Thank you so much for your help! I will look into submitting an enhancement request.
"Nelson B Bolyard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Jamie wrote, On 2008-08-04 12:12:
>> I am attempting to allow users to import a PKCS#7 certificate chain into
>> their browser, but I see in the Mozilla developer docs that the certificates
>> in the PKCS#7 file must be ordered in a specific way (user certificate first
>> with the CA chain following)
>
> I gather that you are trying to import a chain for a user's own cert, using
> MIME Content-Type application/x-x509-user-cert, yes?
>
>> For reference, I found this information here:
>> http://developer.mozilla.org/en/docs/NSS_Certificate_Download_Specification#Importing_Certificate_Chains
>>
>> The PKCS#7 standard doesn't specify certificate order, so
>> I'm wondering why this order is required to import a certificate,
>
> The Mozilla software wants to verify that the set of certs being imported
> contains a cert for which the user has a private key. It happens to
> check only the first of the certs for that property, rather than going
> down the list checking them all for that property. IMO, it would be a
> reasonable enhancement request to ask that it check all certs for one
> with that property. The code that does it is seen at
> <http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSCertificateDB.cpp&rev=1.32#883>
>
>> and how it is even possible...
>
> to create a PKCS#7 file with the certs in a particular order?
> Just use software to create the PKCS#7 file that gives you that control.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
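An added example, not part of the original thread and not Mozilla's code: a sketch of putting an unordered bag of certificates into the order the thread describes (user certificate first, CA chain following) before handing them to whatever tool writes the PKCS#7 file. The `Cert` record, `order_leaf_first` and the sample DNs are hypothetical, and matching on subject/issuer names alone is an assumption; real path building also compares key identifiers and verifies signatures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed certificate: only the two DNs matter here."""
    subject: str
    issuer: str


def order_leaf_first(certs):
    """Return certs as [user cert, issuing CA, ..., root].

    Raises ValueError if the bag does not hold exactly one end-entity
    cert, or if it holds certs that are not part of that cert's chain.
    """
    by_subject = {}
    for c in certs:
        if c.subject in by_subject:
            raise ValueError(f"duplicate subject: {c.subject}")
        by_subject[c.subject] = c
    # The end-entity cert is the one that issued nothing else in the bag.
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity cert, found {len(leaves)}")
    chain = [leaves[0]]
    # Walk issuer links upward until a self-signed root or a missing issuer.
    while chain[-1].issuer != chain[-1].subject:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent in chain:
            break
        chain.append(parent)
    if len(chain) != len(certs):
        raise ValueError("bag contains certs outside the user's chain")
    return chain


# Constructed sample: a bag in root-first order, as some exporters produce it.
SAMPLE_BAG = [
    Cert("CN=Example Root CA", "CN=Example Root CA"),
    Cert("CN=Example Issuing CA", "CN=Example Root CA"),
    Cert("CN=Jamie User", "CN=Example Issuing CA"),
]

if __name__ == "__main__":
    for cert in order_leaf_first(SAMPLE_BAG):
        print(cert.subject)
```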