Nicolas wrote:
> You are absolutely right.
> I did what you said and it works.
Groovy.
> So, to summarize what I understood:
> Mozilla's client certificate selection pop-up displays the matching
> certificates: the information appearing in the list being the
> friendly name.
Not exactly. Mozilla displays a cert's "nickname", which may or may not be the same as the "friendly name".
Windows has a friendly-name for each cert. Two different certs with the same subject name can have different friendly-names in Windows, and in PKCS12 files (PKCS12 file format was derived from Microsoft's PFX file format).
Mozilla doesn't use "friendly names" internally. It uses "nicknames". The difference is that a nickname is a short form of a subject name. All certs with the same subject name share a common nickname.
When Mozilla exports a cert to a PKCS12 file, it uses Mozilla's nickname for that cert to make the "friendly name" in the PKCS12 file.
When Mozilla imports a cert with the same subject name as another cert already imported, it uses the nickname that already applies to that other previously-imported cert, so that both certs have the same nickname. This is intentional.
When Mozilla imports a cert with a subject name that doesn't match the subject name of any previously-imported (or generated) cert, Mozilla will check to see that the "friendly name" in the PKCS12 file is present and doesn't duplicate the nickname of any other cert already in the cert DB. If so, Mozilla will import the cert using the PKCS12 friendly name as the nickname.
> What I experienced with client certificate generation is that IE does
> not put a friendly name, equals to null when I look in the cert
> manager. So when you export it, instead of putting null, it puts an
> odd number. Reimporting it makes Mozilla display weird stuff.
Right.
> For Mozilla, it seems to be different: when creating a certificate,
> Mozilla puts by default the CN of the certificate as the friendly
> name. Thus, when I try to export a Mozilla generated certificate (with
> the keygen tag), what I get in the Windows cert manager as a friendly
> name is the CN of the certificate. Do you confirm that it is the
> default behavior of Mozilla?
IIRC, for generating certs, Mozilla constructs the friendly name from several components of the full cert subject name. I don't recall the specifics. Sorry.
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
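
A small model of the import and export rules described in the message above, added here as an example; it is not NSS or Mozilla code and not part of the original post. The `CertDB` class, its method names, the sample subjects and names, and the fallback used when no usable friendly name exists are assumptions.

```python
# Model of the nickname rules stated in the message above; not NSS code.
from typing import Dict, Optional


class CertDB:
    def __init__(self) -> None:
        # subject name -> nickname shared by every cert with that subject
        self.nick_by_subject: Dict[str, str] = {}

    def import_pkcs12(self, subject: str, friendly_name: Optional[str]) -> str:
        """Return the nickname the imported cert ends up with."""
        # Subject already known: reuse its nickname, ignore the file's name.
        if subject in self.nick_by_subject:
            return self.nick_by_subject[subject]
        # New subject: take the friendly name if present and not a duplicate.
        if friendly_name and friendly_name not in self.nick_by_subject.values():
            nickname = friendly_name
        else:
            # Assumption: the message does not cover this case, so the model
            # falls back to the subject name.
            nickname = subject
        self.nick_by_subject[subject] = nickname
        return nickname

    def export_friendly_name(self, subject: str) -> str:
        # On export the nickname becomes the PKCS12 friendly name.
        return self.nick_by_subject[subject]


def demo() -> Dict[str, str]:
    db = CertDB()
    alice, bob = "CN=Alice,O=Example", "CN=Bob,O=Example"  # constructed
    odd = "0123456789"  # constructed stand-in for the exporter's odd number
    return {
        "first": db.import_pkcs12(alice, odd),         # odd name is adopted
        "reimport": db.import_pkcs12(alice, "Alice"),  # same subject: kept
        "collision": db.import_pkcs12(bob, odd),       # duplicate: rejected
        "export": db.export_friendly_name(alice),      # nickname written out
    }


if __name__ == "__main__":
    for step, nickname in demo().items():
        print(f"{step}: {nickname}")
```

Under the rules as stated, the `reimport` step shows that a second file with the same subject and a better friendly name still ends up under the nickname already in the database.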
