Gerd Schering wrote:
> 1) I have three different certs from two distinct CAs. If I dump
> cert7.db with
>
> ./certutil -L -d $HOME/.mozilla/gerd4000/nzt72va1.slt
>
> only two show up:
>
> [EMAIL PROTECTED] ,p,
> [EMAIL PROTECTED] u,pu,u

How did you get this cert (or these certs) into the cert DB? Did you get it from an on-line certificate authority via the mozilla browser? Did you import it in a PKCS 12 file (.p12) or some other type of file? If you imported it, did the file from which you imported it specify the "nickname" (a.k.a. "friendly name") of the cert as being just the email address?

It appears that what you have here is a cert DB with two records (a "nickname" record and an SMIME profile record) that point to the same cert and have the same names. Generally, nickname records should not have just the email address as the name. SMIME profiles always have just the email address as the name. When the nickname and the SMIME profile have the exact same name, certutil uses the first one it finds.

A nickname record can point to multiple certs with the exact same subject name, but not to multiple certs with different subject names. So, if you have multiple certs with different subject names, but the same email address, and the nicknames for all those certs are just the email address, the nickname record can only point to one of those certs. The others may be in the database, but the nickname record cannot point to them all. So, nicknames should contain enough of the subject name attributes to be unique, not merely the email address.

> What do the u's in the second line mean?

The u's mean that your key3.db file has the private key that goes along with this certificate. I believe that information is generally associated with nickname records, and not with SMIME profiles.

> If I try to examine the certs with
>
> ./certutil -L -n [EMAIL PROTECTED] -d
> HOME/.mozilla/gerd4000/nzt72va1.slt
>
> only one cert gets displayed.
> Where are the others?

I think this is because all the certs were given the same nickname, which was just the email address. If each cert was given a different nickname, they would each appear on separate lines.
The question is, what piece of software caused all the certs to have the same nickname? That should be fixed, IMO.

> Thanks for your answers,
> Gerd

--
Nelson B
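Added example, not part of the thread: a small parser for the `certutil -L` listing format discussed above, which decodes the three trust-flag columns (so "u,pu,u" reads as user cert with a private key in the key DB, valid S/MIME peer) and flags nicknames that are a bare e-mail address, the situation Nelson describes where the nickname record collides with the SMIME profile record. The listing text and address are constructed placeholders.

```python
import re

# Constructed sample, modelled on the listing quoted in the thread.
# The address is a placeholder, not the poster's real data.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

gerd@example.invalid                                         ,p,
gerd@example.invalid                                         u,pu,u
Example CA Root                                              CT,C,C
"""

TRUST_COLUMNS = ("SSL", "S/MIME", "object signing")
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA for this usage",
    "T": "trusted CA to issue client certs",
    "u": "user cert (private key present in key DB)",
}
TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_listing(text):
    """Return (nickname, trust_flags) pairs from a certutil -L listing.
    The trust string is the last whitespace-separated token; the nickname
    is everything before it, since nicknames may contain spaces."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header, blank or column-label lines
        entries.append((parts[0].rstrip(), parts[1]))
    return entries


def decode_trust(flags):
    """Map each of the three comma-separated columns to its flag meanings."""
    return {col: [FLAG_MEANING[f] for f in field]
            for col, field in zip(TRUST_COLUMNS, flags.split(","))}


def has_private_key(flags):
    """A 'u' in any column means the key DB holds the matching private key."""
    return "u" in flags


def email_only_nicknames(entries):
    """Nicknames that are a bare e-mail address: these share their name with
    the SMIME profile record and cannot distinguish several certs."""
    return sorted({nick for nick, _ in entries if EMAIL_RE.match(nick)})
```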
