Dave Pinn wrote:
> I'm newish to security issues, so be gentle with me.
>
> I bought a digital certificate, and installed it on my TPM chip. I have
> loaded the relevant PKCS #11 module in Thunderbird; however, the
> certificate on my TPM chip does not appear in Thunderbird's Certificate
> Manager.
Have you looked in all of cert manager's tabs?

> I know that Thunderbird is accessing the PKCS#11 module,
> because it asks me for my TPM password when I open Certificate Manager.

Your cert won't show up in "Your certificates" unless TBird can also find
the private key as a PKCS#11 object, with the same CKA_ID value as the cert
(and/or public key) object(s). If you find your cert in one of the other
tabs, it means that TB couldn't find the private key that corresponds to
your cert.

> After reading the posts in this group, I checked that the certificate
> has a nickname (Yes).

Modern certificates contain data elements called extensions. There are
"well known" extensions, that everybody uses, and there are other
extensions, less well known, and there may be extensions completely unknown
to TBird. Extensions may be marked "critical" (or not). When an extension
is marked critical, this tells the relying software (such as
mozilla/FF/TB) "Don't use this certificate at all, unless you fully
understand the format and meaning of this extension". So, if your cert has
an unknown critical extension, mozilla/FF/TB will ignore it.

Best bet is to get a formatted listing of the certificate itself, showing
all the extensions and their criticality. pk11util's new -l (ell, for
list) option would show you ALL the necessary info to debug this issue, I
think.

> I'm wondering if it could have something to do with certificate
> purposes: my certificate says that it is intended for "All application
> policies", but doesn't specifically list e-mail signing as an intended
> purpose.

That might cause the cert to be listed as unverified, or even invalid, but
should not cause the cert to disappear completely.

> I don't have to import the certificate into Thunderbird separately, do
> I? I mean, it should stay in the TPM, and Thunderbird should be able to
> see it, right?

Depends on the intended uses of the cert, and whether TBird has any
matching uses.
--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
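The CKA_ID pairing rule Nelson describes (a cert object is only usable when a private-key object on the same token carries the same CKA_ID) is easy to check by hand. The script below is an added example, not part of the original thread and not NSS or Thunderbird code. It implements the pairing check over a list of object-attribute dictionaries; the sample token contents are constructed to show the failure mode from the question (a cert whose private key was written with a different CKA_ID). The optional `load_token_objects` helper reads the same three attributes from a real module through the third-party PyKCS11 package, which is assumed to be installed; the module path, PIN and slot index are hypothetical and must be supplied by the caller.

```python
"""Pair PKCS#11 certificate objects with private keys by CKA_ID.

Added example (not from the mailing-list post). Mirrors the rule that a
certificate only shows up as "Your certificate" when a private-key object
with the same CKA_ID exists on the token.
"""
from collections import defaultdict

# PKCS#11 CKO_* object-class values (same numbers PyKCS11 exposes).
CKO_CERTIFICATE = 0x1
CKO_PUBLIC_KEY = 0x2
CKO_PRIVATE_KEY = 0x3

# Constructed sample token contents: three objects per "good" identity,
# a cert whose key was stored under a different CKA_ID, and a CA cert
# that legitimately has no key at all.
SAMPLE_TOKEN = [
    {"class": CKO_CERTIFICATE, "label": "dave email cert", "id": b"\x01"},
    {"class": CKO_PRIVATE_KEY, "label": "dave key", "id": b"\x02"},  # mismatch
    {"class": CKO_CERTIFICATE, "label": "working cert", "id": b"\xaa\xbb"},
    {"class": CKO_PUBLIC_KEY, "label": "working pub", "id": b"\xaa\xbb"},
    {"class": CKO_PRIVATE_KEY, "label": "working priv", "id": b"\xaa\xbb"},
    {"class": CKO_CERTIFICATE, "label": "issuer ca cert", "id": b""},
]


def pair_certs_with_keys(objects):
    """Return {cert label: status} for every certificate object.

    status is "usable" (a private key shares the CKA_ID), "no_private_key"
    (cert has an ID but nothing private matches it) or "no_id" (empty
    CKA_ID, typical for CA certs that never had a key on the token).
    """
    private_ids = {o["id"] for o in objects if o["class"] == CKO_PRIVATE_KEY}
    report = {}
    for obj in objects:
        if obj["class"] != CKO_CERTIFICATE:
            continue
        if not obj["id"]:
            report[obj["label"]] = "no_id"
        elif obj["id"] in private_ids:
            report[obj["label"]] = "usable"
        else:
            report[obj["label"]] = "no_private_key"
    return report


def orphan_private_keys(objects):
    """Labels of private keys with no certificate sharing their CKA_ID.

    An orphan next to a "no_private_key" cert usually means the cert was
    imported with a fresh CKA_ID instead of the key's existing one.
    """
    by_id = defaultdict(set)
    for obj in objects:
        by_id[obj["id"]].add(obj["class"])
    return [
        o["label"]
        for o in objects
        if o["class"] == CKO_PRIVATE_KEY and CKO_CERTIFICATE not in by_id[o["id"]]
    ]


def load_token_objects(module_path, pin, slot_index=0):
    """Read class/label/CKA_ID from a real token via PyKCS11 (assumed installed).

    Log in first: most tokens hide private-key objects from an
    unauthenticated session, which would make every cert look orphaned.
    """
    import PyKCS11  # assumption: `pip install PyKCS11`

    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    session = lib.openSession(slot)
    session.login(pin)
    objects = []
    try:
        for handle in session.findObjects():
            cls, label, ckid = session.getAttributeValue(
                handle, [PyKCS11.CKA_CLASS, PyKCS11.CKA_LABEL, PyKCS11.CKA_ID]
            )
            objects.append({"class": cls, "label": label, "id": bytes(ckid or ())})
    finally:
        session.logout()
        session.closeSession()
    return objects


if __name__ == "__main__":
    for label, status in pair_certs_with_keys(SAMPLE_TOKEN).items():
        print(f"{label:20s} {status}")
    print("orphan private keys:", orphan_private_keys(SAMPLE_TOKEN))
```

Run it against a real module with `pair_certs_with_keys(load_token_objects("/path/to/module.so", "pin"))`; a cert reported as `no_private_key` next to an orphan key is the situation where Thunderbird files the cert under another tab rather than "Your certificates".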