Ulf Leichsenring wrote:
> I tried the following with Softtoken as you asked. I created two
> keypairs/certificates and exported them to PKCS#12.
> Both certificates have set the "cn=Ulf Leichsenring" but have different
> keyUsages (keyEncryption vs. digitalSignature).
> The My-AUT-cert.p12 has a friendlyName of "Ulf Leichsenring (AUT)" and
> the My-ENC-cert.p12 has a friendlyName of "Ulf Leichsenring (ENC)".
> 
> First, I imported my AUT certificate into a new Softtoken using
> # pk12util -i My-AUT-cert.p12 -d .
> 
> Then I imported my ENC cert using
> # pk12util -i My-ENC-cert.p12 -d .
> 
> After that, I viewed the certificate store with
> # certutil -L -d .
> 
> And it showed me two entries named
> Ulf Leichsenring (AUT)                                       u,u,u
> Ulf Leichsenring (AUT)                                       u,u,u

The steps above imported the certs into NSS's softoken PKCS#11 module.
That module intentionally behaves as you see.

I understand your real concern is the ability to import the above two
certs (and their private keys) into another module, other than softoken.
I suggest you test that.  To do so, you need to add another command
line argument to the pk12util lines above, the option "-h tokenname"
where tokenname is the name of a token using your module, as reported
by NSS's modutil program.

Run NSS's modutil program to get a listing of known module, slot, and
token names.  If you don't see your module in that list, you need to
add your module to that list before you can proceed.  An example output
of modutil might look like this:

> # modutil -list
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
> 
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
> 
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
> 
>   2. eToken
>         library name: eTPKCS11.DLL
>          slots: 17 slots attached
>         status: loaded
> 
>          slot: AKS ifdh 0
>         token: eToken PRO

Then you would proceed with the pk12util commands, with the extra
argument
   -h "eToken PRO"

/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
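
An added example, not part of the original message and not NSS code: a shell helper that parses a `modutil -list` listing and builds the `pk12util` line only when the `-h` token name matches a listed token exactly. The listing is a constructed sample modelled on the one quoted above, and the function names are hypothetical.

```shell
# Constructed sample listing (modelled on the modutil output quoted above).
SAMPLE_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. eToken
        library name: eTPKCS11.DLL
         slots: 17 slots attached
        status: loaded

         slot: AKS ifdh 0
        token: eToken PRO'

# list_tokens: read a modutil listing on stdin, print "module|slot|token" per token.
list_tokens() {
    awk '
        { sub(/[ \t\r]+$/, "") }                      # drop trailing blanks / CR
        /^ *[0-9]+\. / { sub(/^ *[0-9]+\. /, ""); module = $0; next }
        /^ *slot: /    { sub(/^ *slot: /, "");  slot = $0; next }   # not "slots:"
        /^ *token: /   { sub(/^ *token: /, ""); print module "|" slot "|" $0 }
    '
}

# token_exists LISTING NAME: succeed only on an exact, whole-name token match.
token_exists() {
    printf '%s\n' "$1" | list_tokens |
        awk -F'|' -v want="$2" '($3 "") == (want "") { found = 1 } END { exit !found }'
}

# import_command LISTING P12FILE TOKEN: print the pk12util line from the message
# with -h added, or fail early if the token name is not in the listing.
import_command() {
    if token_exists "$1" "$3"; then
        printf 'pk12util -i %s -d . -h "%s"\n' "$2" "$3"
    else
        printf 'token "%s" not listed; add the module with modutil first\n' "$3" >&2
        return 1
    fi
}

# On a live system, pass "$(modutil -list -dbdir .)" instead of the sample.
import_command "$SAMPLE_LISTING" My-AUT-cert.p12 "eToken PRO"
```
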
