerprint:
  A3:BE:5D:79:E1:C7:7A:50:05:5A:9E:3D:65:0A:BD:0A

In the Certificates / Signers tab we have two new entries,

MyClient HMSCert CA
MyClient Root CA

Verifying both certificates fails:

Verification of the selected certificate failed for the following reasons:

[CERTIFICATE NAME]
     Unable to find Certificate Authority

Editing MyClient HMSCert CA tells me

This Certificate belongs to:
  MyClient HMSCert CA
  [EMAIL PROTECTED]
  Certification Services
  MyClient Limited
  NZ

This Certificate was issued by:
  MyClient Root CA
  [EMAIL PROTECTED]
  Certification Services
  MyClient Limited
  Auckland, NZ

Serial Number: 08:00:28:88:82:AA:00:08
This Certificate is valid from Wed Aug 06, 2003 to Sat Dec 13, 2014
Certificate Fingerprint:
  0B:A7:6E:65:07:3F:A3:44:A4:CF:62:77:58:E8:CA:FF
This Certificate belongs to a Certifying Authority
  [ ]  Accept this Certificate Authority for Certifying network sites
  [ ]  Accept this Certificate Authority for Certifying e-mail users
  [ ]  Accept this Certificate Authority for Certifying software developers

  [ ]  Warn before sending data to sites certified by this authority

None of the checkboxes is checked, for this or for the second certificate, which has the following differences.

This Certificate belongs to:
  MyClient Root CA
  [EMAIL PROTECTED]
  Certification Services
  MyClient Limited
  Auckland, NZ

This Certificate was issued by:
  MyClient Root CA
  [EMAIL PROTECTED]
  Certification Services
  MyClient Limited
  Auckland, NZ

Serial Number: 00
This Certificate is valid from Tue Jan 21, 2003 to Mon Dec 07, 2026
Certificate Fingerprint:
  51:2E:90:F5:C5:0F:32:03:FD:54:3B:78:2C:F2:4B:05

I would have expected at least the first checkbox to be checked for both certificates.

> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -K -d
> "C:\Program Files\Netscape\Users\leigh_harrison" -k "all" -f
> "dbpassword.txt"
> <0> privateKey
> <1> privateKey

That surprises me.  That looks like the output for a key3.db file
created by N4.x, not by the command line utilities.  This makes me wonder
certain things, such as:
a) are you certain that you deleted all 3 files, including key3.db before
reimporting the certs?

Yes. I use the same batch file each time and the output tells me if deletion fails.
b) did you possibly leave the browser running while you did these steps?
I've been caught by that a few times! In this instance I'm confident it was closed, but I'll re-run these tests to be sure once I've posted this message (I'm using the NS4 mail and news client and - silly girl - I've already killed this reply once).
> If I compare the detailed entries between the browser and
> programmatically -entered certificates at this point, almost everything
> matches. The keys are identical. The only significant differences (I
> thought) are the ones obvious above: Object signing flags: for the
> MyClient entries lacks "Valid CA", and Email flags: for privateKey lacks
> "Valid Peer".

I don't believe any of these things are relevant to your test.  Your test
was for SSL client authentication, so only the flags before the first
comma are relevant.  There's no point in trying to change those things,
IMO, so I'll snip your discussion of the attempt to change those flags.

Cool.
> But! I can't get to that second privateKey entry because there are two
> with the same name.

That change is unnecessary.

Also good to know. Thanks.
> Nor can I find a way to massage the names of the
> "MyClient" certificates.

When you import a cert with pk12util, the cert's "nickname" (a.k.a.
"friendly name") is taken directly from the pkcs12 (pfx) file, and
cannot be changed.  In general, a cert's nickname cannot be changed
after it is imported, regardless of how it was imported.

> When I try to connect to the issuer's website using these
> programmatically-entered certificates, I first get a popup from the
> browser saying
> No User Certificate
> The site 'secure.MyClient.net' has requested client authentication, but
> you do not have a Personal Certificate to authenticate yourself. The
> site may choose not to give you access without one.

Assuming that you were testing with the same server both times, and its
configuration did not change, the problem must be that the browser does
not find one of the necessary components, including:
1) the user's cert
2) the complete chain of CA certs for the user's cert,
3) the private key for the user's cert

Checking this with NS6 which offers more detail, it seems none of the certificates is chained to anything else, and I'm surmising that this is the problem. But! Exactly the same process works fine in NS7, admittedly using a later build of the toolset.
The browser's display of certs is the most reliable way to see what it sees.
You should see your two user certs in the list of "your" certs, and the
CA certs in the list of "signer" certs (assuming you're using N4.x).
Yes, this is right, as detailed above.
Also, I wonder if you might have imported different CA certs the second
time.  Check the full subject and issuer name of each cert.  Check the
issuer name against the subject name of the issuing CA cert.  Make sure
you have the right CA certs in the chain.
I have just the four files as noted above.

Thanks for your comments. I've a few things to follow up and test further now.

Regards ...
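As an added example, not part of Leigh's or Nelson's messages and not code from the NSS tools themselves: a small Python script that audits a cert DB for the three things Nelson lists as required for SSL client authentication (a user cert, the complete CA chain, and a private key for the user cert), looking only at the SSL column before the first comma. It parses `certutil -L` and `certutil -K` output as quoted in the thread; the sample listing, the key listing and the issuer map (which nickname was issued by which, taken by hand from the certificate viewer text above) are all constructed here, and the exact line format of `certutil -L` is assumed from the quoted output, so check it against your own build before relying on the parser.

```python
"""Audit an NSS cert DB listing for what SSL client auth needs: a user cert
('u' in the SSL column), its CA chain up to a self-issued root, and a private
key for it. Input is `certutil -L` and `certutil -K` text, plus an issuer map
you fill in from the browser's certificate viewer (certutil -L does not show
issuer names)."""
import re
from collections import Counter

# One data line of `certutil -L` output (format assumed from the thread):
# nickname, two or more spaces, three comma-separated trust-flag fields.
# A field may be empty, as in "c,c,".
_LISTING_LINE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)
# One line of `certutil -K` output, e.g. "<0> privateKey".
_KEY_LINE = re.compile(r"^<\d+>\s+(?P<nick>.+?)\s*$", re.MULTILINE)

# Constructed sample listing, modelled on the output quoted in the thread.
LISTING_OK = """\
MyClient Root CA                                             c,c,
privateKey                                                   u,u,u
MyClient HMSCert CA                                          c,c,
privateKey                                                   u,u,u
"""
KEYS_OK = "<0> privateKey\n<1> privateKey\n"
# Constructed issuer map keyed by nickname; the root is self-issued.
ISSUER_OF = {
    "privateKey": "MyClient HMSCert CA",
    "MyClient HMSCert CA": "MyClient Root CA",
    "MyClient Root CA": "MyClient Root CA",
}
# Same listing with the root CA missing, to show a broken chain.
LISTING_NO_ROOT = "\n".join(
    l for l in LISTING_OK.splitlines() if "Root" not in l) + "\n"


def parse_listing(text):
    """Return [(nickname, (ssl, smime, objsign)), ...] in listing order,
    keeping duplicate nicknames (the thread has two 'privateKey' certs)."""
    entries = []
    for line in text.splitlines():
        m = _LISTING_LINE.match(line)
        if m:
            ssl, smime, objsign = m.group("trust").split(",")
            entries.append((m.group("nick"), (ssl, smime, objsign)))
    return entries


def parse_keys(text):
    """Count private keys per nickname from `certutil -K` output."""
    return Counter(_KEY_LINE.findall(text))


def chain_to_root(nick, issuer_of, ca_nicks):
    """Walk issuer names from `nick` up to a self-issued root.
    Returns (chain, broken_at): chain lists the CA nicknames found in the
    DB; broken_at is the first name that is absent, or None if complete."""
    chain, cur = [], nick
    while True:
        issuer = issuer_of.get(cur)
        if issuer is None:
            return chain, cur        # issuer of `cur` is unknown to us
        if issuer == cur:
            return chain, None       # self-issued root reached
        if issuer not in ca_nicks or issuer in chain:
            return chain, issuer     # CA cert absent from DB (or a loop)
        chain.append(issuer)
        cur = issuer


def audit(listing_text, keys_text, issuer_of):
    """Report problems against the three requirements, SSL column only."""
    entries = parse_listing(listing_text)
    keys = parse_keys(keys_text)
    ca_nicks = {n for n, (ssl, _, _) in entries if set(ssl) & set("cCT")}
    user_nicks = [n for n, (ssl, _, _) in entries if "u" in ssl]
    problems, notes = [], []
    if not user_nicks:
        problems.append("no user cert ('u' in SSL column) in the database")
    # 3) a private key for each user cert (compare counts per nickname,
    #    since duplicate nicknames cannot be told apart in the listing)
    for nick, n in Counter(user_nicks).items():
        if keys[nick] < n:
            problems.append(f"{n} user cert(s) {nick!r} but only "
                            f"{keys[nick]} private key(s) in certutil -K")
    # 2) the complete chain of CA certs for each user cert
    for nick in user_nicks:
        chain, broken_at = chain_to_root(nick, issuer_of, ca_nicks)
        if broken_at is not None:
            problems.append(f"chain for {nick!r} breaks at {broken_at!r} "
                            f"(CA certs found: {chain})")
    # Informational: lower-case 'c' is a valid CA, upper-case 'C' is a CA
    # trusted to issue server certs; the thread shows 'c' working in NS4.
    for nick in sorted(ca_nicks):
        ssl = next(t[0] for n, t in entries if n == nick)
        if "C" not in ssl and "T" not in ssl:
            notes.append(f"CA {nick!r} has SSL flags {ssl!r}: valid, not trusted")
    return {"user_certs": user_nicks, "problems": problems, "notes": notes}


if __name__ == "__main__":
    for label, listing in (("complete", LISTING_OK), ("no root", LISTING_NO_ROOT)):
        print(label, audit(listing, KEYS_OK, ISSUER_OF))
```

Run it against the real output of `certutil -L -d <dir>` and `certutil -K -d <dir> -f <pwfile>` from a batch file after the import step; an empty `problems` list is what you want before reaching for the browser's certificate manager.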
