On Jul 2, 7:28 pm, Nelson B Bolyard <nel...@bolyard.me> wrote:
Hi all,

I'll answer Mr. Bolyard's questions briefly because I think we found
the culprit. See at the bottom.

> > I have a safenet iKey 1032 token where I imported the p12 certificate.
> > In firefox (tried 2.0.x, 3.0.x and 3.5.x) I imported the safenet
> > K1PK112.DLL PKCS#11 module. In the firefox cryptography module manager I
> > now see the token and can (after entering the pin) see the certificate.
> > So firefox _can_ read the certificate off of the token.
>
> While in this state, go into Firefox's certificate manager, and look through
> the tabs to find the cert.  Tell us in which tab(s) the cert
> appears.  In particular, does it appear in the "Your Certificates" tab?

Yes it does.

> Also, in that tab, note the value in the "Security Device" column in the
> row for your certificate.

There it lists the iKey device.

> Then, Select your certificate and click the "View" button.  A Certificate
> Viewer Dialog will appear.  In that Dialog, select the "Details" tab.
> In that tab are 3 boxes or "panes", the top one of which is labeled
> "Certificate Hierarchy".  That box will contain some number of lines.
> Please copy the contents of that box (you may have to retype it by hand).
> I will explain below what to do with this information.

There is only one line, that of the user certificate.

> > But when I go to the juniper firewall website I get the error message
> > that the certificate can't be found.
>
> Where do you see this message?  Is it in a Juniper log file? Or Firefox?
> If it is a Juniper log file, can you tell from the message whether it is
> saying:
> a) That it received no certificate from the browser, or

This.

> b) That it cannot validate the certificate chain received, or
> c) That it does not recognize the validated cert as being authorized?
>
> > When I (for testing) take out the token and import the p12 certificate
> > directly into the firefox certificate store I can authenticate against
> > the juniper firewall website with user and pass and the certificate.
> > So the problem seems to be that in the crypto module manager firefox can
> > read a certificate off of a token and can't read it off when queried by a
> > website.
>
> While in this state, please repeat the steps I gave above, noting the tab of
> the certificate manager in which your certificate appears, the security
> device associated with your certificate, and the contents of the Certificate
> Hierarchy pane in the Certificate Viewer.

The difference to the above is that in the pane view it now shows the
CA and below that the user certificate.

> Then compare these two sets of results.  I suspect they will differ.
> It may be that, in one case the certificate appears in "Your Certificates"
> tab, and in the other case, it does not appear in that tab, but appears
> in some other tab.  Or, it may be that in one case the Certificate Hierarchy
> contains multiple lines (corresponding to multiple certificates) and in the
> other case, it contains fewer lines (perhaps only one).
> Or perhaps you will find both of these differences.  Or perhaps neither.
>

[...]

> 2) It may be that your certificate has a hierarchy with more than two
> certificates in it, and all of those certificates are stored in Firefox's
> software token when you import the PKCS#12 file there, but not all those
> certificates are being stored on the token when you import the PKCS#12 file
> there.  In order to be able to successfully do client cert authentication,
> Firefox needs access to the entire correct certificate hierarchy.  It cannot
> succeed if certs are missing from the hierarchy.  If you find that
> the two hierarchies seen in the steps above are different, that is the
> likely cause.  In that case, you really should try to import the missing
> certs into the token.  If you cannot do that, that is a bug in the token
> or PKCS#11 module, however, there is a workaround.  You can import the
> missing CA certs into Firefox's software token instead.

What we've found out now is this:
there is no CA certificate on the token. And it seems that firefox
needs the CA and the user certificate from the same place.
Test: we unplug the token and clean up so that no user cert or CA cert
is there. Import the p12 file.
Then we have a CA cert in the authorities tab, a user cert in the
"your certificates" tab with software store as device, and in the
details pane the CA with the user cert below it. Then the
authentication works.

If I clean up again (no user cert and CA cert there), plug in the
token I only get the user cert, no CA cert.

If I import a CA cert only into the authorities tab and plug in the
token I (naturally) have both, the CA and the user cert, BUT in the
details pane there is still only the user cert; it's NOT below the
corresponding CA cert. That's the problem.
That's why I reason that the CA and user cert have to come from the
same source, either the software storage or the token. But mixing the
stores doesn't seem possible.

My colleague is now trying to import the CA onto the token. As seen
above, the p12 file includes both the CA cert and the user cert. But if
one imports it with the safenet iKey token utility the CA cert seems to
get lost.

This seems now to be a problem with the token import utility. Do you
agree? Or should firefox accept a CA cert and user cert from different
stores?

Thanks a lot again for your help.
Regards,
Udo Puetz
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

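The thread's diagnosis is that the PKCS#12 file carries both the CA and the user certificate but the token import drops the CA, leaving Firefox unable to build the hierarchy. The following is an added example (not from the thread or from Mozilla/SafeNet): it builds a throwaway CA and user cert with the openssl CLI, exports one bundle with the CA and one without, and checks whether the user cert's issuer is actually present in each bundle, which is the check to run on a p12 before and after it goes through a token utility. The names and export password are constructed; only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example, not part of the thread: build a throwaway CA plus a user
# certificate, export two PKCS#12 files (with and without the CA), and check
# whether the user cert's issuer travels inside the bundle. Names and the
# export password are constructed; only the openssl CLI is assumed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=pass:changeit

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=user.example" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/user.pem" 2>/dev/null

# full.p12 carries leaf + CA; leaf_only.p12 is what a lossy import leaves behind
openssl pkcs12 -export -passout "$PASS" -inkey "$WORK/user.key" -in "$WORK/user.pem" \
  -certfile "$WORK/ca.pem" -out "$WORK/full.p12"
openssl pkcs12 -export -passout "$PASS" -inkey "$WORK/user.key" -in "$WORK/user.pem" \
  -out "$WORK/leaf_only.p12"

# How many certificates a PKCS#12 file holds
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Succeeds only if the issuer of the user cert is the subject of a CA cert in the bundle
p12_chain_complete() {
  rm -f "$WORK"/ca_*.pem
  issuer=$(openssl pkcs12 -in "$1" -passin "$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null)
  openssl pkcs12 -in "$1" -passin "$PASS" -nokeys -cacerts 2>/dev/null \
    | awk -v d="$WORK" '/BEGIN CERT/{n++} n{print > (d "/ca_" n ".pem")}'
  for f in "$WORK"/ca_*.pem; do
    [ -f "$f" ] || continue
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
    [ "${subj#subject=}" = "${issuer#issuer=}" ] && return 0
  done
  return 1
}

for f in full.p12 leaf_only.p12; do
  if p12_chain_complete "$WORK/$f"; then
    echo "$f: $(p12_cert_count "$WORK/$f") cert(s), issuing CA present"
  else
    echo "$f: $(p12_cert_count "$WORK/$f") cert(s), issuing CA missing"
  fi
done
```

Running the same two functions against a p12 exported back out of the token (or listing the token with the vendor tool) shows whether the CA was dropped on import, which is the situation described above.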