On Wed, Jan 26, 2011 at 4:38 AM, Martin Boßlet <martin.boss...@googlemail.com> wrote:
>
> I want to authenticate to a server using TLS client authentication, so
> I imported a PKCS#12 file for this purpose.
> Unfortunately the certificate is from an internal CA that issues neither
> keyUsage, extendedKeyUsage
> nor NetscapeCertType extensions.

If the client certificate doesn't have any of those extensions, NSS
should allow all uses:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certdb/certdb.c&rev=1.109&mark=453,458-459,469-470#448
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certdb/certdb.c&rev=1.109&mark=692,703-705#691

> From reading previous posts I gathered that when selecting acceptable
> certificates, an acceptable candidate
> must contain the digitalSignature keyUsage and also the
> extendedKeyUsage clientAuthentication.
> I looked through NSS sources and found the following in certdb.c:
>
>     case certUsageSSLClient:
>         requiredKeyUsage = KU_DIGITAL_SIGNATURE;
>         requiredCertType = NS_CERT_TYPE_SSL_CLIENT;
>         break;
>
> Is this the code that controls whether a certificate is considered as
> a viable candidate?

I think so. I am not familiar with that part of the NSS code, so I
can't summarize the certificate selection algorithm. But I think a
client certificate without any of those extensions should be allowed
for all uses.

I wonder if you didn't import the PKCS #12 file correctly, or it's
missing a required intermediate CA certificate. Please open
Tools > Options > Advanced > Encryption > View Certificates > Your Certificates.
Does it show the client certificate you imported?

Wan-Teh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
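The selection rule discussed in this thread, as an added illustration (not NSS source code): a certificate qualifies for certUsageSSLClient when its effective keyUsage contains digitalSignature and its effective nsCertType contains the SSL client bit, where an absent keyUsage extension means "all usages" and an absent nsCertType extension is derived from extendedKeyUsage or, when that is absent too, likewise means "all types". The bit values and the KU_ALL / NS_CERT_TYPE_ALL constants are assumptions chosen to mirror the NSS names; the two EKU OIDs are the standard id-kp-serverAuth and id-kp-clientAuth.

```python
# Model of the certdb.c decision for certUsageSSLClient (added example,
# not NSS code). Constants mirror NSS names; their values are assumed.
from typing import Optional, Set

KU_DIGITAL_SIGNATURE = 0x80        # keyUsage bit required for client auth
KU_ALL = 0xFE                      # assumed: every keyUsage bit set
NS_CERT_TYPE_SSL_CLIENT = 0x80     # nsCertType bit required for client auth
NS_CERT_TYPE_SSL_SERVER = 0x40
NS_CERT_TYPE_ALL = 0xFF            # assumed: "no restriction" value

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def effective_key_usage(key_usage: Optional[int]) -> int:
    """No keyUsage extension at all => the certificate is not restricted."""
    return KU_ALL if key_usage is None else key_usage


def effective_cert_type(ns_cert_type: Optional[int],
                        eku: Optional[Set[str]]) -> int:
    """nsCertType wins when present; otherwise derive the type bits from
    extendedKeyUsage; if neither extension exists, allow every type."""
    if ns_cert_type is not None:
        return ns_cert_type
    if eku is None:
        return NS_CERT_TYPE_ALL
    derived = 0
    if OID_CLIENT_AUTH in eku:
        derived |= NS_CERT_TYPE_SSL_CLIENT
    if OID_SERVER_AUTH in eku:
        derived |= NS_CERT_TYPE_SSL_SERVER
    return derived


def usable_for_ssl_client(key_usage: Optional[int],
                          eku: Optional[Set[str]],
                          ns_cert_type: Optional[int]) -> bool:
    """Mirror the 'case certUsageSSLClient' branch quoted in the thread."""
    required_key_usage = KU_DIGITAL_SIGNATURE
    required_cert_type = NS_CERT_TYPE_SSL_CLIENT
    ku_ok = (effective_key_usage(key_usage) & required_key_usage) == required_key_usage
    ct_ok = (effective_cert_type(ns_cert_type, eku) & required_cert_type) == required_cert_type
    return ku_ok and ct_ok


if __name__ == "__main__":
    # Martin's case: internal CA issued none of the three extensions.
    print(usable_for_ssl_client(None, None, None))   # True: allowed for all uses
```

A certificate that carries a keyUsage extension without digitalSignature, or an extendedKeyUsage listing only serverAuth, is the case that actually gets filtered out; the extension-free certificate from the question passes, which is why a missing intermediate or a failed PKCS#12 import is the more likely cause.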