Bruno Boutteau wrote:
> Nelson B wrote:
> 
>> Bruno Boutteau wrote:
>>
>>> How can we import a PKCS #7 certificate or .cer in Firefox? It is easy
>>> with IE just click on it and accept the next OKs up to FINISH!!!
>>> Thanks in advance (Certificate was delivered on crypto smart card)

> Thanks for first answer Nelson.
> In certificate manager you can import your PKCS#12 certificate.
> In IE Import is able to import X509(.cer,.crt) certificate.

Bruno, here's some background information you should know.

When you use a certificate that identifies someone else (not you), you
only need the certificate.  When you use a certificate that identifies
you, yourself, you need a certificate AND (most importantly) a PRIVATE KEY.
The Private Key is the thing that you (your browser, your email program)
use to prove (to someone else) that you really are the rightful holder
of your own certificate.  You cannot effectively use your own personal
certificate (that identifies you) without also having the private key for
it.  If you're trying to move your own personal certificate into your
browser, you also need to move your private key with it, because your
browser cannot do anything effective with your cert unless it also has
your private key.  You never want to send your private key to anyone else.
It's private for you alone.

A .der or .cer file contains a single certificate and nothing else.
It cannot also contain a private key.  It's useful for holding someone
else's certificate.  It's also useful for sending your certificate
(without your private key) to someone else.  It's useful for importing
someone else's certificate into your browser.

A PKCS#7 file is quite different from a .der or .cer file.  It can contain
any number of certificates, and a few other things, but like a .cer or .der
file, it cannot contain any private keys.  It is useful for transporting or
importing more than one certificate at a time, but (again) you cannot
import your private key from it.  So, if you're looking to transport your
own cert and private key, a PKCS#7 file is not what you want.

A PKCS#12 file contains one or more certificates AND (most importantly)
a private key.  It's the way to transport your own personal cert and your
own private key.  It also can transport certs related to your cert, such
as the cert belonging to the issuer (or "authority") who issued your cert.

When you go into the certificate manager dialog, there are various tabs
shown there for certs belonging to different types of folks.  There's a
tab for your own personal certs.  There's a tab for other people's email
certs.  There's a tab for SSL server certs, etc.  Each tab has an import
button that attempts to import a cert for that type of entity.

When you attempt to import YOUR PERSONAL cert, certificate manager tries
to open a PKCS#12 file (also called a "pfx" file) to get your cert AND
your private key.  In that tab, cert manager will only be satisfied with
a PKCS#12 file.

When you attempt to import someone else's cert, certificate manager
does not attempt to open a PKCS#12 file.  It attempts to open a file
of any of the other types (IIRC), including PKCS7, .cer, .der, etc.

Now here are some questions for you to answer.  Please answer all these
questions:

1. If you have received a smart card with your personal certificate and
private key on it, why do you want or need to import that cert into your
browser?  "importing" a cert is done when your browser has no other way
to access your cert.  Your browser should quite happily access your cert
from your smart card, right where it is, without needing to "import" it.

2. If this is your own personal cert, why are you trying to import it
without also importing the private key?

> I just want to declare one certificate of my crypto smart card to Firefox

Why?  When you have a certificate and private key in a smart card, you
don't need to declare them or import them at all.

Firefox is able to find your certs on your smart card (if it sees the
smart card at all, which depends on having the proper software installed)
and doesn't need any separate "importing" to use certs on a smart card.

By the way, this is also true for IE.  If your smart card software is
working properly, and all the necessary software is installed, you don't
need to import any certificate files for IE to work, either.

> (Thunderbird too) but Firefox offers only PKCS#12 format for import and
> I have the certificate declaration in .cer and with Active Card manager
> I can make extraction of public information in PKCS#7 or .cer formats,
> Those formats that Firefox can't read! if I am right.....

Extracting your certificate (without your private key) into a .der, .cer
or PKCS7 file (none of which contain your private key) is (or may be) a
useful way to send a copy of your certificate, alone, to someone else.
It is not a useful way for you to get your cert and private key into your
browser and email programs, because they also need your private key.

I suspect your situation is this:
- You have a smart card with your cert and private key on it.
- Your mozilla products (FF, TB) do not see this smart card, and therefore
  do not see its cert and private key.
- You're trying to solve this problem by "importing" the cert (alone, and
  not the private key) into the mozilla products, which won't fix anything
  even if you succeed, because it won't copy the private key.

The issue is: why doesn't your browser see your smart card.
I suspect the answer is some combination of these things:
a) you do not have the necessary PKCS#11 software module for your smart
   card installed on your system, and/or
b) your mozilla products have not been configured to use that PKCS#11
   software module.

Both of those things should have been done when your smart card software
was installed.  It is possible that your smart card software vendor has
not installed the PKCS#11 software needed by mozilla products.  It is
also possible that the software was installed, but that the installer did
not then do the next step of configuring your mozilla products to use
that PKCS#11 module.

Let me suggest that you examine the documentation (if any) that came with
your smart card to see if it names the PKCS#11 software module file.
It would be a file named <something>.dll, perhaps AC<something>11.dll.
If so, and if you can find that file installed on your PC somewhere, then
there's hope that you yourself can configure your mozilla products to use
that file.  You may need to contact your smart card vendor for help
obtaining, installing and configuring the PKCS#11 software module for
their card or card reader.

-- 
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
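
Added example (not part of Nelson's message and not Mozilla or NSS code): a standard-library Python classifier that tells apart the three file types discussed above by their outer DER structure and reports whether the format can carry a private key. The function names are hypothetical and the sample byte strings are constructed skeletons, not real certificates.

```python
import base64
import re

# DER encoding of the PKCS#7 signedData content-type OID, 1.2.840.113549.1.7.2
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify(data):
    """Return (format_name, can_hold_private_key) for a certificate-related file."""
    pem = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    if pem:                              # strip PEM armor, keep the DER inside
        data = base64.b64decode(pem.group(1))
    try:
        tag, outer, _ = read_tlv(data)
        if tag != 0x30:                  # every format here is an outer SEQUENCE
            return ("unknown", False)
        first_tag, first_val, _ = read_tlv(outer)
    except (ValueError, IndexError):
        return ("unknown", False)
    if first_tag == 0x30:                # Certificate starts with tbsCertificate SEQUENCE
        return ("X.509 certificate (.cer/.der)", False)
    if first_tag == 0x06 and first_val == OID_SIGNED_DATA:
        return ("PKCS#7 SignedData (certificate bundle)", False)
    if first_tag == 0x02 and first_val == b"\x03":   # PFX starts with INTEGER version 3
        return ("PKCS#12 (.p12/.pfx)", True)
    return ("unknown", False)

# Constructed skeletons: only the outer structure is present, no real key material.
SAMPLES = {
    "other.cer": bytes.fromhex("300430003000"),
    "chain.p7b": bytes.fromhex("300d0609") + OID_SIGNED_DATA + bytes.fromhex("a000"),
    "mine.p12": bytes.fromhex("30050201033000"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        fmt, has_key = classify(blob)
        print(f"{name}: {fmt}; can carry private key: {has_key}")
```

Only the PKCS#12 case returns True, which matches why the "Your Certificates" import accepts nothing else.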
