Maybe my googling skills are weak, but I found no information on how to get NSS to use keys from the Windows keystore. In the end, I decided it's probably a violation of the NSS paradigm anyway. It seems the intent is to use the NSS database as the sole repository of certs and keys. Especially in FIPS mode.
If that's not correct, I would love to know how to do that. Anyone?

So, once I used pk12util to import a p12 into NSS I was able to get 2-way SSL, or client-authenticated SSL, to work using the javax.net.ssl classes. That is, configure the NSS provider as described in the Java 8 docs referenced above then build an SSLContext and so on, as usual.

Now my problem is how to choose among multiple certs. If there's more than one cert that matches the server's set of issuing CAs, the system just picks the first one. If I try to provide my own KeyManager so I can override its chooseClientAlias method I get an error:

    java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used

Is there any way around that?

Thanks!
Merlin

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto