Julien Pierre wrote:

4) pk12util -d petar -i "petar/Demo User Revoked (DEMO-SICA).pfx"

This installs the revoked cert.

6) certutil -d petar -n 1118bd833019ce94b626d680206a5cdb_61c37a0b-e01f-465e-ba3b-327aa038b07d -V -u S

This checks your revoked cert. The output is:
certutil: certificate is invalid: Peer's Certificate has been revoked.

This proves that NSS is doing what it should (except the nicknames generated for your certs are really ugly - I don't know why that is).

That big ugly hexadecimal number is a "GUID", a 256 bit number, part of
which is random, expressed in hexadecimal with some punctuation.  It was
part of the .pfx file you imported.  pfx files are Microsoft's version of
PKCS12 files.

When you import a cert into Windows' cert store (e.g. from an issuing CA)
Windows gives the cert a GUID.  You may also then use Windows' cert manager
to give the cert a "friendly name".

When you export the cert from Windows' key store to a PKCS12/pfx file, if
you have not previously given the cert a friendly name, Windows will use
the cert's GUID as its friendly name in the PFX file.  Then when the pfx
file is imported into Mozilla's cert store, you get that ugly GUID for the
cert's nickname.

The moral of this story is that users of certs in Windows' cert store should
always give their certs "friendly names" before exporting them to PFX files.

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
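
Added example, not part of the original message and not NSS code: a Python check that reads a `certutil -L` style listing and reports nicknames shaped like the one in step 6 (32 hex digits, an underscore, then a GUID), or a bare GUID, so certs imported from a PFX without a friendly name can be found. The sample listing is constructed apart from the nickname quoted above, and the function names are this example's own.

```python
import re

# Nickname shape seen in step 6: 32 hex digits, "_", then a GUID.
# A bare GUID is accepted too (assumption: some exports carry only the GUID).
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
AUTO_NICKNAME = re.compile(rf"^(?:[0-9a-f]{{32}}_)?{GUID}$", re.IGNORECASE)

# Trust column of `certutil -L`: three comma-separated flag groups, e.g. "u,u,u".
TRUST = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# Constructed sample in the layout `certutil -d <dir> -L` prints.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Demo Issuing CA                                              CT,C,C
Demo User Valid                                              u,u,u
1118bd833019ce94b626d680206a5cdb_61c37a0b-e01f-465e-ba3b-327aa038b07d u,u,u
"""


def parse_listing(text):
    """Yield (nickname, trust_flags) pairs, skipping header and blank lines."""
    for line in text.splitlines():
        parts = line.rsplit(None, 1)  # nicknames may contain spaces
        if len(parts) == 2 and TRUST.match(parts[1]):
            yield parts[0].strip(), parts[1]


def auto_named(text):
    """Return nicknames that look generated rather than chosen by a person."""
    return [nick for nick, _ in parse_listing(text) if AUTO_NICKNAME.match(nick)]


if __name__ == "__main__":
    for nick in auto_named(SAMPLE_LISTING):
        print("no friendly name was set before export:", nick)
```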
