3/19 Is there a way to get Mozilla under Windows to use mystore to manage
certificates rather than its own internal cert manager? I have a
DER-encoded client cert that's usable by IE, but I'd like to see
it used by Mozilla (which requires PKCS#12 certs for its own store,
rather than DER or p7b.) -John
\_ It is possible to convert between DER and PKCS#12 (I believe that
OpenSSL will do it if you know the correct incantation). email me
if you go this route and have trouble, it's been a while since I
did it last, but I should be able to figure it out again. -dans
\_ I may do this when I get a chance--the problem is that PKCS#7
just contains certs, and #12 can contain certs along with
private keys. You can tag a private key in a PKCS#12 container
to be non-exportable, in which case, good luck under Windows.
There's no way to get Mozilla to use the (otherwise very nice)
MS CAPI directly? -John
\_ Right, the PKCS#12 format containing private keys sounds like
the rub I remember. If memory serves part of the problem was
that the keys *could* be encrypted using a password as a
symmetric key, but that was not necessarily the case. I have no
experience with the MS CAPI so I can't speak to its
capabilities. I think when I did the conversion, I only
needed the public certificates and managed to get OpenSSL to
slam a (public) cert into PKCS#12 format with an empty or
garbage private key that was never used. I'm a little slammed
workwise at present, but if I find a spare moment later this
week I'll poke at OpenSSL and get back to you. -dans
\_ That's a very cool trick, I hadn't thought of that. I
will also have a go at it when I have a moment--don't
stress. Apparently something called 'safesign CSP' lets
Mozilla use CAPI but I haven't tried it yet. -John
\_ Cool, let me know how it works out. -dans
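
Added example, not part of the thread and not either poster's commands: one way to do the DER to PKCS#12 conversion discussed above with the openssl CLI. It uses `-nokeys` to build a certs-only container instead of the empty or garbage private key dans mentions; function names, the subject name and the password are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.

# Wrap a DER-encoded certificate in a certs-only PKCS#12 file.
# The password is handed over via the environment, not argv.
der_cert_to_p12() {  # usage: der_cert_to_p12 in.der out.p12 password
    pem_tmp=$(mktemp) || return 1
    if openssl x509 -inform DER -in "$1" -outform PEM -out "$pem_tmp" &&
       P12_PASS=$3 openssl pkcs12 -export -nokeys -in "$pem_tmp" \
           -out "$2" -passout env:P12_PASS
    then rc=0; else rc=1; fi
    rm -f "$pem_tmp"
    return $rc
}

# Succeeds only if the PKCS#12 file carries a private key.
p12_has_private_key() {  # usage: p12_has_private_key file.p12 password
    P12_PASS=$2 openssl pkcs12 -in "$1" -nocerts -nodes \
        -passin env:P12_PASS 2>/dev/null | grep -q 'PRIVATE KEY'
}

# SHA-256 fingerprint of the first certificate in the PKCS#12 file.
p12_cert_fingerprint() {  # usage: p12_cert_fingerprint file.p12 password
    P12_PASS=$2 openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Constructed demo: throwaway self-signed cert -> DER -> certs-only PKCS#12.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=constructed-test' \
        -days 1 -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/cert.pem" -outform DER -out "$d/cert.der" || return 1
    der_cert_to_p12 "$d/cert.der" "$d/cert.p12" 'constructed-pass' || return 1
    # The certificate that went in must be the one that comes back out.
    want=$(openssl x509 -inform DER -in "$d/cert.der" -noout -fingerprint -sha256)
    got=$(p12_cert_fingerprint "$d/cert.p12" 'constructed-pass')
    [ "$want" = "$got" ] || return 1
    # A DER certificate has no private key, so the container must not either.
    if p12_has_private_key "$d/cert.p12" 'constructed-pass'; then return 1; fi
    rm -rf "$d"
}
```

The resulting file holds the certificate only; using it for client authentication still requires the matching private key, which is the obstacle John raises for non-exportable keys.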