Vivek,
Vivek Chadha wrote:
> Antonio - assuming I understood your question correctly -
> "When I attempt to import the CA cert to the smartcard, why doesn't the
> NSS create a 'new' cert in the token store (on the smartcard)? Instead,
> you just see a copy over of the CA cert to the token store"
> I think the reason is that when you attempt to move a CA cert, you do
> not have its corresponding private key and the NSS will not let you
> 'own' the CA cert. The smartcard is a secure storage for only the certs
> that the individual entity owns. The 'public' CA cert is exactly
> that...'public' so there is no reason to move it elsewhere.
How are you importing the cert to your smartcard? From a PKCS#12 file
containing the key and the cert chain?
Smartcards in general have limited storage. Many can store only a
couple of certs. But there is nothing in the PKCS#11 that technically
prevents certs from being added to the card without a private key. So,
CA certs can be imported. The smartcard module itself can choose to
report a failure if it's full. Many modules actually don't (sigh), and
silently report success, even though the cert import failed. I have
seen such problems with Muscle drivers for example.
That said, NSS has not always tried to import the full cert chain to the
card. I worked on this years ago and can't remember the whole story now.
You should search bugzilla for old NSS bugs first.