Nicola Gaggi wrote:

In other words, the SSL code in the browser wasn't able to extract a valid
public key from the server's certificate.

The problem is client side. The certificate stored on the card does not have the ns certtype extensions. Mozilla seems to recognize only certificates with these extensions set and not the widely used standard extension emailprotection (OID: 1.3.6.1.5.5.7.3.4) and clientAuth (OID: 1.3.6.1.5.5.7.3.2), as Navigator did.

The error code you gave, -12221, is a very specific error code. It means that Mozilla had a certificate (could be your certificate, could be the server's certificate), and could not get the public key out of the certificate. That particular error is not caused by the presence or absence of extensions. Extensions play a role in the selection of certificates and the validation of certificate chains, but not in the extraction of public keys from the cert. You can't get this error code unless the cert has been found/selected.

This error usually means that there was a problem with the ASN.1
encoding of the cert, or that the key values extracted were invalid
or unsupported in some way, e.g. being for an unsupported public
key algorithm.

Perhaps your cert's subjectPublicKeyInfo component has the wrong OID
for the public key algorithm?

Or perhaps you really got some other error code?

Was your cert perhaps using a DSA public key rather than RSA?

Thank you anyway for your help.

Please post any followup messages to netscape.public.mozilla.crypto. The crypto people read that group more than this one.

--
Nelson B
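
The check suggested in the reply above (which public key algorithm OID the cert's subjectPublicKeyInfo carries, and whether the ASN.1 encoding holds together), as an added example that is not part of the original thread and not NSS code. It assumes a DER-encoded certificate with the RFC 5280 field order; the function names, the `KNOWN` table and the constructed `sample_cert` skeleton are illustrative.

```python
# Added example, not NSS code: key algorithm OID from a DER cert's subjectPublicKeyInfo.
KNOWN = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10040.4.1": "id-dsa"}

def read_tlv(buf, pos, end):
    """Parse one DER TLV inside buf[pos:end]; return (tag, val_start, val_end)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("TLV overruns its container")
    return tag, pos, pos + length

def children(buf, start, end):               # TLVs directly inside a constructed value
    out = []
    while start < end:
        out.append(read_tlv(buf, start, end))
        start = out[-1][2]
    return out

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40, 0]  # valid for first arc 0 or 1
    for b in body[1:]:
        arcs[-1] = (arcs[-1] << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear: sub-identifier ends
            arcs.append(0)
    return ".".join(map(str, arcs[:-1]))

def key_algorithm(cert):                     # -> (dotted OID, name or "unknown")
    tag, s, e = read_tlv(cert, 0, len(cert))           # Certificate
    tbs = children(cert, s, e)[0]                      # tbsCertificate
    fields = [f for f in children(cert, tbs[1], tbs[2]) if f[0] != 0xA0]  # skip [0] version
    spki = fields[5]                                   # follows serial .. subject
    alg = children(cert, spki[1], spki[2])[0]          # AlgorithmIdentifier
    oid = children(cert, alg[1], alg[2])[0]
    if tag != 0x30 or oid[0] != 0x06:
        raise ValueError("not a certificate or no algorithm OID")
    dotted = decode_oid(cert[oid[1]:oid[2]])
    return dotted, KNOWN.get(dotted, "unknown")

def sample_cert(oid_body):                   # constructed skeleton cert, demo input only
    t = lambda tag, body=b"": bytes([tag, len(body)]) + body
    spki = t(0x30, t(0x30, t(0x06, oid_body) + t(0x05)) + t(0x03, b"\x00"))
    tbs = t(0x30, t(0xA0, t(0x02, b"\x02")) + t(0x02, b"\x01") + t(0x30) * 4 + spki)
    return t(0x30, tbs + t(0x30) + t(0x03, b"\x00"))
```

On a real certificate, pass the raw DER bytes to `key_algorithm`; a PEM file has to be base64-decoded first.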



