Thomas Eitzenberger wrote:
> The problem wasn't OCSP but was me not being logged in to my security device.
> Now I see that this is probably something I MUST do but why does mozilla
> complain about "for unknown reasons" and does not simply ask me to login
> to the security device ??
That's a bug. I'd guess it's in PSM, but might be in NSS. If you can explain how to reproduce it (without needing your exact databases), please file a bug report in bugzilla.

> Anyway the view of my certificate now states that
>
> "The certificate has been verified for the following uses:"
> SSL Client Certificate
> SSL Server Certificate
> Email Signer Certificate
> Email Recipient Certificate
>
> So this looks great now :o)

Yes. It looks better than it should. :-/

> However the same message appears when trying to encrypt a message

I'm going to rearrange your post (to which I'm replying) here a little.

You also included a copy of the cert. After looking at that, it was immediately apparent why mozilla doesn't think that's a good email cert. It contains no email address. mozilla requires that an email cert contain your email address. It also likes to see a "Common Name" in the subject name, for display purposes.

Your cert's subject contains only 4 attributes: Organization Name (which mozilla recognizes), surname and given name (which mozilla does NOT yet recognize :-( ), and some OID that I haven't found anywhere, but is the string "Z0001F0B". Is that a postal code?

So, the only part of your cert's subject name that mozilla can recognize is your organization name. If you reissue your cert with an email address (either in the subject name or in an alternative subject name extension) and a Common Name attribute in the subject name, mozilla should be happy with it.

The cert you previously forwarded, belonging to another user, a Mr. Schruef, also had no email address. If you tried to send an email to him, mozilla would find no cert with a matching email address.

So, the short story is: want email certs to work? Put email addresses in them.

There's no point in commenting on the other issues we discussed until we know whether adding the missing email addresses solves the problem. I think you're close to the solution now.
--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
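The check Nelson describes (an email cert needs an e-mail address, in the subject or in a subjectAltName, plus a Common Name) can be done with the openssl CLI before a cert is ever imported into a mail client. The script below is an added example, not code from the original thread or from NSS/PSM. It assumes the `openssl` CLI (1.1.1 or later, for `-addext`) is installed, builds two self-signed certs with constructed placeholder names, and reports which one would be usable: the "bad" cert mirrors the subject in the post (organization, surname and given name only), the "good" one adds a CN and the address in both places.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI
# (1.1.1+ for -addext). All names and addresses below are constructed placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT [SAN_EMAIL]: self-signed cert + key under $WORK.
make_cert() {
  name=$1; subj=$2; san=${3:-}
  if [ -n "$san" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$subj" \
      -addext "subjectAltName=email:$san" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$subj" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
  fi
}

# check_email_cert CERT.pem: return 0 if the cert carries both a Common Name
# and an e-mail address (subject emailAddress or a SAN rfc822Name);
# otherwise print what is missing to stderr and return 1.
check_email_cert() {
  cert=$1; ok=0
  subject=$(openssl x509 -in "$cert" -noout -subject)
  text=$(openssl x509 -in "$cert" -noout -text)
  # Subject is printed either as "/O=.../CN=..." or "O = ..., CN = ..."
  # depending on the OpenSSL version, so tolerate both spellings.
  if ! printf '%s\n' "$subject" | grep -qE '(^|[/, ])CN ?='; then
    echo "$cert: no Common Name in subject" >&2; ok=1
  fi
  if printf '%s\n' "$subject" | grep -qE 'emailAddress ?='; then
    :  # address in the subject name
  elif printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'email:'; then
    :  # address in the subjectAltName extension
  else
    echo "$cert: no e-mail address in subject or subjectAltName" >&2; ok=1
  fi
  return $ok
}

# "bad" mirrors the cert in the post: organization, surname, given name, no CN, no address.
make_cert bad  "/O=Example Org/SN=User/GN=Example"
# "good" adds a CN and puts the address in both the subject and the SAN.
make_cert good "/O=Example Org/CN=Example User/emailAddress=user@example.org" "user@example.org"

for c in bad good; do
  if check_email_cert "$WORK/$c.pem"; then
    echo "$c.pem: usable as an e-mail cert"
  else
    echo "$c.pem: NOT usable as an e-mail cert"
  fi
done
```

Run it against a real cert with `check_email_cert yourcert.pem` after sourcing the functions; the SAN check is the one that matters for certs issued by CAs that keep the subject name free of addresses.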
