pkcs11 certificate only accessible when open certmanager

  • 2 replies
  • 2 have this problem
  • 13 views
  • Last reply by tbaehler

I've added a PKCS#11 library and am trying to access an HTTPS site with client authentication.

If I open Firefox and directly open the HTTPS site, I have to enter the PIN for my smartcard. But I cannot choose a certificate and the authentication fails.

If I open Firefox and first go to "view certificates" in the settings section, I can see my personal certificate after entering the PIN for my smartcard. If I then open the HTTPS site, I can choose my certificate and the authentication works.

All Replies (2)

Hi tbaehler, I am not sure if you are affected by this, but there is an update to SHA-1 type of certificates in the recent update to 32.0.3: https://blog.mozilla.org/security/

However, in regards to the smart card, when you enter your PIN and are not able to select a certificate, I would recommend checking out https://developer.mozilla.org/en-US/d.../Module_Installation

Do you have the certificate in the Devices section of the cert manager?

Thanks for your answer.

I don't think it is a configuration problem.

Again, if I click on view certificates I see my certificate and can do a two-way SSL authentication as desired, so everything works.

But if I don't click on view certificate on Firefox startup, I am not able to select my certificate. Firefox just asks for the PIN and then fails with (Error code: ssl_error_handshake_failure_alert). It's as if Firefox does not update its internal certificate store (or it just updates it when clicking on view certificate).


There is another bug too, but I was able to solve that. There is a problem in the NSS library when trying to authenticate with TLS 1.2. With TLS 1.2, Firefox tells me that the key is invalid. By analysing that problem I found out that NSS sets keytype to nullkey, so I corrected that by just modifying lib/ssl3con.c (nss):

if (isTLS12) {
   //rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
   rv = ssl3_TLSSignatureAlgorithmForKeyType(rsaKey,
                          &sigAndHash.sigAlg);

So I set the type to rsaKey directly. With that change I can authenticate and everything works, except that I have to click on view certificate after Firefox starts up. Maybe there is another bug in NSS somewhere.
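
A simplified model of the key-type problem described in the post above, added here as an example (it is not NSS source and not the poster's code). It shows why a key reported as nullKey is rejected when picking the TLS 1.2 signature algorithm, and why forcing rsaKey only suits RSA client certificates. The enum values, the function names and the `effective_key_type` fallback are assumptions made for illustration.

```c
#include <stdio.h>

/* Stand-ins for the NSS key types named in the post (values assumed for this model). */
typedef enum { nullKey = 0, rsaKey = 1, dsaKey = 2, ecKey = 6 } KeyType;

/* TLS 1.2 SignatureAlgorithm codes from RFC 5246. */
typedef enum { sig_anonymous = 0, sig_rsa = 1, sig_dsa = 2, sig_ecdsa = 3 } SigAlg;

/* Model of a key-type to signature-algorithm mapping.
 * Returns 0 on success, -1 when the key type cannot be mapped. */
static int sig_alg_for_key_type(KeyType kt, SigAlg *out)
{
    switch (kt) {
    case rsaKey: *out = sig_rsa;   return 0;
    case dsaKey: *out = sig_dsa;   return 0;
    case ecKey:  *out = sig_ecdsa; return 0;
    default:     *out = sig_anonymous; return -1; /* nullKey: "key is invalid" */
    }
}

/* The workaround from the post: ignore the reported type, always pass rsaKey. */
static int sig_alg_hardcoded_rsa(SigAlg *out)
{
    return sig_alg_for_key_type(rsaKey, out);
}

/* Hypothetical alternative: when the token's private key reports nullKey,
 * fall back to the key type of the certificate's public key. */
static KeyType effective_key_type(KeyType token_key, KeyType cert_pubkey)
{
    return token_key != nullKey ? token_key : cert_pubkey;
}

int main(void)
{
    SigAlg alg;
    int rc;

    rc = sig_alg_for_key_type(nullKey, &alg);
    printf("nullKey from token:      rc=%d\n", rc);

    rc = sig_alg_hardcoded_rsa(&alg);
    printf("hard-coded rsaKey:       rc=%d alg=%d\n", rc, alg);

    /* Constructed case: token reports nullKey, certificate carries an EC key. */
    rc = sig_alg_for_key_type(effective_key_type(nullKey, ecKey), &alg);
    printf("fallback to cert (EC):   rc=%d alg=%d\n", rc, alg);
    return 0;
}
```

With an EC client certificate, the hard-coded variant would announce an RSA signature for a key that cannot produce one, which is why the fallback derives the type from the certificate instead.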