Hi, I'm not sure I have subscribed to the right list for the sake of solving the following problem, so if it's not pertinent then someone can let me know where I could find a solution. :)

As a college work I've been developing a CA which works offline. A user accesses a website whose php/html code has a <keygen> tag inside a form. A key pair is generated, the private key is stored in Mozilla's key3.db database and the public key, in SPKAC format, is sent to my CA's database to be signed later. My CA daemon, connected to an HSM, checks the database, recovers the public key, builds and signs a certificate and notifies that user about his fresh certificate. He comes back to the website and gets his certificate.

The user imports the CA's certificate into Mozilla's certs database successfully: a dialog pops up asking to install a new CA certificate. However, he cannot import his issued certificate at all. This is the problem I've been facing.

It looks like the private key is well generated each time the browser reads the <keygen> tag, because I can list it using the certutil tool. However, there's no label assigned to the private key, which seems weird to me:

    [EMAIL PROTECTED]:~/.mozilla/firefox/2vyqwv9f.default$ certutil -K -d .
    <0>
    <1>
    [EMAIL PROTECTED]:~/.mozilla/firefox/2vyqwv9f.default$

The issued user's certificate looks ok too. I can print it out through the openssl x509 application. It's DER encoded.

I've tried other CAs like Microsoft's and the one at http://www.primekey.se/primekey/en/Demo/Enroll.html. With this one I submit an online form, my Mozilla generates a key pair and a certificate is imported. I can even list that key and its related certificate:

    [EMAIL PROTECTED]:~/.mozilla/firefox/2vyqwv9f.default$ certutil -K -d .
    <0> Martin Augusto's PrimeKey Solutions AB ID
    <1>
    <2>
    [EMAIL PROTECTED]:~/.mozilla/firefox/2vyqwv9f.default$

The difference between PrimeKey's CA and mine is the way they work. PrimeKey receives the public key, signs a certificate and gives it back instantly. My CA receives the public key and signs a certificate later.

I think the problem is that the certificate is not matching a previously generated private key when a user comes back to the website to get his certificate... Do I need to use anything to make Mozilla remember the generated private key, like a cookie? Does anyone have any clue or have faced that problem? I appreciate any hint.

Have a great day,

Martín Augusto - LabSEC
www.labsec.ufsc.br

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
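An added example, not from the original post or from LabSEC's CA: a POSIX shell check, built on the openssl CLI, that the certificate the CA issued carries the same public key as the SPKAC the browser submitted, which is exactly the mismatch the post suspects. Before comparing, it verifies the SPKAC's own signature, so a truncated or tampered SPKAC in the CA database is rejected rather than reported as a mere mismatch. It assumes openssl is on PATH; the file names are placeholders and the key material in make_fixture is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the post's or LabSEC's code). Assumes the openssl CLI.
set -e

# spkac_matches_cert SPKAC_FILE CERT_DER
#   SPKAC_FILE holds the browser's submission as a "SPKAC=<base64>" line
#   (the form in which <keygen> posts it and openssl reads it).
#   Returns 0 when the SPKAC and the DER certificate carry the same
#   SubjectPublicKeyInfo, 1 when they differ, 2 when the SPKAC's
#   self-signature does not verify.
spkac_matches_cert() {
  spkac_file="$1"; cert_der="$2"
  # -verify checks the signature the browser made with the freshly generated
  # private key; a SPKAC that fails here never belonged to the key in key3.db.
  openssl spkac -in "$spkac_file" -noout -verify >/dev/null 2>&1 || return 2
  # Normalise both public keys to DER SubjectPublicKeyInfo and fingerprint
  # them, so PEM whitespace or line-wrapping differences cannot cause a
  # false mismatch.
  spkac_fp=$(openssl spkac -in "$spkac_file" -noout -pubkey \
             | openssl pkey -pubin -outform DER \
             | openssl dgst -sha256 -r | cut -d' ' -f1)
  cert_fp=$(openssl x509 -in "$cert_der" -inform DER -noout -pubkey \
            | openssl pkey -pubin -outform DER \
            | openssl dgst -sha256 -r | cut -d' ' -f1)
  [ "$spkac_fp" = "$cert_fp" ]
}

# make_fixture: constructed test material in a temporary directory.
#   k1.pem -> k1.spkac (what the browser would post) and k1.der (a matching
#   certificate); k2.der is issued for an unrelated key, so it must not match.
#   Prints the directory path.
make_fixture() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/k1.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/k2.pem" 2>/dev/null
  # openssl spkac -key writes the same "SPKAC=<base64>" text a <keygen> form sends
  openssl spkac -key "$dir/k1.pem" -challenge constructed-challenge \
          -out "$dir/k1.spkac"
  openssl req -x509 -new -key "$dir/k1.pem" -subj "/CN=user1" -days 1 \
          -outform DER -out "$dir/k1.der" 2>/dev/null
  openssl req -x509 -new -key "$dir/k2.pem" -subj "/CN=user2" -days 1 \
          -outform DER -out "$dir/k2.der" 2>/dev/null
  echo "$dir"
}

# Stand-alone demo: ./check_spkac.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(make_fixture)
  spkac_matches_cert "$d/k1.spkac" "$d/k1.der" && echo "k1.der: public key matches the SPKAC"
  spkac_matches_cert "$d/k1.spkac" "$d/k2.der" || echo "k2.der: public key does NOT match the SPKAC"
fi
```

In a deployment the two inputs are the SPKAC row the CA daemon stored and the DER file the website serves back to the user. Firefox installs a user certificate (served as application/x-x509-user-cert) only when key3.db already holds the private key for that public key, so an equal fingerprint here is the precondition for the import to succeed; an unequal one points at the wrong SPKAC having been signed, or at the key pair having been regenerated by a second visit to the <keygen> form.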