On 19 Feb, 11:58, Nelson Bolyard <[EMAIL PROTECTED]> wrote:
> Sidjy wrote, On 2008-02-19 01:23:
>
> > it seems that importing PKCS12 certificates with a friendlyname
> > containing ":" characters has a strange behaviour: certificate is
> > successfully imported, and is visible in the certificate repository
> > (with its friendly name) BUT it is not usable for SSL authentication
> > (not listed in the certificate authentication dialog box).
>
> It's conceivable to me that the problem has something to do with the use
> of the colon (":") character, but I think a more likely explanation is
> that the certificate you imported is not issued by any of the CAs named
> by the server when it requests client authentication.
>
> When a server requests client authentication, it sends to the client a
> list of issuer names.  It says, in effect "if you have a certificate
> issued by any of these issuers, send that certificate to me".  It is a
> protocol violation for the client to send a certificate that is not
> issued by any of the issuers named by the server.  Mozilla follows
> that rule rigorously, and will only let you choose from among certificates
> that are issued by one of the issuers named by the server.  This is very
> different from IE, which will show you all your personal certificates,
> without regard to whether they are issued by one of the issuers named by the
> server.
>
> So, my first suspicion is that the list of issuer names that your
> server is sending to the client does not include the name of the issuer
> of the cert you're trying to use.
>
> You can read more about this on the page:
> http://wiki.mozilla.org/PSM:CertPrompt

Thanks for your answer: I forgot to mention it, but actually the
certificate IS issued by a CA named by the server.
I also tested client authentication on
https://www.apache-ssl.org/cgi/cert-export
(which accepts any CA): same behaviour.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
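
The issuer-list filtering described in the quoted reply above, as an added example that is not part of the original thread and is not NSS or PSM code: it parses the `certificate_authorities` field of a TLS 1.0/1.1 CertificateRequest body and keeps only local certificates whose issuer name was sent by the server. Assumptions: the function names, nicknames and CA byte strings are hypothetical, and matching is a byte-for-byte comparison of the direct issuer name only.

```python
import struct

def parse_certificate_request(body: bytes):
    """Parse a TLS 1.0/1.1 CertificateRequest body.

    Returns (certificate_types, issuers); each issuer is the raw DER
    DistinguishedName exactly as the server sent it.
    """
    try:
        n_types = body[0]
        types = list(body[1:1 + n_types])
        pos = 1 + n_types
        (ca_len,) = struct.unpack_from("!H", body, pos)
    except (IndexError, struct.error):
        raise ValueError("truncated CertificateRequest") from None
    pos += 2
    if len(types) != n_types or pos + ca_len != len(body):
        raise ValueError("length fields do not match message size")
    issuers = []
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if dn_len == 0 or pos + dn_len > len(body):
            raise ValueError("bad DistinguishedName length")
        issuers.append(body[pos:pos + dn_len])
        pos += dn_len
    return types, issuers

def selectable(local_certs, issuers):
    """Nicknames of local certs the client may offer.

    local_certs: (nickname, issuer DN as DER) pairs. An empty issuer list
    means the server named no CA, so every certificate is eligible.
    """
    if not issuers:
        return [nick for nick, _ in local_certs]
    wanted = set(issuers)
    return [nick for nick, dn in local_certs if dn in wanted]

def build_request(types, issuers):
    """Encode a CertificateRequest body (used to construct sample input)."""
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in issuers)
    return bytes([len(types)]) + bytes(types) + struct.pack("!H", len(cas)) + cas

# Constructed sample data: byte strings standing in for DER-encoded names.
CA_A, CA_B = b"DER(CN=Example CA A)", b"DER(CN=Example CA B)"
LOCAL = [("work:cert", CA_A), ("home cert", CA_B)]
```

The nickname plays no part in the match, so under this rule a certificate named with a ":" is offered whenever its issuer is in the server's list or the list is empty.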
