importCertxxx() puts the certificate on whichever token contains the cert's private key. This is a holdover from the days of Communicator, when you would go to Verisign, generate the key, then later get the cert and import it. I don't think there's a way to do what you want with NSS. Generally, NSS performs high-level, application-specific functions and doesn't allow such fine-grained control. This way application developers who don't understand the intricacies of the NSS implementation are less likely to shoot themselves in the foot. Assen Kolov wrote: > Hi all, > > can anybody help me with that? I want to place a certificate on a > certain PKCS#11 device. I see functions to examine certificates and > keys on the token, create key pair and a certificate request using > this pair, but how do you place eventually the certificate on the same > token? The CryptoManager.importCertXXX(...) methods take no token as > argument. > > A search through the sources shows some relation between functions > like PK11_ImportCert (it seems to be the only function that actually > places a certificate on a token), PK11_ImportCertForKey, > pk11_findKeyObjectByDERCert, > PK11_ImportCertForKeyJava_org_mozilla_jss_CryptoManager_importCertPackageNative > and eventually CryptoManager.importCertPackage, and there are several > lines that give hope: > > /** > * @param noUser true if we know that none of the certs are user > certs. > * In this case, no attempt will be made to find a matching > private > * key for the leaf certificate. > */ > private native X509Certificate > importCertPackageNative(byte[] certPackage, String nickname, > > Well, maybe CryptoManager.importCertPackage will just place a > certificate on the right token, but I can not find that mentioned > anywhere in the docs. I think I will have to walk through the code > with a debugger, but I would very much appreciate any information on > the topic. > > Can someone provide some details, please?
