On 2009-07-03 04:33 PDT, Udo Puetz wrote:

> What we've found out now is this: there is no CA certificate on the
> token. And it seems that firefox needs the CA and the user certificate
> from the same place:
I don't believe it is true that Firefox requires both to be in the same token.

> If I import a CA cert only into the authorities tab and plug in the token
> I (naturally) have both, the CA and the user cert BUT in the details pane
> there is still only the user cert there, it's NOT below the
> corresponding CA cert. That's the problem.

Agreed that the problem is that Firefox does not find the CA cert, but I think more investigation is needed. I highly doubt that the matter is purely one of where the cert is loaded (though it may seem that way). I have some ideas for more tests below.

> That's why I reason that the CA and user cert have to come from the same
> source, either the software storage or the token. But mixing the stores
> doesn't seem possible.

Except that I do that all the time.

> My colleague is now trying to import the CA onto the token. As seen above
> the p12 file includes both the CA cert and the user cert.

Actually, I haven't seen evidence of that, although you did claim that when you imported the PKCS#12 file into the software token, the missing CA cert was then found present.

> But if one imports it with the safenet ikey token utility the CA cert
> file seems to get lost.

Seems to. I have a hunch that the CA certificate may have some issues that cause it to not be recognized as a CA cert. If you have a certificate that does not appear on its face to be a CA certificate, when you store it in Firefox's soft token, it can be marked with a flag that says "treat this like a CA cert, even if it's not a CA cert". This flag is known as the "Valid CA" flag. One possible explanation for what you're seeing is that the CA cert is being marked with this flag when it is imported into the softoken from the PKCS#12 file, but is not being marked with that flag when it is imported into the hardware token. Consequently, it is not seen in the Authorities tab when it is in the token. It may be in one of the other tabs.
> This seems now to be a problem with the token import utility. Do you
> agree?

Not necessarily, but perhaps. I can think of at least two explanations for the behavior you're seeing that do not imply that there is a problem with the token import utility. I can think of numerous tests that you could perform to better diagnose the problems, some of which use NSS utility programs that are not distributed with Firefox. Here are some tests you can try.

1a. Remove the token with the EE (SSL client authentication) cert.
1b. Import the PKCS#12 file into the software token again.
1c. Verify that this works (can client auth).
1d. Exit Firefox. Make sure that it's not running any more.
1e. Make a copy of cert8.db and key3.db in another folder. Let's call that folder "Pair1".
1f. Restart Firefox.
1g. Using Firefox's certificate manager, delete the EE certificate from "Your certificates" tab, but leave the CA certificate in place.
1h. Shut down and Restart Firefox, again.
1i. Insert the Token and authenticate to it (enter the token PIN).
1j. Now view the EE cert in the cert manager and see if Firefox finds the EE cert beneath the CA cert in the cert hierarchy pane.
1k. See if you can do client authentication there.

Now, most of the rest of the diagnostics steps that occur to me involve using NSS command line tools that you probably don't have and with which you probably aren't familiar. So, rather than telling you how to get them, how to install them and how to use them, I'm going to suggest that you email me one file, namely the cert8.db file that you saved in "Pair1". I want only the cert8.db file, which contains only the public certificates, and not the key3.db file that contains your private keys, or any other DB files. I don't need any private keys to do this analysis I want to do. You can email it to the address from which this email comes.

Regards,
/Nelson

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
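The hunch in the message above, that the CA cert in the PKCS#12 file may not "appear on its face" to be a CA certificate, can be checked directly on the file. The script below is an added example, not part of the thread, and uses the openssl command line (assumed installed) instead of NSS's certutil; the .p12 it inspects is constructed test data, so on a real file you would only call describe_p12_certs.

```shell
# Added example, not from the email thread: report which certificates inside a
# PKCS#12 file "appear on their face" to be CA certs (basicConstraints CA:TRUE).
# Uses the openssl CLI (assumed available) rather than NSS's certutil.
set -eu
# One line per certificate in PKCS#12 file $1 (password $2):
#   "CA:TRUE  subject=..." or "CA:FALSE subject=..."
describe_p12_certs() {
    dir=$(mktemp -d)
    # Extract the certificates only (no private key) and split them into files.
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++; f=d "/cert" n ".pem"; keep=1}
                         keep {print > f}
                         /-----END CERTIFICATE-----/ {keep=0; close(f)}'
    for c in "$dir"/cert*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        if openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then
            echo "CA:TRUE  $subj"
        else
            echo "CA:FALSE $subj"
        fi
    done
    rm -rf "$dir"
}
# Number of certificates in $1 (password $2) that assert CA:TRUE.
count_ca_certs() {
    describe_p12_certs "$1" "$2" | grep -c '^CA:TRUE' || true
}
# Constructed test data: write to $1 (password $2) a PKCS#12 file holding an
# end-entity cert, its key, and the self-signed CA (CA:TRUE) that issued it.
make_sample_p12() {
    w=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$w/ca.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$w/ee.key" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$w/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$w/ee.ext"
    openssl req -new -key "$w/ca.key" -subj "/CN=Constructed Test CA" -out "$w/ca.csr"
    openssl x509 -req -in "$w/ca.csr" -signkey "$w/ca.key" -days 1 \
        -extfile "$w/ca.ext" -out "$w/ca.pem" 2>/dev/null
    openssl req -new -key "$w/ee.key" -subj "/CN=Constructed User" -out "$w/ee.csr"
    openssl x509 -req -in "$w/ee.csr" -CA "$w/ca.pem" -CAkey "$w/ca.key" -CAcreateserial \
        -days 1 -extfile "$w/ee.ext" -out "$w/ee.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$w/ee.key" -in "$w/ee.pem" -certfile "$w/ca.pem" \
        -name user -out "$1" -passout "pass:$2"
    rm -rf "$w"
}
SAMPLE=$(mktemp)   # stand-alone run: build the sample bundle and list its contents
make_sample_p12 "$SAMPLE" changeit
describe_p12_certs "$SAMPLE" changeit
```

A CA cert that shows up as CA:FALSE here is exactly the kind that depends on the "Valid CA" trust flag being set at import time.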