Hi,

I don't think it matters that your CA works offline. In fact many CAs
work the same way when dealing with cert requests. The most probable cause
of the problem is the signed cert itself. The fact that you can decode and
print out the cert with openssl only suggests that it is a properly encoded
and probably valid (if you have chosen to verify the signature) cert.

I don't think the reason for the failure is related to a key mismatch, as NSS
stores its private keys indexed by the hash value of the matching public key.

One possible reason could be that the current NSS version will
reject any cert that has an extension marked as critical if such an
extension is unknown to NSS.

Did you try to import the cert with certutil? What was the error
message and/or exit code?


Martín Augusto Gagliotti Vigil wrote:
> Hi,
>
> I'm not sure I have subscribed the right list for the sake of solving the
> following problem, so if it's not pertinent then someone can let me know
> where I could find a solution. :)
>
> As college work I've been developing a CA which works offline. A user
> accesses a website whose php/html code has a <keygen> tag inside a form. A key
> pair is generated, the private key is stored in Mozilla's key3.db database
> and the public key, in SPKAC format, is sent to my CA's database to be
> signed later. My CA daemon, connected to an HSM, checks the database, recovers the
> public key, builds and signs a certificate and notifies that user about his
> fresh certificate. He comes back to the website and gets his certificate.
>
> The user imports the CA's certificate into Mozilla's certs database
> successfully: a dialog pops up asking to install a new CA certificate.
> However, he cannot import his issued certificate at all. This is the problem
> I've been facing.
>
> It looks like the private key is well generated each time the browser reads
> the <keygen> tag because I can list it using the certutil tool. However, there's
> no label assigned to the private key, which seems weird to me:
> [EMAIL PROTECTED]:~/.mozilla/firefox/2vyqwv9f.default$ certutil -K -d .
> <0>
> <1>
> [EMAIL PROTECTED]:~/.mozilla/firefox/2vyqwv9f.default$
>
> The issued user's certificate looks ok too. I can print it out through
> openssl x509 application. It's DER encoded.
>
> I've tried other CAs like Microsoft's and the one at
> http://www.primekey.se/primekey/en/Demo/Enroll.html. With this one I submit an
> online form, my Mozilla generates a key pair and a certificate is imported.
> I can even list that key and its related certificate:
> [EMAIL PROTECTED]:~/.mozilla/firefox/2vyqwv9f.default$ certutil -K -d .
> <0> Martin Augusto's PrimeKey Solutions AB ID
> <1>
> <2>
> [EMAIL PROTECTED]:~/.mozilla/firefox/2vyqwv9f.default$
>
> The difference between PrimeKey's CA and mine is the way they work. PrimeKey
> receives the public key, signs a certificate and gives it back instantly.
> My CA receives the public key and signs a certificate later. I think the
> problem is that the certificate does not match a previously generated
> private key when a user comes back to the website to get his certificate...
> Do I need to use anything to make Mozilla remember the generated private key,
> like a cookie?
>
> Does anyone have any clue or have faced that problem?
>
> I appreciate any hint.
> 
> Have a great day,
> 
> Martín Augusto - LabSEC www.labsec.ufsc.br

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
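As an added example that is not code from either message in this thread: the reply above points at critical extensions NSS does not recognise as a likely reason an otherwise well-formed DER certificate is refused on import. The script below, using only the Python standard library, walks a DER certificate (Certificate -> tbsCertificate -> extensions [3]) and lists each extension OID with its critical flag, then reports the critical ones that are outside a small "known" table. That table, the sample certificate (built inline with dummy signature bytes, so it is not a valid certificate) and the private OID 1.3.6.1.4.1.99999.1 are all constructed for illustration, not taken from the thread or from NSS.

```python
"""List critical X.509 extensions in a DER certificate and flag unknown ones.

Added example, not part of the mailing-list thread. Standard library only.
"""

# Assumed table of extension OIDs a client is expected to understand; this is
# an illustration, not NSS's actual list of supported extensions.
KNOWN_EXTENSION_OIDS = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.31": "cRLDistributionPoints",
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.37": "extKeyUsage",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos (single-byte tags only, as in X.509);
    return (tag, value_bytes, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed type into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def certificate_extensions(der):
    """Return [(oid, critical)] for every extension in a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    tbs = _children(cert)[0][1]             # tbsCertificate
    for tag, val in _children(tbs):
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            exts = _children(val)[0][1]     # Extensions SEQUENCE contents
            break
    else:
        return []
    result = []
    for _, ext in _children(exts):
        parts = _children(ext)
        oid = _decode_oid(parts[0][1])
        # critical BOOLEAN (tag 0x01) is OPTIONAL, DEFAULT FALSE
        critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] != b"\x00"
        result.append((oid, critical))
    return result


def unknown_critical_extensions(der):
    """OIDs marked critical that are not in the known table: the case in which
    a strict implementation (NSS, per the reply above) refuses the cert."""
    return [oid for oid, crit in certificate_extensions(der)
            if crit and oid not in KNOWN_EXTENSION_OIDS]


# --- constructed sample input: a minimal DER encoder and a toy certificate ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(enc)
    return _tlv(0x06, body)


def _ext(oid, critical, value):
    inner = _oid(oid) + (_tlv(0x01, b"\xff") if critical else b"") + _tlv(0x04, value)
    return _tlv(0x30, inner)


def build_sample_certificate():
    """Constructed certificate with only a version and an extensions block in
    its TBSCertificate and dummy signature bytes: enough structure for the
    extension walk, NOT a valid certificate."""
    exts = _tlv(0x30,
                _ext("2.5.29.19", True, _tlv(0x30, b""))                  # basicConstraints, critical, known
                + _ext("2.5.29.15", True, _tlv(0x03, b"\x05\xa0"))        # keyUsage, critical, known
                + _ext("1.3.6.1.4.1.99999.1", True, _tlv(0x04, b"hsm"))   # private OID, critical, unknown (assumed)
                + _ext("2.5.29.17", False, _tlv(0x30, b"")))              # subjectAltName, non-critical
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0xA3, exts))  # version v3 + [3] extensions
    sig_alg = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + _tlv(0x05, b""))  # sha256WithRSAEncryption
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" + b"\x00" * 16))  # dummy signature BIT STRING


if __name__ == "__main__":
    for oid, crit in certificate_extensions(build_sample_certificate()):
        print(oid, "critical" if crit else "non-critical")
    print("unknown critical:", unknown_critical_extensions(build_sample_certificate()))
```

To run the same check against a real file, read it with `open("user.der", "rb").read()` and pass the bytes to `unknown_critical_extensions`; anything it reports is the first thing to drop from the CA's profile before retrying the import. The import itself can be attempted from the profile directory with `certutil -A -d . -n "label" -t ",," -i user.der` and its exit code checked, which is the diagnostic the reply above asks for.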
