Re: Step-by-step instructions on creating test email certificates

2008-02-22 Thread Nelson Bolyard
Neil wrote, On 2008-02-22 03:05:
 Here is what I got to work, loosely based on instructions from Kai Engert:
 
 cvs -d :pserver:[EMAIL PROTECTED]/cvsroot co mozilla/nsprpub mozilla/security/nss mozilla/security/coreconf mozilla/security/dbm mozilla/dbm
 make -C mozilla/security/nss nss_build_all
 
 Then, in the profile directory run these commands:
 
 certutil -d . -S -n example-ca -s CN=ExampleCA,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US -t C,C,C -x -m 0 -w -3 -v 99 -5
 certutil -d . -S -n user -s CN=User,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US -c example-ca -t p,p,p -m 40 -v 60 -5
 
 I was then able to create an additional identity for [EMAIL PROTECTED] 
 and specify that certificate for signing/encryption.

That user cert you created doesn't have an email address in it.
Consequently, there is no way for the identity configuration code to
automatically identify it as a candidate for the identity.
The code that configures certs for the identity (and presents certs to
the user, if a choice is necessary) should give preference to certs
with an email address that matches the identity's email address.

There are two ways to add an email address to your user cert,
the modern standards-compliant way, and the old de-facto standard way.

Modern way:
  Add to your command line this additional option:
-7 [EMAIL PROTECTED]

Old way:
  Prepend this to your cert subject name (before the CN=)
   [EMAIL PROTECTED],

I suggest you try both (in separate certs).

Oh, and one question.  Is that p,p,p really necessary?
The 'p' override flags should not be necessary.  Please try -t ,,.

/Nelson
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
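
Added example, not part of the original messages: a non-interactive script that issues one user certificate per way of carrying the address (the -7 option, and the MAIL and E subject attributes named in this thread), using the -t ,, trust setting, so the stored certificates can be compared. The address user@example.test, the database path, the user-* nicknames and the noise file are assumptions; the interactive -5 prompt and the -w -3 option from the original commands are left out.

```sh
#!/bin/sh
# Added example, not from the thread. EMAIL, the db directory and the
# user-* nicknames are constructed for illustration.
set -eu
EMAIL="user@example.test"
CA_SUBJ="CN=ExampleCA,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US"
USER_SUBJ="CN=User,O=ExampleOrg,L=ExampleLoc,ST=ExampleState,C=US"

# Emit the certutil arguments (one per line) that put EMAIL into a user cert.
#   san  : rfc822Name in the subject alternative name, via -7
#   mail : MAIL attribute prepended to the subject name
#   e    : E attribute prepended to the subject name
user_cert_args() {
  case "$1" in
    san)  printf '%s\n' -s "$USER_SUBJ" -7 "$EMAIL" ;;
    mail) printf '%s\n' -s "MAIL=$EMAIL,$USER_SUBJ" ;;
    e)    printf '%s\n' -s "E=$EMAIL,$USER_SUBJ" ;;
    *)    echo "unknown variant: $1" >&2; return 1 ;;
  esac
}

# Build a throwaway database holding the test CA and one user cert per variant.
make_test_certs() {
  db=$1
  serial=40
  mkdir -p "$db"
  # -z reads key-generation seed data from a file instead of the keyboard.
  dd if=/dev/urandom of="$db/noise" bs=64 count=1 2>/dev/null
  certutil -N -d "$db" --empty-password
  certutil -S -d "$db" -n example-ca -s "$CA_SUBJ" -t C,C,C -x -m 0 -v 99 \
    -z "$db/noise"
  for variant in san mail e; do
    # The arguments contain no whitespace, so word splitting is safe here.
    certutil -S -d "$db" -n "user-$variant" $(user_cert_args "$variant") \
      -c example-ca -t ,, -m "$serial" -v 60 -z "$db/noise"
    serial=$((serial + 1))
  done
}

# Print one stored certificate so the location of the address can be inspected.
show_cert() { certutil -L -d "$1" -n "user-$2"; }
```

Run `make_test_certs ./testdb` in an empty scratch directory, then `show_cert ./testdb san` (or `mail`, `e`) to see whether the address sits in the subject alternative name or in the subject.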


Re: Step-by-step instructions on creating test email certificates

2008-02-22 Thread Neil
Nelson Bolyard wrote:

 That user cert you created doesn't have an email address in it.

Sorry, my bad; I couldn't cut and paste and I overlooked the 
[EMAIL PROTECTED], in the command line for the email cert.

 I suggest you try both (in separate certs).

They both seem to work, but I like the cert the modern way produces best.

 Oh, and one question.  Is that p,p,p really necessary?
 The 'p' override flags should not be necessary.  Please try -t ,,.

Yes, that seems to work too.

-- 
Warning: May contain traces of nuts.


Re: Step-by-step instructions on creating test email certificates

2008-02-22 Thread Nelson Bolyard
Neil wrote, On 2008-02-22 06:38:
 Nelson Bolyard wrote:
 
 That user cert you created doesn't have an email address in it.
 
 Sorry, my bad; I couldn't cut and paste and I overlooked the 
 [EMAIL PROTECTED], in the command line for the email cert.

Ah, yes, that's yet a third way, even older than the old way. :)
The E attribute identifier was never adopted by the IETF.
They adopted the MAIL attribute instead.

 I suggest you try both (in separate certs).
 
 They both seem to work, but I like the cert the modern way produces best.
 
 Oh, and one question.  Is that p,p,p really necessary?
 The 'p' override flags should not be necessary.  Please try -t ,,.
 
 Yes, that seems to work too.

Thanks for testing.  Glad it worked for you.

/Nelson


Re: Step-by-step instructions on creating test email certificates

2008-02-21 Thread Neil
Nelson B Bolyard wrote:

Neil wrote, On 2008-02-20 16:33:
  

It seems that building SeaMonkey will include certutil 


Do SM builds build all the NSS commands?  That seems like a big waste.
  

Sorry, I hadn't looked closely enough, I see that I have the source, but 
the first step would be to build certutil ;-)

Would someone mind providing a command line that will do the job, preferably 
installing the certificate directly into my test profile (with the test email 
address [EMAIL PROTECTED])!


Tell us a little more about the certs you want.
Self signed?
  

Self signed is fine; I'm not actually going to send mail with them, I 
just need to test the UI!

-- 
Warning: May contain traces of nuts.


Re: Step-by-step instructions on creating test email certificates

2008-02-20 Thread Nelson B Bolyard
Neil wrote, On 2008-02-20 16:33:
 I've been asked to review a patch that enhances the multiple identity UI 
 in Thunderbird/SeaMonkey by allowing email certificates to be selected 
 on a per-identity basis, rather than just for the main identity.
 
 It seems that building SeaMonkey will include certutil 

Do SM builds build all the NSS commands?  That seems like a big waste.

 which looks as if it is more than capable of the task but unfortunately
 the raft of options make no sense at all to me nor was I able to find any
 examples of creating email certificates.

 Would someone mind providing a command line that will do the job, 
 preferably installing the certificate directly into my test profile 
 (with the test email address [EMAIL PROTECTED])!

Tell us a little more about the certs you want.
Self signed?
Issued by a CA?
The rest we can probably guess.

/Nelson


Re: Step-by-step instructions on creating test email certificates

2008-02-20 Thread Eddy Nigg (StartCom Ltd.)
Nelson B Bolyard wrote:
 Neil wrote, On 2008-02-20 16:33:
   
 I've been asked to review a patch that enhances the multiple identity UI 
 in Thunderbird/SeaMonkey by allowing email certificates to be selected 
 on a per-identity basis, rather than just for the main identity.

 It seems that building SeaMonkey will include certutil 
 

 Do SM builds build all the NSS commands?  That seems like a big waste.
   
Funny, but I mailed Neil privately with some suggestions, but I'd be 
really interested to know about which bug this is. Especially also what 
is meant by per-identity basis compared to main identity. Just to get 
the feeling about what this is about...


-- 
Regards 
 
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog:   Join the Revolution! http://blog.startcom.org
Phone:  +1.213.341.0390
 



Re: Step-by-step instructions on creating test email certificates

2008-02-20 Thread Nelson Bolyard
Eddy Nigg (StartCom Ltd.) wrote, On 2008-02-20 18:39:
 Nelson B Bolyard wrote:
 Neil wrote, On 2008-02-20 16:33:
   
 I've been asked to review a patch that enhances the multiple identity UI 
 in Thunderbird/SeaMonkey by allowing email certificates to be selected 
 on a per-identity basis, rather than just for the main identity.

 It seems that building SeaMonkey will include certutil 
 
 Do SM builds build all the NSS commands?  That seems like a big waste.
   
 Funny, but I mailed Neil privately with some suggestions, but I'd be 
 really interested to know about which bug this is. 

Not sure, but I think it's this bug:
Bug 252250 – Incorrect handling of S/MIME keys with multiple identities
(need UI for per-identity cert settings)
