A few questions about importing and using certs in Mozilla:
1. Am I correct in thinking that Mozilla imports certs in PKCS#12 format, and the default filename extn. is .p12 ?
PKCS12 files are used to import a private key, and the "user certificate" with the corresponding public key, and the certificates that make up the "certificate chain" for that user certificate. PKCS12 files are also known as .pfx files.
If you just want to import a cert (not a private key), there are several ways to do that.
2. When starting a TLS session, Mozilla checks the name on the cert against the domain of the site. Which component(s) of the distinguished name are used to perform this check?
There are two places in a certificate where the server's domain name may be found:
   1. In the optional list of "Subject Alternative Names". This is the preferred place according to RFC 3280.
   2. In the "Common Name" (CN) component of the Subject Distinguished Name. This is where it is most commonly found.
One certificate may serve multiple servers by having multiple Subject Alternative Names.
3. More generally, is there a succinct and up-to-date list of distinguished name components in common use for internet-related certs? I'm familiar with the basics (CN, O, OU etc.) but these don't map very well to internet usage, and I gather that there are other components which have been adopted to get round this. (I've come across "E=", for example, but I'm not sure what it means.)
RFC 3280 is the IETF standard for certificates. But you asked about common use. Legacy uses are still more common than the standards. For certs used with email, email addresses may appear in the optional list of "Subject Alternative Names" (which is preferred, according to RFC 3280), or in one of several attributes of the Subject Distinguished Name.
4. Even more generally, is there a good FAQ around for these kinds of question, and / or this NG?
Alas, no. Here's your chance for fame and glory! Write one!
-- Nelson B
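
Added example, not part of the original message and not Mozilla's code: a sketch of the server-name check described in answer 2, run over dicts shaped like the output of Python's ssl.SSLSocket.getpeercert(). It goes beyond the post in two labelled assumptions: the RFC 2818 rule that the CN is consulted only when no dNSName Subject Alternative Name is present, and a single-label wildcard match. The function names and sample certificates are constructed for illustration.

```python
# Added example: server-name check over getpeercert()-style dicts.
# Sample certificates are constructed; they do not describe any real site.

def _name_matches(pattern, host):
    """Case-insensitive match; '*.' covers exactly one leftmost label (assumption)."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def dns_sans(cert):
    """dNSName entries from the Subject Alternative Names list."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    """CN attributes from the Subject Distinguished Name."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]

def check_server_name(cert, host):
    """Return (matched, source). SAN dNSNames win; the CN is only a fallback
    when the certificate has none (RFC 2818 rule, assumed here).
    Simplification: any CN is accepted, not just the most specific one."""
    sans = dns_sans(cert)
    if sans:
        return any(_name_matches(n, host) for n in sans), "subjectAltName"
    return any(_name_matches(n, host) for n in common_names(cert)), "commonName"

# Constructed sample: legacy certificate with the host name only in the CN.
LEGACY = {"subject": ((("organizationName", "Example Org"),),
                      (("commonName", "www.example.test"),))}

# Constructed sample: one certificate serving several servers via SANs.
MULTI = {"subject": ((("commonName", "www.example.test"),),),
         "subjectAltName": (("DNS", "mail.example.test"),
                            ("DNS", "*.apps.example.test"),
                            ("email", "admin@example.test"))}

if __name__ == "__main__":
    for cert, host in [(LEGACY, "www.example.test"),
                       (MULTI, "mail.example.test"),
                       (MULTI, "www.example.test")]:
        print(host, check_server_name(cert, host))
```

The last case is the one that catches people out: once a certificate carries dNSName entries, a host name that appears only in the CN no longer matches.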
