On Friday, November 23, 2018 at 12:02:57 PM UTC+1, Kai Engert wrote:
...
> > How did you learn that TB refused it?
>
> In account settings, security tab (not openpgp security tab), if you
> click a select button, does TB offer you to use that certificate?
>
The usual way: Set one of the above-mentioned email addresses in TB account settings, then choose S/MIME settings, choose Select, and a dialog appears:

Zertifikateverwaltung kann kein gültiges Zertifikat finden, das verwendet werden kann, um Ihre Nachrichten mit der Adresse <myuid>@<companydomain> digital zu unterschreiben.

(sorry for German, my current locale is set to DE.)

The same happens with <myemailname>@<companydomain>.

> If it isn't offered, your certificate doesn't have the properties that
> TB expects. It would be helpful to see a full dump of the properties of
> your certificate. Does it include a certificate key usage extension that
> allows both digital signature and data encipherment?
>

That is exactly what I am looking for: Where are the certificate requirements specified other than in TB source code? I then would like to instruct our PKI to add/change missing extensions, fields, or anticipated X500 name formats.

In general: that is one of the big shortcomings of PKI, that any software is free to define which parts of the standards it accepts and how, see Chrome's subjectAlternativeName requirement for hostnames in server certs. While MS Outlook accepts it, TB doesn't. Not much of a help when promoting PKI company-wide using multiple OS platforms.
Regards
Martin

$ openssl x509 -in <cert> -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            39:00:00:3c:54:95:ad:db:bc:c1:71:d6:08:00:00:00:00:3c:54
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = <companydomain>, CN = <companycaname>
        Validity
            Not Before: Nov 22 11:30:54 2018 GMT
            Not After : Nov 21 11:30:54 2020 GMT
        Subject: CN = <myuid>@<companydomain>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:8b:e3:76:af:14:8d:f3:eb:8c:22:53:25:af:
                    de:ca:a6:8e:0d:87:80:1a:54:41:ad:1e:85:d6:96:
                    25:c4:3e:de:f3:44:4c:47:44:43:cc:44:ba:c4:a6:
                    ae:c6:85:19:6a:79:a7:eb:24:c5:a4:72:88:d0:cf:
                    b9:c0:94:e1:ec:0b:a9:ab:80:a2:1f:0f:30:72:4e:
                    4f:bb:dd:d5:90:b3:81:2d:37:dd:98:a6:4d:a5:6b:
                    11:6a:52:05:37:a5:83:20:94:53:52:ee:02:10:79:
                    8c:e8:1f:ce:c4:dd:44:53:c6:2d:41:57:24:7a:18:
                    44:31:21:13:ef:17:45:d3:73:c7:f9:0d:bc:f0:71:
                    ec:7a:54:ce:ba:78:08:93:78:32:31:cb:f4:af:8b:
                    02:4a:69:fe:83:69:14:ee:f5:dd:6c:2e:b1:df:56:
                    a6:77:1c:ca:38:29:62:f4:a8:af:78:7c:a4:75:33:
                    2f:4f:9d:1c:ac:20:ae:f1:6b:e1:a3:02:8d:d5:a9:
                    b2:10:b6:3e:ea:7e:45:de:10:94:06:92:79:99:40:
                    41:aa:ca:70:fe:e6:83:bd:39:8f:67:05:5e:80:6d:
                    8d:20:c2:2b:58:dd:74:69:ee:62:aa:9c:94:01:95:
                    46:b7:51:89:53:65:91:7c:76:b6:3e:6d:21:06:c7:
                    b9:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0+.#+.....7.........a...5..R...(....5.)..d...
            1.3.6.1.4.1.311.21.10:
                0.0 ..+.......
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            S/MIME Capabilities:
                ......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0 ..*.H..
            X509v3 Subject Key Identifier:
                EA:CB:7D:C9:38:C9:9A:AF:17:0F:42:74:E5:68:6B:B0:4A:CA:09:49
            X509v3 Subject Alternative Name:
                DNS:vpn.<companydomain>, DNS:vpn2.<companydomain>, DNS:vpn-ro.<companydomain>, email:<myemailname>@<companydomain>
            X509v3 Authority Key Identifier:
                keyid:69:27:1E:8A:1F:66:7B:EB:45:A1:EE:DC:58:C5:FB:15:AD:EC:C0:C8
            X509v3 CRL Distribution Points:
                Full Name:
                  <hidden>
                  <hidden>
            Authority Information Access:
                CA Issuers - <hidden>
                CA Issuers - <hidden>
    Signature Algorithm: sha256WithRSAEncryption
         52:1c:7e:ff:53:4e:5a:d9:ee:36:08:23:a3:f6:ea:31:9e:cc:
         5f:a5:46:9a:f3:39:51:4f:61:48:8e:0c:86:0d:84:95:b7:02:
         95:17:2d:a4:f4:0d:37:e6:05:f4:60:1a:d4:71:fd:57:13:88:
         71:45:73:12:a5:0e:e8:e5:e3:af:b5:a1:c2:04:86:c7:83:52:
         f5:58:65:0c:ea:99:74:dc:25:f3:bb:46:ac:42:d4:d9:cb:4d:
         80:2e:f3:1c:73:3f:77:08:b2:b3:0c:0c:3f:c3:9b:db:44:47:
         d4:24:37:20:c3:df:67:22:fb:00:e2:85:5d:a2:48:ca:df:a0:
         00:d2:ae:0d:d6:54:12:28:1b:cb:64:76:58:27:d6:c0:d9:6e:
         d8:70:14:1d:8a:d4:13:ce:ee:24:03:ac:6e:64:5d:1e:9f:ad:
         50:c4:09:c0:d5:41:cf:c7:2d:6a:f5:d6:96:df:cb:ae:66:a9:
         63:24:f3:98:ea:30:d0:11:21:0b:24:d5:f3:72:fd:bc:96:73:
         32:ed:fd:63:bc:9c:4e:3a:2f:64:57:7c:d6:51:12:d0:ed:ca:
         52:b0:69:93:f3:a1:ba:58:97:ab:d9:42:2d:27:e7:f6:38:e9:
         e9:0d:89:54:c3:4d:2f:62:cf:f8:29:d3:f2:92:a6:5a:ec:05:
         98:5a:b4:a7
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
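Added example (not part of the thread, and not Thunderbird's own logic): a stdlib-only Python triage script that pulls the S/MIME-relevant fields out of an `openssl x509 -text` dump like the one in the post and, for a candidate account address, reports whether Key Usage covers signing and encryption, whether an E-mail Protection EKU is present, and whether the address appears as a SAN email name or only as the subject CN. The DUMP string is a constructed excerpt of the posted certificate, placeholders kept as on the page.

```python
import re

# Constructed excerpt of the `openssl x509 -text` output from the post
# (placeholders such as <myuid>@<companydomain> kept as on the page).
DUMP = """\
        Subject: CN = <myuid>@<companydomain>
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:vpn.<companydomain>, DNS:vpn2.<companydomain>, email:<myemailname>@<companydomain>
"""


def extension_values(dump, name):
    """Return the comma-separated values printed on the line after 'X509v3 <name>:'.
    OpenSSL prints the extension header (with an optional 'critical') on one line
    and the decoded values on the next, so we capture that next non-empty line."""
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n\s*([^\n]+)", dump)
    return [v.strip() for v in m.group(1).split(",")] if m else []


def subject_cn(dump):
    """Return the CN of the Subject line, or None if there is no CN."""
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", dump, re.M)
    return m.group(1).strip() if m else None


def smime_report(dump, address):
    """Summarise the properties an S/MIME client is likely to look at for `address`."""
    ku = extension_values(dump, "Key Usage")
    eku = extension_values(dump, "Extended Key Usage")
    san = extension_values(dump, "Subject Alternative Name")
    san_emails = [v[len("email:"):] for v in san if v.startswith("email:")]
    return {
        "can_sign": "Digital Signature" in ku,
        "can_encrypt": "Key Encipherment" in ku,
        "eku_present": bool(eku),
        # "E-mail Protection" is OpenSSL's label for id-kp-emailProtection.
        "eku_email_protection": "E-mail Protection" in eku,
        "address_in_san": address.lower() in (e.lower() for e in san_emails),
        "address_is_cn": (subject_cn(dump) or "").lower() == address.lower(),
    }


if __name__ == "__main__":
    for addr in ("<myuid>@<companydomain>", "<myemailname>@<companydomain>"):
        print(addr, smime_report(DUMP, addr))
```

Running it on the posted dump shows that the two addresses Martin tried differ only in where they appear (subject CN versus SAN), while the certificate carries a clientAuth EKU and no E-mail Protection EKU; which of these a given client requires is exactly the open question of the thread.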