Nelson,

I eventually stumbled through all of this -- the problem I ran into was some generic error about not having a valid cert. It turned out that multiple identities, or the fact that the incorrect one was first, prevented me from using the cert. Life is good now and I can sign emails. I am working on the encryption part.

The next problem I will have to work on is using the smart card to interface with PKCS enabled web servers. If I set everything up correctly, I should just be able to hit the website, after having entered my PIN, and log on without being challenged, right? I also need to integrate this into a roles/ldap configuration. Have the cert verify against an LDAP attribute and then return me some roles. Oh yeah, and I have to be able to do this all on Linux. It's getting complicated.

Christian

Nelson B wrote:
> Sideswipe wrote:
> > Can someone point me to some docs on how to import certs and keys from
> > a smart card in firefox and thunderbird?
>
> Not exactly. With FireFox and ThunderBird (FF/TB) you don't import certs
> and keys from smart cards. Instead, you make FF/TB aware of them on the
> smart card, and it uses them right on the smart card when it needs them.
>
> This is quite different from the MSIE approach, which imports the cert
> from the smart card to the system's cert store (registry) where it may
> stay, even after you remove the card.
>
> So, for FF/TB, the objective is to make sure that FF/TB can see the cert
> on the card, and can use the key on the card. To do that you need to
>
> a) ensure the PKCS#11 module for the smart card is installed into FF/TB
> and then
> b) ensure that FF/TB can see the cert on the card, so that you can select
> it for use in signing and/or encryption of email, and/or web authenticating.
>
> > Admittedly I am new to this so I need some step-by-step instructions.
>
> When you installed your smart card hardware and/or software, it should
> have installed a software module (a "PKCS#11 module", in the jargon) into
> FF/TB for you. You should be able to see it in FF's list of known
> crypto modules. Go to
> Tools -> Options -> Advanced (tab) -> Security Devices (button)
>
> There you should see a list of "Security Modules and Devices".
> That list should include:
> - NSS Internal PKCS #11 Module
> - Builtin Roots Module
> and a third module, which is for your smart card.
> If it does, then you're ready for step b (listed above).
>
> Otherwise, you must "Load" the module for your smart card in this dialog.
> To do that, click the "Load" button. Then type in a name for your module
> (e.g. "NAME smart card module" where NAME is your product's name), and the
> name of a PKCS#11 module file, e.g. mycoolpkcs11module.dll. You'll have
> to get the name of the .dll file from your smart card maker or smart card
> reader maker (if it has a separate reader). You only need to register
> that module once, not every time you use it.
>
> Once your smart card module is loaded, and you can see it in that list of
> "Security Modules and Devices", you will want to "Log in" to it using the
> login button in that same "Security Modules and Devices" dialog. Then
> you're ready for the second step.
>
> The second step is to look at the certificates in the smart card using
> FF's Certificate Manager. When you're logged into your smart card,
> then you should be able to see your smart card's certificate(s) (if any)
> by going to the Certificate manager. Steps are:
> Tools -> Options -> Advanced (tab) -> View Certificates (button)
>
> Then your smart card certificates should show up in "Your Certificates",
> but they might show up in "Other Peoples' " certificates if FF cannot
> find the private key on the smart card.
>
> If you see your cert there, you should be able to highlight it and click
> on the "View" button to see all the gory (er, Wonderful ;-) details.
>
> Let's get that far before going on to the next step, getting this to work
> in TBird.
>
> > Hope someone has some info for me
> >
> > Christian Bongiorno
>
> Ciao,
> --
> Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto