Sidjy wrote, On 2008-02-19 01:23:

> It seems that importing PKCS12 certificates with a friendlyname
> containing ":" characters has a strange behaviour: the certificate is
> successfully imported, and is visible in the certificate repository
> (with its friendly name) BUT it is not usable for SSL authentication
> (not listed in the certificate authentication dialog box).

It's conceivable to me that the problem has something to do with the use
of the colon (":") character, but I think a more likely explanation is
that the certificate you imported is not issued by any of the CAs named
by the server when it requests client authentication.

When a server requests client authentication, it sends to the client a
list of issuer names.  It says, in effect "if you have a certificate
issued by any of these issuers, send that certificate to me".  It is a
protocol violation for the client to send a certificate that is not
issued by any of the issuers named by the server.  Mozilla follows
that rule rigorously, and will only let you choose from among certificates
that are issued by one of the issuers named by the server.  This is very
different from IE, which will show you all your personal certificates,
without regard to whether they are issued by one of the issuers named by the
server.

So, my first suspicion is that the list of issuer names that your
server is sending to the client does not include the name of the issuer
of the cert you're trying to use.

You can read more about this on the page:
http://wiki.mozilla.org/PSM:CertPrompt

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
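
The issuer-based filtering described in the message above, as an added example that is not part of the original post and is not NSS or PSM code. It is a simplified model: all certificates, DNs and function names are constructed, and it goes slightly beyond the message by also accepting a certificate whose chain leads up to a named CA (TLS lets the server name root or subordinate CAs) and by handling an empty issuer list, in which case TLS lets the client offer any certificate.

```python
# Added illustration: a simplified model of issuer-based client cert filtering.
# All certificate data is constructed; every name here is hypothetical.
from dataclasses import dataclass

def norm_dn(dn: str) -> tuple:
    """Normalize a comma-separated DN for comparison (simplified: no escaped
    commas; attribute types and values compared case-insensitively)."""
    parts = [p.split("=", 1) for p in dn.split(",")]
    return tuple((k.strip().upper(), v.strip().lower()) for k, v in parts)

@dataclass
class Cert:
    nickname: str   # PKCS#12 friendly name; never consulted by the filter
    subject: str
    issuer: str

def chain_issuers(cert, by_subject):
    """Yield issuer DNs from cert upward until a self-signed or unknown CA."""
    seen = set()
    while cert and norm_dn(cert.issuer) not in seen:
        seen.add(norm_dn(cert.issuer))
        yield norm_dn(cert.issuer)
        cert = by_subject.get(norm_dn(cert.issuer))

def selectable(user_certs, ca_certs, acceptable_dns):
    """Return nicknames a strict client would list for the given issuer names."""
    if not acceptable_dns:   # empty list: any certificate may be offered
        return [c.nickname for c in user_certs]
    wanted = {norm_dn(d) for d in acceptable_dns}
    by_subject = {norm_dn(c.subject): c for c in ca_certs}
    return [c.nickname for c in user_certs
            if wanted & set(chain_issuers(c, by_subject))]

# Constructed sample store: two CAs and three personal certificates.
CAS = [Cert("Root", "CN=Example Root,O=Example", "CN=Example Root,O=Example"),
       Cert("Sub", "CN=Example Sub CA,O=Example", "CN=Example Root,O=Example")]
USER = [Cert("alice:vpn", "CN=alice", "CN=Other CA,O=Elsewhere"),
        Cert("alice:web", "CN=alice", "cn=Example Sub CA, o=Example"),
        Cert("alice", "CN=alice", "CN=Other CA,O=Elsewhere")]

if __name__ == "__main__":
    for names in (["CN=Example Sub CA,O=Example"],
                  ["CN=Example Root,O=Example"],
                  ["CN=Other CA,O=Elsewhere"], []):
        print(names, "->", selectable(USER, CAS, names))
```

In this model the nickname plays no part: "alice:vpn" and "alice" share an issuer and are listed or hidden together, whether or not the name contains a colon.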
