Jamie wrote, On 2008-08-04 12:12:
> I am attempting to allow users to import a PKCS#7 certificate chain into
> their browser, but I see in the Mozilla developer docs that the certificates
> in the PKCS#7 file must be ordered in a specific way (user certificate first
> with the CA chain following)

I gather that you are trying to import a chain for a user's own cert,
using MIME Content-Type application/x-x509-user-cert, yes?

> For reference, I found this information here:
> http://developer.mozilla.org/en/docs/NSS_Certificate_Download_Specification#Importing_Certificate_Chains
>
> The PKCS#7 standard doesn't specify certificate order, so
> I'm wondering why this order is required to import a certificate,

The Mozilla software wants to verify that the set of certs being imported
contains a cert for which the user has a private key. It happens to check
only the first of the certs for that property, rather than going down the
list checking them all for that property. IMO, it would be a reasonable
enhancement request to ask that it check all certs for one with that
property. The code that does it is seen at
<http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSCertificateDB.cpp&rev=1.32#883>

> and how it is even possible... to create a PKCS#7 file with the certs in a particular order?

Just use software to create the PKCS#7 file that gives you that control.
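
One way to get that control, shown as an added example that is not part of the original thread: OpenSSL's `crl2pkcs7` writes certificates in the order they appear in its input, so putting the user certificate first yields the layout the reply describes. The helper function names, file names and the throwaway "Demo CA" / "Demo User" certificates are constructed for illustration.

```shell
# Added example (not from the original thread); names and certs are constructed.
# build_p7b OUT CERT...: certs-only PKCS#7 (DER) with certs in argument order
build_p7b() {
    out=$1; shift
    bundle=$(mktemp) || return 1
    if cat "$@" > "$bundle" &&
       openssl crl2pkcs7 -nocrl -certfile "$bundle" -outform DER -out "$out"
    then rc=0; else rc=1; fi
    rm -f "$bundle"; return $rc
}

# first_cert_pubkey P7B: public key of the first certificate in the file
first_cert_pubkey() {
    openssl pkcs7 -inform DER -in "$1" -print_certs | openssl x509 -noout -pubkey
}

# first_cert_matches_key P7B KEY: true when the first cert belongs to KEY,
# the property the reply says Mozilla checks on the first cert only
first_cert_matches_key() {
    [ "$(first_cert_pubkey "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# make_demo_certs DIR: throwaway CA and user cert (constructed sample input)
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_demo_certs "$d" || return 1
    build_p7b "$d/good.p7b" "$d/user.pem" "$d/ca.pem"   # user cert first
    build_p7b "$d/bad.p7b"  "$d/ca.pem" "$d/user.pem"   # CA cert first
    for f in good bad; do
        if first_cert_matches_key "$d/$f.p7b" "$d/user.key"
        then echo "$f.p7b: first cert matches user key"
        else echo "$f.p7b: first cert does NOT match user key"
        fi
    done
    rm -rf "$d"
}
demo
```

Running `first_cert_matches_key` against a chain file before serving it catches a mis-ordered chain on the server side rather than as a failed import in the browser.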