Closed Bug 537657 Opened 15 years ago Closed 9 years ago

If more than 2 certificates from same CA are installed only the first 2 ones can be selected in Accounts Seetings -> Security

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 278689

People

(Reporter: u368318, Unassigned)

Details

(Whiteboard: [psm-cert-manager])

Attachments

(4 files, 1 obsolete file)

image of cert manager from Richard
63.69 KB, image/jpeg
Details
image of cert selection from Richard
55.00 KB, image/jpeg
Details
zip file of all of Richard's certs, plus the Trustcenter cert chain
16.02 KB, application/zip
Details
Screenshots of certs in new profile
666.53 KB, application/pdf
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091204 Thunderbird/3.0

I have installed three "TC TrustCenter Class 1 L1 CA IX" S/MIME certificates for three different email addresses. 
Under Tools->Options->Advanced->Certificates all 3 all installed correctly. All are visible and can ve viewed as expected.
But under "Account Settings"->"Security" only the two first installed certificates from a CA are selectable for Digital Signing and Encryption.
More Details:
- I have more S/MIME certificate installed than these 3. For example 2 Verisign Certificate. Both are selectable in addition to the 3 Trustcenter Certificates.
- The 3 corresponding emails are installed in the sort order: .eu, .net, ,tel -> .tel certificate is not selectable.
-.eu and .net are one account; .tel is the second account.


Reproducible: Always

Steps to Reproduce:
1. Install 3 certificates from same CA type
2. Try to select the third certificate in Account settings-> Security
3.
Actual Results:  
Only the first 2 certificate of one CA type is selectable under account settings-> security

Expected Results:  
All installed certificate should be selectable under account settings-> security

Currently I only have Thunderbird 3.0 from portable apps installed
Version: unspecified → 3.0
Are the ones not selectable related to non primary identities ?
Component: Account Manager → Security
QA Contact: account-manager → thunderbird
(In reply to comment #1)
> Are the ones not selectable related to non primary identities ?

No, it seems to be a kind of sort order problem. My 3 email addresses are
name@sld.eu -> default account=1. primary identity
name@sld.net -> additional email for name@sld.eu account
name@sld.tel -> second account=2. primary identity

In this configuration name@sld.tel is not visible under account
settings-> security

If I remove name@sld.net in certificate manager name@sld.tel becomes selectable.
Sorry
right order it certificate manager
name@sld.net -> additional email for name@sld.eu account
name@sld.eu -> default account=1. primary identity
name@sld.tel -> second account=2. primary identity

Rest was ok:
In this configuration name@sld.tel is not visible under account
settings-> security
If I remove name@sld.net in certificate manager name@sld.tel becomes
selectable.
Did another test. Create new certificate, also from  free TrustCenter -> Internet ID for privat use
http://www.trustcenter.de/products/tc_internet_id.htm

The new one is listed first in certificate manager:
aname@sld.net -> second account=2. primary identity
name@sld.net -> additional email for name@sld.eu account
name@sld.eu -> default account=1. primary identity
name@sld.tel -> second account=2. primary identity

In this configuration also only two certicates are shown under account
settings-> security: aname@sld.net and name@sld.eu
Is this in Thunderbird code or PSM code?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2pre) Gecko/20100115 Lanikai/3.1a1pre

I just tried to replicate this problem and cannot.  I have three certs from the same issuer and they (and several others) show up for signing in the UI.

Can you upload the certs in question? I wonder if one of them is not really usable for signing.  Also, if you could upload any screenshots that might help as well.
I get the same behavior with new 3.0.1 (regular, non portable) in a fresh installation (no extensions, etc.)

I am new to bugzilla. How can I upload files? For now on my site
http://www.graessler.eu/bugzilla/CertificateManager.jpg
http://www.graessler.eu/bugzilla/SelectionSecuritySettings.jpg

How can I upload certs. I was told to get them secrete?
Probably something is wrong with the certificates
I created 5 new Class 1 certificate from https://www.startssl.com/ and all 5 are visible in Selection. Everything works fine.
(In reply to comment #7)
> How can I upload certs. I was told to get them secrete?
There are two things to consider: Certificates, and private keys.  Certificates are not secret and you can safely give them to people. In fact, when you digitally sign an email, TB sends a copy of your certificate to the other person. 

The private key is, of course, something you want to keep secret. 

When you view a certificate (for example, Prefs/Advanced/Encryption/View Certificates/Your Certificates) Go to the Details tab, and notice the Export button. You can export the certificate and chain to a format called PEM. That will only export the certificate and not the private key. If you wanted to you could upload such a PEM file.

There is another format called PKCS#12 that allows you to export a certificate and its associated private key.  You do *not* want to upload that kind of file (in general, though there could be some exceptions). 


(In reply to comment #8)
> Probably something is wrong with the certificates
> I created 5 new Class 1 certificate from https://www.startssl.com/ and all 5
> are visible in Selection. Everything works fine.

My guess is that the one certificate that did not show up as being available for signing is not an S/MIME cert.  I'm going to mark this bug as resolved for the moment, but if the problem persists in other areas please reopen it and we can dig in a little more.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
@Bob: Thank you for your help. If you still like to check the certs here are the 4 pem files from my Certs. I will the StartCom Certs in the future.

-----BEGIN CERTIFICATE-----
MIIFOzCCBCOgAwIBAgIOcBIAAQACXUK1UJBdFwkwDQYJKoZIhvcNAQEFBQAwfDEL
MAkGA1UEBhMCREUxHDAaBgNVBAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxJTAjBgNV
BAsTHFRDIFRydXN0Q2VudGVyIENsYXNzIDEgTDEgQ0ExKDAmBgNVBAMTH1RDIFRy
dXN0Q2VudGVyIENsYXNzIDEgTDEgQ0EgSVgwHhcNMTAwMTA3MTk1NzA4WhcNMTEw
MTA4MTk1NzA4WjApMQswCQYDVQQGEwJERTEaMBgGA1UEAxMRUmljaGFyZCBHcmFl
c3NsZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHx1CpSOYpPSe1
+H5mg6NSaiekRP4vtz/08zpzNRz/9WOVMLLS/aNGRQLlfgRQqGHRFiMB604wd1+C
g49Da+E+FfBGJXSlbbsnlLQtf1xy/uP7UunkGqUnfGZ14qx4cfoVqCe7/um/pZf5
s6Eamt/qwHnBHIeIpQnmTXclJ+V1a1ii02aJEmOKKhK3vtNbQXESG0vLvzDnYFrw
ZGRpN7gfJQ0T47pstOzpsj8/Lt25UQ7a85hnHHxbeMh9YdiXAVndKrwuWhC5Zqvh
MK9kLPsxqv4Da6OqFRWBRoWdh67f9Gr8SL5IbmYBTjGv3vfrnthFN1Bs5XjH0VjQ
QXmS4Z3rAgMBAAGjggIMMIICCDCBpQYIKwYBBQUHAQEEgZgwgZUwUQYIKwYBBQUH
MAKGRWh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvY2VydHNlcnZpY2VzL2NhY2Vy
dHMvdGNfY2xhc3MxX0wxX0NBX0lYLmNydDBABggrBgEFBQcwAYY0aHR0cDovL29j
c3AuaXgudGNjbGFzczEudGN1bml2ZXJzYWwtaS50cnVzdGNlbnRlci5kZTAfBgNV
HSMEGDAWgBTpuCgdRs/8zfhOm8XuS2Dr2Ds/0TAMBgNVHRMBAf8EAjAAMEoGA1Ud
IARDMEEwPwYJKoIUACwBAQEBMDIwMAYIKwYBBQUHAgEWJGh0dHA6Ly93d3cudHJ1
c3RjZW50ZXIuZGUvZ3VpZGVsaW5lczAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0OBBYE
FBrim89WlPe/S1AbtQjgJwkZ9TufMGIGA1UdHwRbMFkwV6BVoFOGUWh0dHA6Ly9j
cmwuaXgudGNjbGFzczEudGN1bml2ZXJzYWwtaS50cnVzdGNlbnRlci5kZS9jcmwv
djIvdGNfQ2xhc3MxX0wxX0NBX0lYLmNybDAzBgNVHSUELDAqBggrBgEFBQcDAgYI
KwYBBQUHAwQGCCsGAQUFBwMHBgorBgEEAYI3FAICMBsGA1UdEQQUMBKBEG5pY0Bn
cmFlc3NsZXIuZXUwDQYJKoZIhvcNAQEFBQADggEBAGhpb1eFOdbDsCjDYSsZY+95
Gu6lRdATKH7a38MNjiPF+JDVNc4jHd9Fvr9hGJ6FruyuQhkVtN4asEpBe3BDtR+E
rGATGj4+m2jTZ15X1eJCK1M5fRGWYJR5Rt6JU5UKojkIHCTujwTl/gIVV9NyjMLk
hDvVG+YYK1LEqX4GUgW7aGJo6Og00gRs71mFwITUPub03lEjVQKcmKysj0c1lcoz
q4kn267iCUskl/0Zpht4en9voe4uszjnzlk43ERmF8hnF7Utm3Xs0lDO3bTp4b3Q
k5ie5nU4oh0X5QSKfUrrUMtigJ/NHL2nSH5lq7mehSmIiHRFolJNOSXcJo3tY98=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFQTCCBCmgAwIBAgIPAI88AAEAAlRvT+gxNRnBMA0GCSqGSIb3DQEBBQUAMHwx
CzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYD
VQQLExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBU
cnVzdENlbnRlciBDbGFzcyAxIEwxIENBIElYMB4XDTEwMDEwMzE3MjY1N1oXDTEx
MDEwNDE3MjY1N1owKTELMAkGA1UEBhMCREUxGjAYBgNVBAMTEVJpY2hhcmQgR3Jh
ZXNzbGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvpRQxGosacca
OduBkNeyM+UIt2CXkXCjzgGL+EfePbS4gN47Za5Nel4bI35reEgnDwA0pjz4cPd5
O9cYJps/U3gRx0M59QxQwxlBE80QBiRKwcjBjvBDHsSN/kO+WG93eXRQJKkMWxEg
oa9DcmKuKfLxQmUUWBw9VdJgUWa1l3/zNJSe25RWKvGhazFoQQkfVFEgKx7ALfN1
MfD73dqbR2JgyNX7wb3mpGzFtEnEYgKpMtT+FQpVHdXis3apYK00uP93i1//DMEV
5Hl/2fq5ljzFNREl4TMWL7eWtalFqzD/t5CSUz/LuSw49mDRFtKZwja1twKisVqh
8FVtWUUAXQIDAQABo4ICETCCAg0wgaUGCCsGAQUFBwEBBIGYMIGVMFEGCCsGAQUF
BzAChkVodHRwOi8vd3d3LnRydXN0Y2VudGVyLmRlL2NlcnRzZXJ2aWNlcy9jYWNl
cnRzL3RjX2NsYXNzMV9MMV9DQV9JWC5jcnQwQAYIKwYBBQUHMAGGNGh0dHA6Ly9v
Y3NwLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUwHwYD
VR0jBBgwFoAU6bgoHUbP/M34TpvF7ktg69g7P9EwDAYDVR0TAQH/BAIwADBKBgNV
HSAEQzBBMD8GCSqCFAAsAQEBATAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3LnRy
dXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQW
BBR/1SIaoC0KVIc5XyefFatk7EQxNzBiBgNVHR8EWzBZMFegVaBThlFodHRwOi8v
Y3JsLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUvY3Js
L3YyL3RjX0NsYXNzMV9MMV9DQV9JWC5jcmwwMwYDVR0lBCwwKgYIKwYBBQUHAwIG
CCsGAQUFBwMEBggrBgEFBQcDBwYKKwYBBAGCNxQCAjAgBgNVHREEGTAXgRVyaWNo
YXJkQGdyYWVzc2xlci5uZXQwDQYJKoZIhvcNAQEFBQADggEBAIz11yiw0kXYbvFy
FotFd4KzHBddWTXDTEIUmw6btr7CxGMcmvzJPjmZlZ3gB19tHBsTUWhvyZftlGqf
OZuTyTDpHecKNonLidKPbEYG0BDfDV1nmsjWOKmmbWLj+jAjVxA065lJK9VJeC8T
M8r+hJswP6C2C9txGJf19YJlVAH0+Y6J3vr/9rXaAuiTtZD3kV3id2ASTCRuQU+Z
Y+rHlZ1JL9vkOWTEFpbT1L5GApn5VMgsPHGoYFuFnM/FTMCX46zDNA3NcS3oqbD7
r0DV/3gmaWC8rjGiX1lu5EX37AK48sebnttFs4yQRCeEbDufG0jSRLzqkO5V0osr
rx0InrM=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFQTCCBCmgAwIBAgIPAJwVAAEAAhJlkkNDxj30MA0GCSqGSIb3DQEBBQUAMHwx
CzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYD
VQQLExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBU
cnVzdENlbnRlciBDbGFzcyAxIEwxIENBIElYMB4XDTEwMDEwMzE3MTAxMloXDTEx
MDEwNDE3MTAxMlowKTELMAkGA1UEBhMCREUxGjAYBgNVBAMTEVJpY2hhcmQgR3Jh
ZXNzbGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnl3dSzplTrFQ
zJt1fJBPI6BVoQnNRELvENbETIdzThRFb2jCZGMmdDrKgscoGHa+T+aXYk3fEryJ
sZNiEhoBDV5fji9zeW2D+YqnFAEtlLlSuUbsw3ojWv12pKap4z45QbsrzEAZ50Ka
S+Zxqu/32S3eWAyfx4zsRMYMOyczcSPFqdTLTh4PKy0+8qiTVbOb7H6txpE29CNH
esvgTX9YeXxHBK9ak5lwGnpJdCR3pg8sgIZ5c7ZkF8bmbPXEHRXhEEj/u4E8bxba
HCfY0gpcqJRjkY3J71uS+M/L/YcdNWj2zFlpxRwwOol4trFfHXqC1a9clR3Nv3bY
hj+RWI060wIDAQABo4ICETCCAg0wgaUGCCsGAQUFBwEBBIGYMIGVMFEGCCsGAQUF
BzAChkVodHRwOi8vd3d3LnRydXN0Y2VudGVyLmRlL2NlcnRzZXJ2aWNlcy9jYWNl
cnRzL3RjX2NsYXNzMV9MMV9DQV9JWC5jcnQwQAYIKwYBBQUHMAGGNGh0dHA6Ly9v
Y3NwLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUwHwYD
VR0jBBgwFoAU6bgoHUbP/M34TpvF7ktg69g7P9EwDAYDVR0TAQH/BAIwADBKBgNV
HSAEQzBBMD8GCSqCFAAsAQEBATAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3LnRy
dXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQW
BBTgh40vOo1JwqV45iT2jtZXwoRQzDBiBgNVHR8EWzBZMFegVaBThlFodHRwOi8v
Y3JsLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUvY3Js
L3YyL3RjX0NsYXNzMV9MMV9DQV9JWC5jcmwwMwYDVR0lBCwwKgYIKwYBBQUHAwIG
CCsGAQUFBwMEBggrBgEFBQcDBwYKKwYBBAGCNxQCAjAgBgNVHREEGTAXgRVyaWNo
YXJkQGdyYWVzc2xlci50ZWwwDQYJKoZIhvcNAQEFBQADggEBAIL5x7nyEVgWrjow
urx9EmCRDJbv0J1m3BSeOi1yQ0gVVQKb4+3yUWk9RwOTDOedsqlsOffBpmy8adUL
sAK95dEdPIfWbGEtKbq66Dlj9cTUUDkJeStNl4A+T26sFDnGsbgppGiakjdUWjah
0NVYWNIQWuOqpcOQ8jGKaW7q4K0yyCtNw321Rasrk9VhJAz9MkKIiPBkXGuiOc1q
nRyNXr41FF9+zhDAWM035FNM8658a85/DaAPboLLt5AcF5aBOEcC0PdSlqw/OC+b
BHOvZNUid3xYj7u3bUtaoW/z87wfrX4hsXQHH0XP/hxY8CfLvvIOelof6vCA5qbt
k9snNSQ=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFQDCCBCigAwIBAgIPAPjCAAEAAkEWtgT5fjelMA0GCSqGSIb3DQEBBQUAMHwx
CzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYD
VQQLExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBU
cnVzdENlbnRlciBDbGFzcyAxIEwxIENBIElYMB4XDTEwMDEwMzE3MjAxNVoXDTEx
MDEwNDE3MjAxNVowKTELMAkGA1UEBhMCREUxGjAYBgNVBAMMEVJpY2hhcmQgR3LD
pMOfbGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkXnYYMnnOKH
//+koDFpFlzjarIe2dLaVWkNqTM3gAf9TWnPvNLrcW3keoe8ymYT/ficrBK5m0Ct
3exGcFUbc9ZeK+UduPp0BjJU+IDcyue45c2yOzsRKK0g4xm7wZ9TLkpPjqcMrVkp
YNH4Ur1Xg8fewf50eYoHWGJDEetE3Zv7X34Mm8bcPzdjAhOFUlUXQP1xFQ4b2iqF
g2m2W162mGslcTU7vg9nbJtCrCwazAHFJuQ12Zox+W90fuvlUCURgxQlGAJa526w
zktGOJSqdcGOjgsr+JtiLmeCoSu7L86AS1sDLJ+KjOE79UcxTvg3bcFnNuDJpunj
NRvo5Qdq6wIDAQABo4ICEDCCAgwwgaUGCCsGAQUFBwEBBIGYMIGVMFEGCCsGAQUF
BzAChkVodHRwOi8vd3d3LnRydXN0Y2VudGVyLmRlL2NlcnRzZXJ2aWNlcy9jYWNl
cnRzL3RjX2NsYXNzMV9MMV9DQV9JWC5jcnQwQAYIKwYBBQUHMAGGNGh0dHA6Ly9v
Y3NwLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUwHwYD
VR0jBBgwFoAU6bgoHUbP/M34TpvF7ktg69g7P9EwDAYDVR0TAQH/BAIwADBKBgNV
HSAEQzBBMD8GCSqCFAAsAQEBATAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3LnRy
dXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQW
BBR8eCEhRIEM14s3MlTr3IoRrgH7BjBiBgNVHR8EWzBZMFegVaBThlFodHRwOi8v
Y3JsLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUvY3Js
L3YyL3RjX0NsYXNzMV9MMV9DQV9JWC5jcmwwMwYDVR0lBCwwKgYIKwYBBQUHAwIG
CCsGAQUFBwMEBggrBgEFBQcDBwYKKwYBBAGCNxQCAjAfBgNVHREEGDAWgRRyaWNo
YXJkQGdyYWVzc2xlci5ldTANBgkqhkiG9w0BAQUFAAOCAQEAnQvgFXnLbfxgiqFu
xCPSpj1ccPD4g/iVAcs39I8sYBk5szi9ZgA31S6dsGGMi6hd11gZkljYbqla3jSm
gz8332y4OOV5/7qlrhNzD+NWXLtRkBO9jmVue56tfF34SMCwi3CuBpN2VO3Tl5bS
zfNbCLt3w9AYXnAQuxG2/Xuj3xCc8yMCB78h1vQRai9ljUQlYdDzE7E84R+SMWga
4Ol45qSzI1/Y6fXMUBZFQQHeJzaajf3FBAuhBDh/GIhrW8XQ7TIidNhI6AJ6zToK
/anDF11SnHILu9S21NZ75bfXWHhS2x6iflLoED6NgXr/qALwWZhTb5+YADxQnijH
zKWESw==
-----END CERTIFICATE-----
Attached file Trustcenter cert chain (obsolete) — 

    
    

    
  
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2pre) Gecko/20100122 Lanikai/3.1b1pre

I don't see anything wrong with these certs. REOPENING.

I loaded Richard's certs into my TB client and was able to encrypt an email to all 4 email addresses in his certs. 

Richard: do you know how to create a new TB profile?  I'm wondering if it's possible to recreate your problem on a clean profile.  If things work on the new profile, then there is something about your existing profile that is introducing the problem.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

    
    

    
  
I got all the 4 emails and they decrypted fine.

Bob: See my comment on 2010-01-22 01:58:47: That was a complete new installation of Thunderbird 3.0.1 en-us. I add 2 accounts richard@g...eu and richard@g...tel plus richard@g...net as second identity for the first one. Add the 3 TrustCenter Certs and the 3 StartSSL Certs. The result was: All 3 StartSSL certs are vissible under security but only 2 of TrustCenter (.eu and .net).

    
  

        Attachment #423250 -
        Attachment is obsolete: true

    
    

    
  
I confess I don't know much about identities in TB, but I do see some references like these that make me think this may be an older issue:
http://kb.mozillazine.org/Mozilla_Suite_:_FAQs_:_Mail_Aliases#S.2FMIME_and_Enigmail
https://addons.mozilla.org/en-US/thunderbird/addon/8814

Richard, are you using the same identities in each of your tests?  In other words, was your setup exactly the same for the TrustCenter and the StartSSL certs regarding identities? 

I'm trying to figure out exactly how I can reproduce this issue.

    
    

    
  
(In reply to comment #0)
> But under "Account Settings"->"Security" only the two first installed
> certificates from a CA are selectable for Digital Signing and Encryption.

This is "by design", actually. nsCertPicker is called with allowDuplicateNicknames set to false:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mail/extensions/smime/content/am-smime.js&mark=&mark=290,293#288

[hg.mozilla.org doesn't support line marking, so I'm linking to an older version from CVS - but the code is still the same.]

The certificates with the .net and .tel e-mail addresses have exactly the same subject DN, and consequently NSS uses the same nickname for them. The cert for the .eu address has a different CN (uses "äß" instead of "aess"), so it gets a different nickname.

Note that even if Tb would show more than one cert per nickname in that dialog (i.e., if allowDuplicateNicknames is changed to true), you will then most likely run into bug 278689.

    
    

    
  


  

    
    

    
  
Bob: yes I used the same. see attachment with screenshots.

Kasper: But the 3 StartSSL has all the same CN because until now I have not started the WoT process to get my name in!

    
    

    
  
(In reply to comment #20)
> But the 3 StartSSL has all the same CN because until now I have not
> started the WoT process to get my name in!

It's the complete subject DN which is relevant here, not simple the CN attribute. Startcom most likely puts the (deprecated) PKCS#9 emailAddress attribute into the subject DN, which makes all those 3 subject DNs differ from each other. Trustcenter only puts them into the subjectAltName extension (as recommended by RFC 3850, section 3).

(In reply to comment #18)
> you will then most likely run into bug 278689.

I should actually have written: this bug can be duped against 278689. It's the same issue, really.

    
  
Whiteboard: [psm-cert-manager]

    
    

    
  
Resolving as duplicate based on Comment 21.
Status: REOPENED → RESOLVED
Closed: 15 years ago9 years ago
Resolution: --- → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: