Bug 201719
Opened 22 years ago
Closed 22 years ago
Client certificates imported in mozilla 1.2.1 are not available in 1.3
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: igor, Assigned: wtc)
Details
I have a client certificate generated by openssl via a script like:
# Command to generate a client certificate request.
openssl req -config clientconfig -newkey rsa:1024 \
    -days 365 -keyout clientcertkey.pem -out clientcertreq.pem
# Command to sign the client certificate from a request
openssl x509 -req -in clientcertreq.pem -extensions v3_usr \
    -CA clientrootca.pem -CAkey clientrootcakey.pem \
    -days 365 -CAcreateserial -out clientcert.pem
openssl pkcs12 -export -in clientcert.pem \
    -inkey clientcertkey.pem \
    -out newcerts/$1.p12 -name "Customerbase Certificate"
where clientconfig is
[ req ]
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = NINOgimp22
encrypt_key = no
[ req_distinguished_name ]
C = some-country
ST = some-town
L = some-town
O = some-company
OU = some-unit
CN = some-name
emailAddress = some-email
[ req_attributes ]
challengePassword = some-password
I imported this certificate in mozilla 1.0.1 (I checked the same procedure with
1.2.1 with the same result) and it was visible under Preferences->Privacy And
Security->Certificates->Manage Certificates->Your Certificates tab. It allowed
me to connect to SSL server without any problems.
Now when I run Mozilla 1.3, the certificate is no longer visible in the
Certificates dialog and connection to the site failed. To fix this I had to
export the certificate from 1.2.1 and then re-import the resulting .p12 file
back to 1.3 and then it worked ok.
I reported this initially in comments for the bug 200075, see comments 2 and 3.
Comment 1•22 years ago
Here's a guess about what happened.
1. You have multiple versions of mozilla installed on your box, or you have
uninstalled and reinstalled various versions.
2. At one point in time, you installed a version of mozilla that used NSS 3.7
which created a cert8.db file. That file contained copies of the certs you
had in your cert7.db file at that time.
3. Then later you ran an older version of mozilla, and you installed the
certificate with that older version. This installed the new cert/key in
cert7.db, but not in cert8.db.
4. Thereafter, you were able to use the new cert/key in the older versions of
mozilla (which use only cert7.db) but not in the newer versions of mozilla
(which use cert8.db).
When you run a version of mozilla that uses cert8.db, if you have a cert8.db
file, it just uses that. If you don't have a cert8.db, and you do have a
cert7.db, then mozilla creates a new cert8.db that matches the contents of
cert7.db. So anything you add to cert7.db after cert8.db has been created
will not be visible to the code that uses cert8.db. But you can copy certs
and keys to cert8.db by exporting them with the old software and importing
them with the new software.
It sounds like this is what happened to you. Do you agree?
I'm leaving this unprioritized until we know the answer to that question.
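
Added example, not part of the original bug thread and not NSS or Mozilla code: a Python heuristic for the situation comment 1 describes, flagging a profile directory where cert7.db was written after cert8.db. The function names, state labels and sample modification times are assumptions made for this illustration.

```python
import os
import tempfile

def classify_profile(profile_dir):
    """Heuristic state of the cert7.db/cert8.db pair in one profile directory."""
    old = os.path.join(profile_dir, "cert7.db")
    new = os.path.join(profile_dir, "cert8.db")
    has_old, has_new = os.path.isfile(old), os.path.isfile(new)
    if not has_old and not has_new:
        return "no-cert-db"
    if not has_new:
        # A cert8.db build creates cert8.db from cert7.db on its first run.
        return "will-migrate"
    if not has_old:
        return "cert8-only"
    # Both exist: the newer build reads only cert8.db, so a cert7.db written
    # later may hold certificates that must be exported and re-imported.
    if os.path.getmtime(old) > os.path.getmtime(new):
        return "stale-cert8"
    return "no-drift-seen"  # mtimes alone cannot prove the contents match

def scan(root):
    """Classify every directory under root that holds a cert database."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "cert7.db" in files or "cert8.db" in files:
            results[os.path.relpath(dirpath, root)] = classify_profile(dirpath)
    return results

def demo():
    """Build constructed profiles (empty placeholder files) and scan them."""
    layout = {  # profile name -> {file: mtime}; every value is constructed
        "fresh": {"cert7.db": 1000},
        "stale": {"cert7.db": 3000, "cert8.db": 2000},
        "ok": {"cert7.db": 1000, "cert8.db": 2000},
    }
    with tempfile.TemporaryDirectory() as root:
        for name, files in layout.items():
            os.makedirs(os.path.join(root, name))
            for fname, mtime in files.items():
                path = os.path.join(root, name, fname)
                open(path, "wb").close()
                os.utime(path, (mtime, mtime))
        return scan(root)

if __name__ == "__main__":
    for profile, state in sorted(demo().items()):
        print(f"{profile}: {state}")
```

A "stale-cert8" result is only a prompt to compare the certificate lists in the old and new builds, since an older build can rewrite cert7.db without adding anything.
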
Comment 2•22 years ago (Reporter)
The above is indeed the case, but I wish Mozilla would have better reporting
about the reason for a failed connection, since it took me a lot of time to figure
out that the connection failed due to a missing certificate...
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID