On 07/27/2015 12:54 AM, Trick, Daniel wrote:
Thank you a lot for clarification, Kaspar!

So, by design of NSS, all certificates with the same DN will end up with the same nickname. And the very first certificate with a specific DN will set the nickname for all other certificates (with that same DN).

Now, I see that this works as long as we have one certificate for encryption, one for signing and one for auth. The application (e.g. Thunderbird) still picks the correct certificate, probably by looking at the key usage flags, although they all have the same name.

But how am I supposed to deal with the situation that the user gets a "new" certificate for the same DN? If there are several certificates for, e.g., encryption, all with the same DN - and thus also with the same nickname - how do we distinguish?
NSS returns the newest valid cert for the given operation.
(I'm asking this, because I also need to be prepared for the case that user certificates are "refreshed" when they expire - or shortly before they expire. So, for a limited amount of time, we may need to keep the "old" /and/ the "new" certificate in the store)
Yes, that's pretty common, including in Thunderbird (where you have a lot of old encryption certs).
There are not so good, and not uncommon, corner cases to watch out for: if you have 2 certs with the same DN but different roles, where both are active at the same time, you can't use nicknames to select the cert. If you want to delete a cert, you can't use the nickname to uniquely identify the cert you want to delete. When you need fine-grained control, the application should use issuer/serial number to identify the cert (I think all the Mozilla apps have gone to this now).
bob
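Bob's advice above, as an added example that is not part of this thread and not NSS's own code: a small Python model of an NSS cert store built from constructed records (nickname, subject, issuer, serials and dates are all made up), showing the "newest valid cert for the operation" selection, why deleting by nickname becomes ambiguous once a renewed cert sits beside the old one, and the issuer/serial lookup that is unambiguous. The key-usage-to-operation mapping is a simplified assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    """Constructed stand-in for the fields an application reads from a cert in the NSS DB."""
    nickname: str          # shared by every cert with the same subject DN (NSS behaviour from the thread)
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    key_usage: frozenset   # key-usage bit names, e.g. {"digitalSignature"}


# Assumption: simplified mapping from S/MIME operation to the key-usage bit it needs
USAGE_FOR_OPERATION = {
    "sign": "digitalSignature",
    "encrypt": "keyEncipherment",
}


def utc_date(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample DB: one subject DN, hence one nickname, three certs.
SAMPLE_DB = [
    CertRecord("Daniel's ID", "CN=Daniel Trick", "CN=Example CA", 0x1001,
               utc_date(2013, 8, 1), utc_date(2015, 8, 1), frozenset({"keyEncipherment"})),   # old encryption cert
    CertRecord("Daniel's ID", "CN=Daniel Trick", "CN=Example CA", 0x1002,
               utc_date(2013, 8, 1), utc_date(2015, 8, 1), frozenset({"digitalSignature"})),  # signing cert
    CertRecord("Daniel's ID", "CN=Daniel Trick", "CN=Example CA", 0x2001,
               utc_date(2015, 7, 15), utc_date(2017, 7, 15), frozenset({"keyEncipherment"})), # renewed encryption cert
]


def cert_id(cert):
    """issuer + serial: the pair that identifies exactly one cert, unlike the shared nickname."""
    return (cert.issuer, cert.serial)


def select_for_operation(db, nickname, operation, now):
    """Pick the newest cert under `nickname` that is valid at `now` and carries the key usage
    the operation needs (the 'newest valid cert for the operation' rule from the thread)."""
    usage = USAGE_FOR_OPERATION[operation]
    candidates = [c for c in db
                  if c.nickname == nickname
                  and usage in c.key_usage
                  and c.not_before <= now <= c.not_after]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.not_before)


def delete_by_nickname(db, nickname):
    """The ambiguous way: refuses whenever the nickname does not match exactly one cert."""
    matches = [c for c in db if c.nickname == nickname]
    if len(matches) != 1:
        raise ValueError(f"nickname {nickname!r} matches {len(matches)} certs; use issuer/serial")
    return [c for c in db if c is not matches[0]]


def delete_by_issuer_serial(db, issuer, serial):
    """The unambiguous way: remove exactly the cert with this issuer/serial pair."""
    remaining = [c for c in db if cert_id(c) != (issuer, serial)]
    if len(remaining) == len(db):
        raise KeyError(f"no cert with issuer={issuer!r} serial={serial:#x}")
    return remaining


if __name__ == "__main__":
    now = utc_date(2015, 7, 27)   # old and renewed encryption certs are both active on this day
    chosen = select_for_operation(SAMPLE_DB, "Daniel's ID", "encrypt", now)
    print("encrypt with serial", hex(chosen.serial))
    try:
        delete_by_nickname(SAMPLE_DB, "Daniel's ID")
    except ValueError as e:
        print("nickname delete refused:", e)
    trimmed = delete_by_issuer_serial(SAMPLE_DB, "CN=Example CA", 0x1001)
    print(len(trimmed), "certs remain after removing the old encryption cert")
```

During the overlap window both encryption certs are valid, so the selection falls back to the validity start date and returns the renewed cert; after the old one expires only the renewed cert remains a candidate. The same ambiguity applies to any tool that deletes by nickname, such as certutil -D -n <nickname>, which is why issuer/serial is the identifier to store when an application must remove or pin one specific cert.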
Regards,
Daniel

On 26.07.2015 at 08:38, Kaspar Brand wrote:
On 20.07.2015 14:05, Trick, Daniel wrote:
I'm facing a new problem regarding pk12util from NSS Tools: When I import the _first_ certificate of a user into the database with pk12util, then the certificate's name in the NSS database will be:

NSS Certificate DB: <friendly_name_taken_from_p12_file>

Okay, but as soon as I import the _second_ certificate (or any further certificate), it won't be added to the DB with a distinct name. Instead, the entry that was created when importing the _first_ certificate will appear several times! :-\
[...]
Is this an intended behaviour of pk12util, and if so, how can I achieve the required result? If it's *not* intended and actually a bug, should I file a bug report now?

Yes, it is by design. All certificates with the same subject DN are expected to share a common nickname, otherwise you would end up with a corrupt DB, see e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=594297.

Kaspar
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto