Thanks for your brain power, but I found a combination that works.
That's encouraging!
I used the Mozilla 1.6 browser to create a new profile and load the PKCS#11 provider, used the command line tools from NSS 3.9 to add the CA's self signed certificate to the database, and now all of the certificates and their signatures will verify (via certutil.exe -V).
Moz 1.6 uses NSS 3.9, IINM. So, it's encouraging to know that a set of DBs built from the same release solves the problem.
Previously I used modutil.exe to create the database files and load the PKCS#11 provider, but certutil -V wouldn't verify the signature on any certificate whenever the smart card was plugged in.
What version of modutil did you use for that?
When modutil creates a set of DBs, it doesn't initialize the key DB the same as certutil does, which is why I always encourage people to create their DBs with certutil (or mozilla), and then use modutil to modify them, not to create them. But the content of the key3.db file shouldn't negatively impact NSS's ability to verify a cert chain.
Perhaps modutil and certutil initialize the secmod DB differently. That *could* affect the ability to verify a cert chain.
I'd very much like to have copies of both sets of cert, key, and secmod DB files, the set that didn't work, and the set that did work. Perhaps a detailed comparison of the two would reveal something.
If you email that to me, please do NOT email me the password that protects the key3.db. I don't want to compromise your keys.
/Nelson
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
