On 20. 10. 2010 21:01, Nelson B Bolyard wrote:
> On 2010-10-20 09:54 PDT, Matej Kurpel wrote:
>> Hello,
>> I have set up my own CA and issued one certificate signed by this CA.
>> However, I cannot use this certificate to send signed e-mail from
>> Thunderbird. It says "Could not verify this certificate for unknown
>> reasons".
>
> PSM's infamous "for an unknown reason" error message,
> the bane of my existence for about a decade now.  See
> https://bugzilla.mozilla.org/show_bug.cgi?id=desired
>
> When any NSS function fails, NSS always provides a reason code.  But years
> ago, the manager of the group responsible for implementing the GUI for
> Mozilla's crypto security decided that error details were unimportant, and
> so, to save schedule time, he allowed his employee to do
> a very incomplete job of producing error message strings for the various
> error codes, and simply present a default string in all other cases that
> says "for an unknown reason".  We've been plagued with that ever since.
>
> In all the years since then, it has never been important to Mozilla UI
> folks to fix this.  It seems to be an entrance requirement to get into GUI
> design school.  They ask you "is security UI design important?", and if
> you say "yes", or even hesitate to say "NO!", you're out. ("HELL NO!" is
> the preferred answer.)
>
> So, here's what you do.  Use one of NSS's command line tools to verify
> your certificate chain for the email certificate usage, and see what it
> says.
Thank you, Nelson. I have downloaded the NSS utils and used certutil. I copied the *.db files from Thunderbird's profile folder to the folder in which certutil and the other utils reside, and I put both my CA certificate (ca_cert.der with subject address mekova...@spam.la) and the user certificate (cert.der with subject address mkur...@gmail.com) in the same folder.
Then I ran this to validate my user certificate:

certutil -V -n mkur...@gmail.com -u -SR -e -l -d .

It said:

certutil: could not find certificate named "mkur...@gmail.com": security library: bad database.

So, apparently the user certificate wasn't in the database. I then tried to verify the CA certificate:

certutil -V -n mekova...@spam.la -u -SR -e -l -d .

certutil: certificate is valid

Then I added the user certificate into the database and tried to verify it again:

certutil -A -n mkur...@gmail.com -t Pug -d . -i cert.der
certutil -V -n mkur...@gmail.com -u -SR -e -l -d .

certutil: certificate is valid

This looks like Thunderbird cannot find the user certificate in its database. Well, it shouldn't anyway, since it resides on the token provided by a PKCS#11 module I am developing. However, in its properties it says it couldn't verify the certificate for unknown reasons. And the CA certificate is added into the authorities correctly. Any more ideas, please?

M. Kurpel
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
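As an added example (not part of the thread, and not Nelson's or Matej's code), the script below reproduces the check Nelson suggests in a throwaway NSS database rather than in a copy of a Thunderbird profile. It generates a test CA and an S/MIME certificate issued by it, shows that verification fails while the CA carries no trust flags, succeeds for the email-signer (S) and email-recipient (R) usages once the CA is trusted, and fails for the SSL-client (C) usage because the certificate's extended key usage is emailProtection only. Note that certutil's -u option takes a single usage letter, so S and R have to be checked in two runs. It assumes the NSS command-line tools (certutil) are installed; the nicknames, subjects and password are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the certutil
# check Nelson suggests in a throwaway NSS database instead of a copied
# Thunderbird profile. Assumes the NSS tools (certutil) are installed;
# the nicknames, subjects and the password below are made up for the demo.
set -eu

CA_NICK="Example Test CA"
LEAF_NICK="alice@example.com"

# certutil -V exits 0 for "certificate is valid" and non-zero otherwise.
# -u takes ONE usage letter: S = email signer, R = email recipient,
# C = SSL client. Several usages mean several runs.
verify() {   # verify <nickname> <usage letter>
    certutil -V -n "$1" -u "$2" -e -d "$DB"
}

make_db() {  # create a CA (no trust flags yet) and an S/MIME cert it issued
    PWFILE="$DB/pw.txt"; NOISE="$DB/noise"
    printf 'test-only-password\n' > "$PWFILE"
    dd if=/dev/urandom of="$NOISE" bs=256 count=1 2>/dev/null   # key-gen entropy
    certutil -N -d "$DB" -f "$PWFILE"

    # Self-signed CA with basicConstraints CA:TRUE. "-2" asks three questions
    # (is CA? / path length / critical?) that are answered on stdin.
    # Trust ",," means: stored in the DB but not trusted for anything.
    printf 'y\n-1\nn\n' | certutil -S -d "$DB" -f "$PWFILE" -z "$NOISE" \
        -n "$CA_NICK" -s "CN=Example Test CA,O=Example" -x -t ",," \
        -k rsa -g 2048 -v 12 -m 1 -2 >/dev/null

    # End-entity cert: EKU emailProtection only, rfc822Name SAN (-7),
    # trust "u" = user certificate (we hold its private key).
    certutil -S -d "$DB" -f "$PWFILE" -z "$NOISE" \
        -n "$LEAF_NICK" -s "CN=Alice Example,O=Example" -c "$CA_NICK" -t "u,u,u" \
        -k rsa -g 2048 -v 12 -m 2 \
        --keyUsage digitalSignature,keyEncipherment \
        --extKeyUsage emailProtection -7 "alice@example.com" >/dev/null
}

# Runs the whole scenario once; prints one line per check and returns 0
# only if every check came out as expected. Result is memoised in DEMO_RC.
run_demo() {
    if [ -n "${DEMO_RC:-}" ]; then return "$DEMO_RC"; fi
    DB="$(mktemp -d)"
    trap 'rm -rf "$DB"' EXIT
    make_db
    ok=0

    # 1. CA present but untrusted: the chain ends at an untrusted self-signed cert.
    if verify "$LEAF_NICK" S >/dev/null 2>&1; then
        echo "unexpected: valid although the CA has no trust flags"; ok=1
    else
        echo "as expected: invalid while the CA has no trust flags"
    fi

    # 2. Trust the CA for SSL / email / object signing, which is what an
    #    import into Thunderbird's "Authorities" tab with all boxes ticked does.
    certutil -M -d "$DB" -n "$CA_NICK" -t "CT,C,C"
    for usage in S R; do
        if verify "$LEAF_NICK" "$usage" >/dev/null 2>&1; then
            echo "as expected: valid for usage $usage"
        else
            echo "unexpected: invalid for usage $usage"; ok=1
        fi
    done

    # 3. Wrong usage: an emailProtection-only EKU does not cover SSL client auth.
    if verify "$LEAF_NICK" C >/dev/null 2>&1; then
        echo "unexpected: valid for usage C"; ok=1
    else
        echo "as expected: invalid for usage C (certificate type not approved)"
    fi

    DEMO_RC=$ok
    return $ok
}

if command -v certutil >/dev/null 2>&1; then
    run_demo
else
    echo "certutil not found; install the NSS tools (libnss3-tools / nss-tools)" >&2
fi
```

To run the same check against a real profile there is no need to copy the *.db files: point certutil at the profile directory with -d (certutil opens it read-only for -V), using the dbm: prefix for an old cert8.db/key3.db profile. For a certificate that lives on a PKCS#11 token rather than in the profile database, first load the module into that database with modutil -add and then name the token in the lookup with certutil -h tokenname; certutil -V on a certificate it cannot find tells you nothing about the chain, as the "could not find certificate" output above shows.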