Dave Pinn wrote:
> Nelson Bolyard wrote:
>> A week after applying for his certificate, he downloaded the certificate
>> onto the same desktop box where he had generated the CSR, which combined
>> the cert and private key in the same mozilla softoken module. Then he
>> "exported" the cert and private key into a PKCS#12 file, which he then
>> imported onto the notebook. That's how I read the description.
>>
>> Dave, if I misunderstood, please jump in here. :)
>
> It was as you have described, Nelson. The purchase process took me
> through a wizard-like sequence of pages; at one step in that process,
> the keys were generated and installed in Firefox. I don't know the
> mechanics of how the keys were generated; I assume that it happened in
> Firefox,

Yes, I'm rather certain it did.

> but perhaps they were generated on the GateKeeper (CA) server
> and downloaded into Firefox - could a web site initiate key generation
> inside Firefox?

Yes. There are two ways to do it: a magic html tag <keygen> and a
javascript method (which is more flexible).

> I am perplexed by something: the export-to-file wizard in ProtectTools
> offers the user several file formats: DER encoded binary X.509 (.cer),
> Base-64 encoded X.509 (.cer), Cryptographic Message Syntax Standard
> (.p7b), and PKCS#12 (.pfx). That last option, the PKCS#12 option, is
> always greyed out (unavailable); why? Might it be that .pfx requires
> that the private key be exported too?

pfx files are PKCS#12 files, also known as .p12 files. The PKCS#12
standard does not require that private keys be included. But the main
incentive to use PKCS#12 (as opposed to any of the other formats you
named above) is to be able to transport certs and private keys together
in one package. Most users think of p12 files as being their private key
files. I think most users think that if they can export their cert into
a .p12 file, they will then be able to import that .p12 file and get
both their private key and cert out of it. So, I imagine the reason that
this tool won't let you export a cert to pfx without the private key is
to avoid later confusion when the user finds there's no private key in
his .p12 file. I believe that Windows' certificate manager does the same
thing, not allowing you to export to a pfx file when the private key has
been marked unexportable.

> I notice that in one scenario, the one where the private key is marked
> 'not available' in ProtectTools, there appears a button in the
> Certificate Viewer, labelled 'Install Certificate...'.
>
> Naturally, I push the button.
>
> I am led through the Certificate Import Wizard, whose introduction says,
> "This wizard helps you copy certificates, certificate trust lists, and
> certificate revocation lists from your disk to a certificate store."

I think it's odd that it says "from your disk". That's pretty vague.
But it's pretty clear to me that the "certificate store" to which it is
referring is Windows' OS aggregated cert store.

> I click Next
>
> I am asked to select a system area for storage of the certificate. I
> select "Determine automatically based on the type of certificate".

Windows has numerous places to store certificates. These are sometimes
known as "physical stores". Some of them are in various places in the
registry. Others are elsewhere. There are stores that are unique to each
user (account) in Windows, and there are stores that apply to the whole
system and all its users. Various tools that come with Windows present
the aggregated contents of these stores to the users, as if there was
just one store, hiding the details of which of the "physical stores"
really holds each cert or key. But when you go to put a cert into the
store, you (or some software) have to actually pick one of the physical
stores to hold it.

> The wizard says, "The import was successful"
>
> I look around to see what has changed. Nothing. Not a thing. The private
> keys are still marked as unavailable.

I'll bet that if you look in Windows' cert store with Windows cert
manager, you will find your cert there now, but would not have before
doing this. You could probably delete your cert from Windows cert store,
and then go through this process again, and see it return.

Windows cert manager is a dialog you get to from within IE,
Tools -> Internet Options -> Content (tab) -> Certificates (button)

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
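The thread's point that a PKCS#12 (.pfx/.p12) file need not contain a private key, and that users assume it does, can be checked directly. The script below is an added example, not code from the thread or from any tool mentioned in it; it assumes the third-party `cryptography` package and constructs its own self-signed certificate and both bundle variants in memory, then reports whether a bundle actually carries a private key matching one of its certs.

```python
"""Inspect what a PKCS#12 (.p12/.pfx) bundle really carries.

Added example, not code from the thread. Requires the third-party
'cryptography' package; the self-signed certificate and both bundles are
constructed in memory so the script runs offline.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

SPKI = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def make_self_signed(common_name):
    """Constructed test material: an RSA key plus a matching self-signed cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return key, cert


def build_p12(cert, key=None, password=b"secret"):
    """PKCS#12 does not require a key: key=None yields a cert-only .pfx."""
    enc = serialization.BestAvailableEncryption(password)
    return pkcs12.serialize_key_and_certificates(b"test", key, cert, None, enc)


def inspect_p12(data, password):
    """Report whether the bundle holds a private key that matches a cert."""
    key, cert, extra = pkcs12.load_key_and_certificates(data, password)
    # A cert with no matching key may come back under the 'additional' certs.
    certs = ([cert] if cert is not None else []) + list(extra)
    pub = key.public_key().public_bytes(*SPKI) if key is not None else None
    matching = [c for c in certs if c.public_key().public_bytes(*SPKI) == pub]
    return {"has_private_key": key is not None,
            "cert_count": len(certs),
            "key_matches_cert": bool(matching)}


if __name__ == "__main__":
    key, cert = make_self_signed("Dave (constructed)")
    print("cert+key :", inspect_p12(build_p12(cert, key), b"secret"))
    print("cert only:", inspect_p12(build_p12(cert), b"secret"))
```

Run against a real .pfx before importing it on another machine: `has_private_key` False is exactly the "no private key in his .p12 file" surprise the thread describes.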