joshuaaa wrote, On 2008-07-31 06:46:

> If I understand correctly, to import a certificate from a .p12 file,
> you first have to store the private key on the internal key storage
> token before you can import the certificate. Is this correct?

No. A PKCS#12 file contains (or should contain) both a private key and the corresponding certificate. When you import it, you import both at the same time. The only prerequisites to importing a PKCS#12 are:

- The pkcs12 file must contain a "friendly name" (a.k.a. "nickname") for the certificate that corresponds to the private key, and
- the nickname must not "conflict" with a nickname already in the PKCS#11 token into which you are importing the cert and key.

Let me explain what a "nickname conflict" is. A nickname conflict occurs when your pkcs12 file has the same nickname as a cert that is already in the PKCS#11 token into which you are trying to import it, BUT the subject name of the certificate with that nickname in the PKCS#11 token is not the same as the subject name of the certificate with that nickname in the PKCS#12 file.

> I've been banging my head against the wall for the past couple of days
> trying to figure out why I can't import a user certificate from JSS or
> Javascript. It wasn't until I repeatedly got NoSuchItemOnToken
> exceptions in JSS that it finally clicked, duh.

Maybe the wrong thing clicked. :) But seriously, there is no prerequisite for a private key to already be imported before importing a PKCS12 file.

Now, if you had a PKCS#11 token that was misbehaving, so that after you imported a private key (or cert) into it, that private key (or cert) could not subsequently be found in that token, that could cause the symptom you describe, I think.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
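
The two import prerequisites described in the reply above, modelled as a pre-import check. This is an added example, not code from the original message or from NSS/JSS; `CertEntry`, `precheck_import` and all sample names are hypothetical, and subject names are compared as plain strings as an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CertEntry:
    nickname: Optional[str]        # PKCS#12 "friendly name"; None if absent
    subject: str                   # subject name, treated as an opaque string (assumption)
    has_private_key: bool = False  # True for the cert that matches the private key


def precheck_import(token_certs, p12_certs):
    """Return (nickname, problem) pairs for PKCS#12 entries that would fail
    the two prerequisites: a friendly name on the key's certificate, and no
    nickname conflict with the target PKCS#11 token."""
    # Subjects already stored in the token, grouped by nickname. Several certs
    # may legitimately share a nickname when they share a subject.
    subjects_by_nick = {}
    for cert in token_certs:
        subjects_by_nick.setdefault(cert.nickname, set()).add(cert.subject)

    problems = []
    for cert in p12_certs:
        if not cert.nickname:
            # Only the certificate paired with the private key must be named.
            if cert.has_private_key:
                problems.append((cert.nickname, "missing friendly name"))
            continue
        known = subjects_by_nick.get(cert.nickname)
        # Same nickname with the same subject is fine; a different subject
        # under an existing nickname is the conflict.
        if known is not None and cert.subject not in known:
            problems.append((cert.nickname, "nickname conflict"))
    return problems


# Constructed sample data: contents of the target token.
TOKEN = [
    CertEntry("Alice ID", "CN=Alice,O=Example"),
    CertEntry("Example CA", "CN=Example Root,O=Example"),
]

if __name__ == "__main__":
    renewed = [CertEntry("Alice ID", "CN=Alice,O=Example", True)]
    clashing = [CertEntry("Alice ID", "CN=Mallory,O=Other", True)]
    unnamed = [CertEntry(None, "CN=Bob,O=Example", True)]
    for label, p12 in (("renewed", renewed), ("clashing", clashing), ("unnamed", unnamed)):
        print(label, precheck_import(TOKEN, p12))
```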