Vivek Chadha wrote:
Antonio - assuming I understood your question correctly -
"When I attempt to import the CA cert to the smartcard, why doesn't the
NSS create a 'new' cert in the token store (on the smartcard)? Instead,
you just see a copy over of the CA cert to the token store"
I think the reason is that when you attempt to move a CA cert, you do
not have its corresponding private key and NSS will not let you
'own' the CA cert. The smartcard is secure storage only for the certs
that the individual entity owns. The 'public' CA cert is exactly
that...'public', so there is no reason to move it elsewhere.
Vivek.
Hi Vivek. Well, I'll try to explain the problem I'm having better:
- I have my PKCS11 module installed on Mozilla.
- Now I want to request a new personal certificate from a PKI (internal
to the department of computer science of my university).
- Then, using Mozilla, I browse to the PKI web pages and I request a
new personal certificate by filling in a form. This request implies a sequence
of calls generated by NSS to the pkcs11 module (i.e. the
C_GenerateKeyPair function of the pkcs11 module and others are invoked,
creating the corresponding token objects, which replace the old ones).
- When the C_GenerateKeyPair method of my pkcs11 module is invoked,
besides creating the token objects it tells the smartcard that a
new private key must be generated.
- When the CA has issued the certificate I browse again to the PKI
web pages to retrieve and import it. Again that involves a sequence of
calls to the pkcs11 module (i.e. C_CreateObject() of the pkcs11 module is invoked
to create a new X509 Certificate object. That means that my pkcs11 module,
besides creating the new object, tells the smartcard to
store the user certificate I'm importing).
- Now here is the problem: if I now repeat the process but trying to
import the CA cert from the PKI web pages, it doesn't generate any
call to my pkcs11 module, and the CA certificate is only imported into the
Mozilla database. That is, the effect of importing the CA certificate isn't
the same as importing the personal certificate (in that case many pkcs11
methods were invoked).
I hope the problem is understood better now.
Thanks,
Antonio.
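The exchange above comes down to a dispatch rule on the client side: a certificate is written to a PKCS#11 token only when that token already holds the matching private key, otherwise it stays in the browser's software database and the module never sees a call. The Python below is an added illustration of that rule, not NSS code and not Antonio's PKCS#11 module. The CK*_ constants are the standard PKCS#11 values; the CKA_ID pairing convention (SHA-1 of the public-key bytes), the `Token` class with its `c_*` methods, and every key and certificate record are constructed assumptions. It replays the thread's scenario (user cert lands on the card, CA cert does not) and then shows what has to happen to put the CA cert on the card anyway: a direct C_CreateObject with a CKO_CERTIFICATE template.

```python
"""Model of where an NSS-style client puts an imported X.509 certificate:
on the PKCS#11 token that already holds the matching private key, or, when
no token does, in the browser's own software certificate database.

Added illustration: not NSS code and not the poster's PKCS#11 module.
The CK*_ constants are the standard PKCS#11 values; the CKA_ID derivation,
the Token class and all key/certificate records are constructed assumptions.
"""
import hashlib

# Standard PKCS#11 object classes, certificate type and attribute types.
CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = 0x1, 0x2, 0x3
CKC_X_509 = 0x0
CKA_CLASS, CKA_TOKEN, CKA_LABEL, CKA_VALUE = 0x0, 0x1, 0x3, 0x11
CKA_CERTIFICATE_TYPE, CKA_ISSUER, CKA_SUBJECT, CKA_ID = 0x80, 0x81, 0x101, 0x102


def make_cka_id(public_key: bytes) -> bytes:
    """Assumed pairing convention: certificate and key objects share a CKA_ID
    derived from the public key, so the client can match them on the token."""
    return hashlib.sha1(public_key).digest()


class Token:
    """Minimal stand-in for a smartcard behind a PKCS#11 module.  Objects are
    dicts of CKA_* attribute -> value; the list index is the object handle."""

    def __init__(self, label: str):
        self.label = label
        self.objects = []

    def c_generate_key_pair(self, public_key: bytes, label: str) -> bytes:
        """What C_GenerateKeyPair leaves on the card: a public and a private key
        object sharing one CKA_ID (key material is modelled by constructed bytes)."""
        cka_id = make_cka_id(public_key)
        self.objects.append({CKA_CLASS: CKO_PUBLIC_KEY, CKA_TOKEN: True,
                             CKA_ID: cka_id, CKA_LABEL: label, CKA_VALUE: public_key})
        self.objects.append({CKA_CLASS: CKO_PRIVATE_KEY, CKA_TOKEN: True,
                             CKA_ID: cka_id, CKA_LABEL: label})
        return cka_id

    def c_create_object(self, template: dict) -> int:
        """C_CreateObject: store an object from an attribute template, return its handle."""
        self.objects.append(dict(template))
        return len(self.objects) - 1

    def c_find_objects(self, template: dict) -> list:
        """C_FindObjects: handles of objects whose attributes all match the template."""
        return [h for h, obj in enumerate(self.objects)
                if all(obj.get(a) == v for a, v in template.items())]


def cert_template(cert: dict) -> dict:
    """Attribute template for an X.509 certificate object that lives on the
    token (CKA_TOKEN true) and is tied to its key pair through CKA_ID."""
    return {CKA_CLASS: CKO_CERTIFICATE, CKA_CERTIFICATE_TYPE: CKC_X_509,
            CKA_TOKEN: True, CKA_ID: make_cka_id(cert["public_key"]),
            CKA_SUBJECT: cert["subject"], CKA_ISSUER: cert["issuer"],
            CKA_LABEL: cert["label"], CKA_VALUE: cert["der"]}


def import_certificate(cert: dict, tokens: list, software_db: list):
    """The behaviour observed in the thread, as a rule: write the certificate to
    a token with C_CreateObject only if that token already holds the private key
    matching the certificate's public key.  A CA certificate has no such key on
    the card, so it goes to the software database and no PKCS#11 call is made."""
    cka_id = make_cka_id(cert["public_key"])
    for token in tokens:
        if token.c_find_objects({CKA_CLASS: CKO_PRIVATE_KEY, CKA_ID: cka_id}):
            return token.label, token.c_create_object(cert_template(cert))
    software_db.append(cert)
    return "software-db", None


def demo():
    """Replay the thread's scenario with constructed data."""
    card = Token("smartcard")
    software_db = []
    user_pub = b"constructed user RSA public key"
    card.c_generate_key_pair(user_pub, "antonio")          # enrolment: C_GenerateKeyPair
    user_cert = {"subject": b"CN=Antonio", "issuer": b"CN=Dept CA", "label": "antonio",
                 "public_key": user_pub, "der": b"<constructed user cert DER>"}
    ca_cert = {"subject": b"CN=Dept CA", "issuer": b"CN=Dept CA", "label": "dept-ca",
               "public_key": b"constructed CA RSA public key",
               "der": b"<constructed CA cert DER>"}
    user_result = import_certificate(user_cert, [card], software_db)  # -> on the card
    ca_result = import_certificate(ca_cert, [card], software_db)      # -> software db only
    # To get the CA cert onto the card anyway, call C_CreateObject directly.
    forced_handle = card.c_create_object(cert_template(ca_cert))
    return user_result, ca_result, forced_handle, len(software_db), len(card.objects)


if __name__ == "__main__":
    print(demo())
```

The last step is the practical takeaway: nothing in the PKCS#11 interface forbids a CKO_CERTIFICATE object without a matching private key, so a CA certificate can be written to the card by a client that issues C_CreateObject itself (for example OpenSC's pkcs11-tool with `--write-object` and `--type cert`), rather than through the browser's import path.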
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto