Nelson B. Bolyard wrote:
> Richard Piper wrote:
>
>> I am having trouble signing email with certificates stored on the iKey
>> 2000 (OS=windows XP). The certificate/and device are visible in the
>> certificate and device manager respectively.
>>
>> However, when nominating a certificate with which to sign email (email
>> prefs), I get the error message "the certificate manager can not locate
>> a valid certificate".
>>
>> The certificates contain a valid email address. And the CA is recognized
>> and authorized for email.
>>
>> Whilst I get this problem with the iKey token, the certificates work as
>> expected if placed in the "software device".
>>
>> The problem occurs in Mozilla 1.1 and 1.2.

> Several thoughts occur, may or may not help.
>
> 1. To sign an email, you need both a certificate and the corresponding
> private key in the same PKCS#11 "token", e.g. in your ikey or in your
> "software device". If you have the cert, but not the private key, in your
> iKey then you won't be able to sign with the ikey.
Yes, it's OK. The private key is related to the certificate. In iKey, the
private key is associated with the certificate.

> 2. mozilla presently requires you to have a cert (or pair of certs) that
> is valid for BOTH signing and encryption. If you have a cert that is good
> for signing but not for encryption, and do not have a companion encryption
> cert, then mozilla will not let you use the signing cert by itself. This
> is a known issue with mozilla. There is a bug filed about it.
It's a filed bug. Well, please inform us of the item. Thanks in advance.

> 3. There is presently a limitation in mozilla (actually in NSS, the crypto
> library in mozilla) about having your personal cert (and private key) in
> more than one PKCS#11 token (device) at the same time. If you want to sign
> with your iKey, then you should not also have the cert in the "software
> device" also.
The certificate can be loaded into the object list with the specified template, and Mozilla can find it through the PKCS#11 interface (FindObjects).
But the certificate must be trusted by Mozilla (I don't know what the rule is). Otherwise, Mozilla will complain that the certificate for the mail account is not valid or trusted. Can you tell me what the matter is with this case? And what does "software device" mean?

(I think that you may be using the iKey on Windows, which is about the CSP. In Mozilla, the interface is PKCS#11 of course. The two systems are not completely different.)

best regards,
Xu Yongjiang
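The three conditions Nelson lists (key in the same token as the cert, a cert or pair covering both signing and encryption, and no copy of the cert in a second token) can be checked mechanically. The script below is an added example, not code from this thread or from NSS: it models PKCS#11 objects as plain Python records and reports which condition a token fails. The token contents are constructed to mirror the situation in the thread; on a real system the same attributes (CKA_CLASS, CKA_ID, CKA_LABEL and the certificate's keyUsage extension value) would be read from the token with C_FindObjects/C_GetAttributeValue. Pairing a certificate with its private key by CKA_ID is the usual PKCS#11 convention and is assumed here.

```python
from dataclasses import dataclass

CKO_CERTIFICATE = 0x01   # CK_OBJECT_CLASS values from the PKCS#11 spec
CKO_PRIVATE_KEY = 0x03

# Bit positions of the KeyUsage BIT STRING, RFC 5280 section 4.2.1.3
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER KeyUsage BIT STRING (tag 0x03) into named bits."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form DER BIT STRING")
    unused_bits, body = der[2], der[3:]
    if unused_bits > 7 or not body:
        raise ValueError("bad unused-bits count")
    bit_count = len(body) * 8 - unused_bits
    return {KEY_USAGE_BITS[i]
            for i in range(min(bit_count, len(KEY_USAGE_BITS)))
            if body[i // 8] & (0x80 >> (i % 8))}


@dataclass
class P11Object:
    """A minimal stand-in for a PKCS#11 object (constructed for this example)."""
    token: str              # which PKCS#11 token (slot) the object lives in
    cls: int                # CKA_CLASS
    cka_id: bytes           # CKA_ID; cert and key are paired by this value
    label: str              # CKA_LABEL
    key_usage: bytes = b""  # DER keyUsage extension value, certificates only


def diagnose(objects):
    """Return a list of findings explaining why S/MIME signing may be refused."""
    findings = []
    keys = {(o.token, o.cka_id) for o in objects if o.cls == CKO_PRIVATE_KEY}
    certs = [o for o in objects if o.cls == CKO_CERTIFICATE]

    # Point 1: the private key must sit in the same token as the certificate.
    usable = []
    for c in certs:
        if (c.token, c.cka_id) in keys:
            usable.append(c)
        else:
            findings.append(f"{c.token}: cert '{c.label}' has no private key "
                            "with the same CKA_ID; cannot sign from this token")

    # Point 2: the token needs signing AND encryption capability (one cert or a pair).
    per_token = {}
    for c in usable:
        usage = decode_key_usage(c.key_usage) if c.key_usage else set()
        caps = per_token.setdefault(c.token, set())
        if "digitalSignature" in usage or "nonRepudiation" in usage:
            caps.add("sign")
        if "keyEncipherment" in usage:
            caps.add("encrypt")
    for token, caps in per_token.items():
        if caps != {"sign", "encrypt"}:
            findings.append(f"{token}: only {sorted(caps) or 'no'} capability; "
                            "mozilla wants a cert (or pair) valid for both "
                            "signing and encryption")

    # Point 3: the same cert in more than one token at once is not supported by NSS.
    where = {}
    for c in certs:
        where.setdefault(c.cka_id, set()).add(c.token)
    for cka_id, tokens in where.items():
        if len(tokens) > 1:
            findings.append(f"cert with CKA_ID {cka_id.hex()} is present in "
                            f"{sorted(tokens)}; keep it in one token only")
    return findings


# Constructed sample: one good pair on the iKey, one orphaned cert, a copy of the
# iKey cert in the software device, and a third token holding a sign-only pair.
SAMPLE_TOKEN_OBJECTS = [
    P11Object("iKey 2000", CKO_CERTIFICATE, b"\x01", "Richard (sign+encrypt)",
              bytes.fromhex("030205a0")),      # digitalSignature + keyEncipherment
    P11Object("iKey 2000", CKO_PRIVATE_KEY, b"\x01", "Richard key"),
    P11Object("iKey 2000", CKO_CERTIFICATE, b"\x02", "orphan cert",
              bytes.fromhex("03020780")),      # digitalSignature only, no key
    P11Object("software device", CKO_CERTIFICATE, b"\x01", "Richard copy",
              bytes.fromhex("030205a0")),
    P11Object("software device", CKO_PRIVATE_KEY, b"\x01", "Richard key copy"),
    P11Object("sign-only token", CKO_CERTIFICATE, b"\x03", "signing cert",
              bytes.fromhex("03020780")),
    P11Object("sign-only token", CKO_PRIVATE_KEY, b"\x03", "signing key"),
]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_TOKEN_OBJECTS):
        print("-", line)
```

Run as-is it prints three findings: the orphaned iKey cert (point 1), the sign-only token (point 2) and the certificate duplicated between the iKey and the software device (point 3). Feeding it the real object list from a token turns Nelson's checklist into a repeatable check before touching the mail preferences.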

