OK. I've downloaded and tested with NSS 3.3.1 and, no, behaviour still the
same.

A couple of other points I've noticed which may - for all I know - be
relevant.

Firstly, when the certificates are installed from within the browser, the
name of the certificates on the Signers tab is different to the name when the
certs are installed programmatically. Installed programmatically they're
named

  - MyClient Root CA
  - MyClient HMSCert CA

Installed from within the browser they're named

  - MyClient Root CA - MyClient Limited
  - MyClient HMSCert CA - MyClient Limited

If I install certificates from within the browser and uncheck the acceptances
on the Signers entries, attempting to verify the Yours certificate
"privateKey" fails with the message:

  Verification of the selected certificate failed for the following reasons:
  MyClient Root CA - MyClient Limited[Certificate Authority]
       Certificate not trusted

Note that the name is exact.

If I install certificates programmatically and attempt to verify the Yours
entry "privateKey", I get a different result:

  Verification of the selected certificate failed for the following reasons:
  privateKey
       Unable to find Certificate Authority

However, if I verify the same programmatically-installed certificate from the
command line:

certutil -V -n "privateKey" -d "C:\Program Files\Netscape\Users\leigh_harrison" -u C
  certutil: certificate is valid

Hmmm.

I'm about to repeat this with NS6, but I suspect the results will be much the
same as NS4. Puzzling, huh?

::Leigh
[EMAIL PROTECTED]



Leigh Harrison wrote:

> Nelson, thank you for responding, on your day off and all!
>
> Nelson B wrote:
> > Leigh,
> > Please review my summary below, and tell me if I've made any mistakes.
> > As I understand it, the very same certs and private keys work in all 3
> > versions of the browser (4.8, 6.x, and 7.x) when the certs are imported
> > into the DBs by the browser itself.  That is, when the certs are
> > imported by the browser itself, the browser is able to do SSL client
> > authentication with the test server.
>
> Correct.
>
> > When the certs are loaded via NSS 3.8's pk12util, they work in NS7.
> > NS7 works either way, whether the certs are imported by the browser or
> > by pk12util.
>
> Correct.
>
> > When the certs are loaded via NSS 3.6's pk12util, they do NOT work
> > in either NS 4.8 or NS 6.x.
>
> Correct.
>
> > If the above summary is correct, then I think we can conclude that
> > there is nothing wrong with the certs themselves, but rather something
> > about importing certs with NSS 3.6 creates a DB that is incompatible
> > with NS 4.8 and 6.x, even though the name is the right name for those
> > versions of the browser.
>
> This seems a reasonable assumption.
>
>  > ... snip ...
> > So, let me suggest that you try using NSS 3.3, and see if that makes a
> > difference.  The NSS 3.3 sources are still available.  There might
> > even be binaries available on mozilla.org's ftp site.
>
> I'll try this. Thank you again.
>
> ::Leigh (on a day off)
> [EMAIL PROTECTED]

