> I'm endeavouring to automate the installation of certificates into NS4.75+, NS6+ and NS7+ under various Windows flavours using the nss-3.6 binaries built for NS4 and NS6, and the nss-3.8 binaries built for NS7. These appear to be appropriate builds for the NS databases (NS4=cert7, NS6=cert7 and NS7=cert8). [snip]
> I delete the three .db files, use modutil to create new files and then change the password.
Why modutil? Typically one would create new files and set the password with the command certutil -N -d ...
> Then when I fire up Netscape and install the certificates from within the browser,
Please explain what exactly you mean by "install the certificates from within the browser". Are you importing pfx files from IE? or are you getting certs directly from a cert server? or what?
> here's what I get (trimming out all but the relevant entries):
> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -L -d "C:\Program Files\Netscape\Users\leigh_harrison"
> ... snip ...
> MyClient Root CA - MyClient Limited c,c,c
> privateKey u,pu,u
> MyClient HMSCert CA - MyClient Limited c,c,c
> privateKey u,pu,u
Are you sure those are lower case "c", and not upper case "C"?
> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -K -d "C:\Program Files\Netscape\Users\leigh_harrison" -k "all" -f "dbpassword.txt"
> <0> privateKey
> <1> privateKey
Based on that output, I'd say you were using N4.x for that example, yes?
> This works fine and I can connect to the issuer's site without problems.
> If I then delete the three .db files again, recreate them, change the password and perform the following sequence programmatically, I get this:
> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>pk12util -i "c:\Projects\Certs\hms.user.blkcoff.cipher.pfx" -d "C:\Program Files\Netscape\Users\leigh_harrison" -W "userpassword" -K "dbpassword"
> -h "NSS Certificate DB"
> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>pk12util -i "c:\Projects\Certs\hms.user.blkcoff.signature.pfx" -d "C:\Program Files\Netscape\Users\leigh_harrison" -W "userpassword" -K "dbpassword"
> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -L -d "C:\Program Files\Netscape\Users\leigh_harrison"
> ... snip ...
> MyClient Root CA c,c,
> privateKey u,u,u
> MyClient HMSCert CA c,c,
> privateKey u,u,u
Same question about the case of "c".
What does the browser's certificate manager show about these user certs? Do they appear in the list of "your" certs? Do they appear valid for SSL?
> C:\Projects\MyClient\NS utils\NSInstaller\NS4_NT4>certutil -K -d "C:\Program Files\Netscape\Users\leigh_harrison" -k "all" -f "dbpassword.txt"
> <0> privateKey
> <1> privateKey
That surprises me. That looks like the output for a key3.db file created by N4.x, not by the command line utilities. This makes me wonder certain things, such as:
a) are you certain that you deleted all 3 files, including key3.db, before reimporting the certs?
b) did you possibly leave the browser running while you did these steps?
It's vital that only one program at a time be using the DB files. You must not run the browser and any of the command line tools at the same time. If you did that, then I suggest you start over and be careful not to do that. It's not enough to see the browser windows go away. Check the list of running processes and make sure the process is gone.
> If I compare the detailed entries between the browser and programmatically-entered certificates at this point, almost everything matches. The keys are identical. The only significant differences (I thought) are the ones obvious above: Object signing flags: for the MyClient entries lacks "Valid CA", and Email flags: for privateKey lacks "Valid Peer".
I don't believe any of these things are relevant to your test. Your test was for SSL client authentication, so only the flags before the first comma are relevant. There's no point in trying to change those things, IMO, so I'll snip your discussion of the attempt to change those flags.
> But! I can't get to that second privateKey entry because there are two with the same name.
That change is unnecessary.
> Nor can I find a way to massage the names of the "MyClient" certificates.
When you import a cert with pk12util, the cert's "nickname" (a.k.a. "friendly name") is taken directly from the pkcs12 (pfx) file, and cannot be changed. In general, a cert's nickname cannot be changed after it is imported, regardless of how it was imported.
> When I try to connect to the issuer's website using these programmatically-entered certificates, I first get a popup from the browser saying
> No User Certificate
> The site 'secure.MyClient.net' has requested client authentication, but you do not have a Personal Certificate to authenticate yourself. The site may choose not to give you access without one.
Assuming that you were testing with the same server both times, and its configuration did not change, the problem must be that the browser does not find one of the necessary components, including: 1) the user's cert, 2) the complete chain of CA certs for the user's cert, 3) the private key for the user's cert.
The browser's display of certs is the most reliable way to see what it sees. You should see your two user certs in the list of "your" certs, and the CA certs in the list of "signer" certs (assuming you're using N4.x).
Also, I wonder if you might have imported different CA certs the second time. Check the full subject and issuer name of each cert. Check the issuer name against the subject name of the issuing CA cert. Make sure you have the right CA certs in the chain.
-- Nelson B
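The diagnostic Nelson describes (read the `certutil -L` trust attributes, look only at the SSL column for client auth, mind the case of "c", and note that only a "u" entry has a private key behind it) can be scripted. The following is an added example written for this thread, not code from either poster or from NSS; it assumes the two-column listing layout shown above ("nickname  ssl,email,objsign") and uses the documented certutil trust letters. The two sample listings are constructed to mirror the two cases in the post.

```python
"""Parse `certutil -L` output and report what an NSS DB holds for SSL client auth.

Added example for this thread (not NSS code). Assumes the listing layout
"nickname   ssl,email,objsign" as shown in the quoted output; sample input
below is constructed to mirror the two listings in the post.
"""
import re
from collections import Counter

# certutil trust-flag letters (from the certutil documentation).
TRUST_LETTERS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA (issues server certs)",
    "T": "trusted CA (issues client certs)",
    "u": "user cert (private key present)",
}

# One listing line: a nickname, whitespace, then three comma-separated flag groups.
LINE_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)

# Constructed sample: the browser-imported listing from the post.
BROWSER_IMPORT = """\
... snip ...
MyClient Root CA - MyClient Limited          c,c,c
privateKey                                   u,pu,u
MyClient HMSCert CA - MyClient Limited       c,c,c
privateKey                                   u,pu,u
"""

# Constructed sample: the pk12util-imported listing from the post.
PK12UTIL_IMPORT = """\
... snip ...
MyClient Root CA                             c,c,
privateKey                                   u,u,u
MyClient HMSCert CA                          c,c,
privateKey                                   u,u,u
"""


def parse_certutil_list(text):
    """Return [(nickname, (ssl_flags, email_flags, objsign_flags)), ...]."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, "... snip ...", blank lines
        ssl, email, objsign = m.group("trust").split(",")
        entries.append((m.group("nick").strip(), (ssl, email, objsign)))
    return entries


def describe_flags(flags):
    """Spell out one flag group, e.g. 'pu' -> ['valid peer', 'user cert ...']."""
    return [TRUST_LETTERS[ch] for ch in flags if ch in TRUST_LETTERS]


def check_client_auth(text):
    """Diagnose client-auth readiness from the SSL column only.

    Only the flags before the first comma matter for SSL client auth, so the
    email and object-signing columns are ignored here on purpose.
    """
    entries = parse_certutil_list(text)
    user_certs = [n for n, (ssl, _, _) in entries if "u" in ssl]
    ca_certs = [n for n, (ssl, _, _) in entries if set(ssl) & {"c", "C", "T"}]
    # Lowercase "c" only: the CA cert is present and valid but not trusted.
    merely_valid = [n for n, (ssl, _, _) in entries
                    if "c" in ssl and not set(ssl) & {"C", "T"}]
    dupes = sorted(n for n, cnt in Counter(n for n, _ in entries).items() if cnt > 1)
    return {
        "user_certs": user_certs,
        "ca_certs": ca_certs,
        "ca_valid_but_untrusted": merely_valid,
        "duplicate_nicknames": dupes,
        # A user cert (with its key) plus at least one CA cert in the chain.
        "client_auth_possible": bool(user_certs) and bool(ca_certs),
    }


if __name__ == "__main__":
    for label, listing in (("browser", BROWSER_IMPORT), ("pk12util", PK12UTIL_IMPORT)):
        report = check_client_auth(listing)
        print(label, report)
        for nick, (ssl, _, _) in parse_certutil_list(listing):
            print("  SSL column for", repr(nick), "->", describe_flags(ssl))
```

Run it against a real listing by piping `certutil -L -d <dbdir>` output into `check_client_auth`. Two duplicate "privateKey" nicknames are reported but, as the reply says, are not a problem in themselves; the thing to look at is whether a "u" entry exists and whether the CA entries in the SSL column are present at all, before worrying about "c" versus "C".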
