If I understand correctly, to import a certificate from a .p12 file, you first have to store the private key on the internal key storage token before you can import the certificate. Is this correct?
I've been banging my head against the wall for the past couple of days trying to figure out why I can't import a user certificate from JSS or JavaScript. It wasn't until I repeatedly got NoSuchItemOnToken exceptions in JSS that it finally clicked, duh. I've only come across 1 Java example that extracts information from a p12 file and it doesn't look fun! For the sake of limiting the amount of time that I bang my head against the wall, I figured I'd ask you folks a few things first.

1) I can remove user certificates from Firefox through JavaScript by using the XPCOM nsIX509CertDB interface. However, I have not succeeded yet in importing a p12 file. When I do a CertDB.ImportPKCS12File(null, cert_file); it runs fine, asks for the password, I enter the password, and then I get an alert that reads "Failed to restore the PKCS #12 file for unknown reasons". I don't know if this is because the private key is not already stored in a token, but that doesn't make a whole lot of sense to me; I would imagine it knows what to do with the p12 file (i.e. get the certificate and keys). Can anyone shed some light on this?

2) I know that writing to the database while Firefox is running is bad, but is it only bad when you are adding/removing certificates? The real question is, will it corrupt the database if Firefox is running and I run a Java application that adds a private key to the key storage token?

3) How does NSS relate a particular private key on a token to a certificate? Is the process as simple as: open a p12, get the private key, add private key to token, import certificate and give it nickname? I would imagine there is more to adding the key to the token than just passing the key to the token?

I would like to accomplish this through the use of JavaScript, but JSS is an option if this can be done while the browser is running. If anyone has done something similar, please get in touch with me. As always, thanks for the help.
Josh