pkcs11 certificate only accessible when open certmanager
I've added a pkcs11 library. And try to access a https site with client authentication.
If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails.
If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.
Alle antwoorden (2)
HI tbaehler, I am not sure if you are affected by this but there is an update to SHA-1 type of certificates in the recent update to 32.0.3 https://blog.mozilla.org/security/
However in regards to the smard card when you enter your pin and not being able to select a certificate I would recommend checking out https://developer.mozilla.org/en-US/d.../Module_Installation
Do you have the certificate in the Devices section of the cert manager?
Thanks for your answer.
I don't think it is a configuration problem.
Again if i click on view certificates I see my certificate and can do a two way ssl authentication as desired. so everythink works.
But if i don't click on view certificate on firefox startup I am not able to select my certificyate. firefox just ask for the pin and then fails with (Error code: ssl_error_handshake_failure_alert) It's as if firefox does not update its internal certificate store. (or it just updates it when clicking on view certificate).
There is another bug too, but I was able to solve that. There is a problem in the nss library when trying to authenticate with tls1.2. with tls 1.2 firefox tells me that the key is invalid. by analysing that problem I found out, that nss sets keytype to nullkey. so I corrected that by just modifying lib/ssl3con.c (nss)
if (isTLS12) { //rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, rv = ssl3_TLSSignatureAlgorithmForKeyType(rsaKey, &sigAndHash.sigAlg);
so I set the type to rsaKey directy. With that change I can authenticat and everything works. exept that I have to click on view certificate after firefox starts up. Maybe there is another but in nss somewhere.