Firefox doesn't seem to recognize my personal certificates, which are used for site authentication. The certificates have the Extended Key Usage attribute TLS Web Client Authentication (1.3.6.1.5.5.7.3.2). This certificate property is detected in IE8, and the certificate can be used there. The certificate is stored on an Aladdin eToken.
This applies to both Firefox and Thunderbird, thus moving to NSS.
The only certificates shown in the "personal" tab are those for which FF and/or TB have access to the corresponding private key. I'll bet you've never put the private key into FF's key DB. Right?
> I'll bet you've never put the private key into FF's key DB. Right?

How am I going to do that? And doesn't that defeat the purpose of having the private key stored on a hardware token?
I overlooked your mention of the Aladdin eToken. Sorry. Is FF configured to know about the PKCS#11 software module for your Aladdin eToken? See https://developer.mozilla.org/en/PKCS11_Module_Installation#Using_the_Firefox_Preferences_Dialog_to_Install_PKCS11_Modules
Created attachment 433588: device manager screenshot

Yeah, I've installed the needed drivers. Have a look at the screenshot. I have a Thawte personal certificate which works just fine, for example, and shows up in the "Personal" tab. But the ones from the other site don't show up in Personal; as I said earlier, they show only in the other tab. Any thoughts on that?
FF will only show a cert in the tab of "your personal" certificates if/when it can find the corresponding private key in some PKCS#11 module. Possible reasons FF may not be able to find that key, even if it is in an available token, can include:

- You may not be logged in to the token, and the key in question may be configured to be invisible unless you are logged in. That is, it may be configured such that the token will not reveal its presence when you are not logged in to the token.

- The key and the certificate each have an identifying number, the CKA_ID, by which the application (FF) can reference them. The key and the cert should have the SAME CKA_ID number, to make it obvious that they correspond. FF creates its keys and certs that way, as do most apps. But it's possible that whatever app created these objects on the token did not give them the same CKA_IDs, in which case FF may not be able to determine that the key corresponds to the cert.

If the objects on the token have been installed in a way that doesn't enable FF to tell that they correspond, there isn't much FF can do.

I suggest you try forcefully logging into your token, using that same device manager panel, and then bring up the cert manager panel (don't have the panel already up somewhere; open it after logging in) and see if the cert is shown in the personal certs tab.

If that doesn't work, then the next step would be to run a program that enumerates all the certs and keys and shows their CKA_IDs, to see if the token shows that it has a key corresponding to the cert.
(In reply to comment #6)
> I suggest you try forcefully logging into your token, using that same device
> manager panel, and then bring up the cert manager panel (don't have the
> panel already up somewhere, open it after logging in) and see if the cert is
> shown in the personal certs tab.
>
> If that doesn't work, then the next step would be to run a program that
> enumerates all the certs and keys and shows their CKA_IDs, to see if the
> token shows that it has a key corresponding to the cert.

You mean Tools->Options->Advanced->Encryption->View Certificates? After pressing this button it asks for my password, but I can cancel and it still shows my Thawte cert, for example, in the "Personal" tab. But I will try that for the non-working certificate (it's on a different token right now). How can I enumerate certs and keys to show their CKA_IDs?
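The check Nelson describes in comment 6, and that the reporter asks how to perform above, can be scripted: enumerate every certificate and private-key object on the token, before and after logging in, and group them by CKA_ID. The script below is an added example for this thread, not code from the bug report, from NSS or from Aladdin. It assumes the PyKCS11 Python binding for talking to the token and a module path for the eToken PKCS#11 library; both are assumptions, as is the constructed sample data, which stands in for what a logged-in enumeration could return. The pairing logic itself is pure Python and runs without a token.

```python
"""Enumerate certs and private keys on a PKCS#11 token and check CKA_ID pairing.

Added example for this thread; not code from the bug report, NSS or Aladdin.
Assumptions: the PyKCS11 binding is used to talk to the token, and MODULE_PATH
points at the eToken PKCS#11 library.  The pairing logic is pure Python, so it
also runs on the constructed SAMPLE_OBJECTS below without any hardware.
"""
from collections import defaultdict

# PKCS#11 object classes (CKO_*) as plain ints, so the pairing logic works
# without importing PyKCS11.
CKO_CERTIFICATE = 1
CKO_PRIVATE_KEY = 3

# Assumed location of the eToken PKCS#11 module; adjust for your install.
MODULE_PATH = "/usr/lib/libeTPkcs11.so"


def pair_by_cka_id(objects):
    """Group certificate and private-key objects by CKA_ID.

    objects: iterable of {"class": int, "id": bytes, "label": str}.
    Returns {cka_id_hex: {"certs": [...], "keys": [...], "status": str}},
    where status is "ok" (NSS can pair cert and key), "cert-without-key"
    (the cert will not appear under personal certs) or "key-without-cert".
    """
    groups = defaultdict(lambda: {"certs": [], "keys": []})
    for obj in objects:
        if obj["class"] == CKO_CERTIFICATE:
            groups[obj["id"].hex()]["certs"].append(obj["label"])
        elif obj["class"] == CKO_PRIVATE_KEY:
            groups[obj["id"].hex()]["keys"].append(obj["label"])
    for grp in groups.values():
        if grp["certs"] and grp["keys"]:
            grp["status"] = "ok"
        elif grp["certs"]:
            grp["status"] = "cert-without-key"
        else:
            grp["status"] = "key-without-cert"
    return dict(groups)


def read_token_objects(module_path=MODULE_PATH, pin=None, slot_index=0):
    """Read CKA_CLASS/CKA_ID/CKA_LABEL of all certs and private keys.

    Enumerates once before and, if a PIN is given, once more after C_Login:
    a key stored with CKA_PRIVATE=TRUE is invisible until the session is
    logged in, which is the first reason listed in comment 6.
    Returns (objects_before_login, objects_after_login).
    """
    import PyKCS11  # pip install pykcs11 (assumed binding)

    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    try:
        before = _read_objects(session, PyKCS11)
        after = before
        if pin is not None:
            session.login(pin)
            after = _read_objects(session, PyKCS11)
            session.logout()
        return before, after
    finally:
        session.closeSession()


def _read_objects(session, PyKCS11):
    """Collect class/CKA_ID/CKA_LABEL for every cert and private key visible."""
    found = []
    for cls in (PyKCS11.CKO_CERTIFICATE, PyKCS11.CKO_PRIVATE_KEY):
        for handle in session.findObjects([(PyKCS11.CKA_CLASS, cls)]):
            cka_id, label = session.getAttributeValue(
                handle, [PyKCS11.CKA_ID, PyKCS11.CKA_LABEL])
            found.append({"class": int(cls),
                          "id": bytes(cka_id or []),
                          "label": label or ""})
    return found


# Constructed sample (not real token contents): the Thawte cert and its key
# share CKA_ID 01; the site cert has CKA_ID 02 but its key was written under
# 03, so NSS has no way to tell that the two belong together.
SAMPLE_OBJECTS = [
    {"class": CKO_CERTIFICATE, "id": b"\x01", "label": "Thawte personal"},
    {"class": CKO_PRIVATE_KEY, "id": b"\x01", "label": "Thawte personal"},
    {"class": CKO_CERTIFICATE, "id": b"\x02", "label": "Site auth cert"},
    {"class": CKO_PRIVATE_KEY, "id": b"\x03", "label": "Site auth key"},
]


def report(objects):
    """One human-readable line per CKA_ID group, sorted by CKA_ID."""
    lines = []
    for cka_id, grp in sorted(pair_by_cka_id(objects).items()):
        lines.append("CKA_ID %s: certs=%s keys=%s -> %s"
                     % (cka_id, grp["certs"], grp["keys"], grp["status"]))
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python script.py <module.so> [PIN]
        pin = sys.argv[2] if len(sys.argv) > 2 else None
        before, after = read_token_objects(sys.argv[1], pin)
        print("before login:\n" + "\n".join(report(before)))
        print("after login:\n" + "\n".join(report(after)))
    else:
        print("\n".join(report(SAMPLE_OBJECTS)))
```

Run it with the module path and PIN against the real token and compare the "before login" and "after login" listings: a key that only appears after login points at the first cause in comment 6 (the object is private), while a cert whose CKA_ID has no key in either listing points at the second (the tool that wrote the key gave it a different CKA_ID).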
> You mean Tools->Options->Advanced->Encryption->View Certificates?

I think you're asking if that's what I meant by "forcefully logging into your token, using that same device manager panel". No, I'm referring to the same panel you showed in the screenshot you attached. In that screenshot, you will notice buttons labeled "log in" and "log out". If you select the slot with your eToken on the left, then those buttons will be enabled (they will not be gray). You can click "log in" to log in.

Remember, each cert may have a separate configuration in the token. One cert may be configured to show up at all times, even when the token is not logged in. Another cert (or key) may be configured to only appear when logged in.
Nelson, usually I'm already logged in, because Firefox keeps spamming me about my token password on almost every page I open. But I'll double check, though I really doubt this is the case.
Your token may be one of those that logs out immediately after each time you use it, to force you to log in again before the next time you use it, or it may have a login timeout that is extremely short.
Sorry, I haven't been clear enough. What I mean is that FF keeps asking me for the password on every page, and I keep pressing cancel; but once I enter the password, it stops popping up the password prompt for all pages and stays logged in.
Created attachment 433890: Screenshot - Certificate Manager

As you can see, even though I'm logged in, it still shows in the other tab.
Created attachment 433981: certificate viewer

Maybe my problem is because of the Cyrillic name of the certificate? Notice that the title bar has the wrong encoding.
No, the problem with the name in the title bar is a known issue with the UI code, but it is not relevant to NSS's ability to match cert and key in the module.
So, what will my next step be: enumerate certs and keys to show their CKA_IDs?
Yes, I'm looking for the right tool to do that now.
Nelson, I tried generating a private/public key pair in a file and importing it into FF; it works and loads perfectly fine. Looks like the issue only occurs when the private key is stored on the hardware token. I still don't understand why IE8 works :(
Looks like I've found the root of my problem. The program which writes the generated private key to the token is outdated and was written for an old version of the driver, so to make it work I had to use a new version of the program (with the new driver), and the certificate appears in the "Personal" tab. I'll double check, and if this is true, close this bug as invalid.
Aladdin eToken 3.65 drivers work with the old version of the program; newer drivers require the new version of the program to correctly create the private key so that FF recognizes it.
Nikokay, Thank you for telling us the solution you found to your problem. Perhaps it will help other users also.