Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Претражи подршку

Избегните преваре подршке. Никада од вас нећемо тражити да зовете или шаљете поруке на број или да делите личне податке. Пријавите сумњиве радње преко „Пријавите злоупотребу” опције.

Сазнај више

How can I select a client certificate from a smartcard?

  • 1 одговор
  • 1 има овај проблем
  • 1 преглед
  • Последњи одговор послао andreiconnectis

more options

Hi,

I have a spr532 card reader with a test smartcard with Firefox 50.1.0 on Ubuntu 16.04 up to date. I want to use the client certificate from the device to log in on a website that I am developing.

I also have a test certificate that I generated and it is not on the card. I can log in with the test certificate that I have but not with the one on the card. The problem is that in the "User identification request" page I cannot see the certificate from the smartcard. I can see my generated certificate but not the one on the smartcard. Firefox asks me for the pins for the smartcard (I have two certs on the card and they both have PINs). Firefox sees my certs from the smartcard in about:preferences#advanced > View Certificates > Your Certificates column. I have both the certs on the smartcard and the one I generated in that table. But when I try to log in, Firefox only shows me my generated cert and not the one from the smartcard.

What can I do? How can I debug this? This is a dev environment. I can change any configs on the server so I can decrypt the TLS session and see what is going on between my server and the browser.

PS: I tried to send this message with 2 other email accounts but I do not get the confirmation email.

Thank you!

Hi, I have a spr532 card reader with a test smartcard with Firefox 50.1.0 on Ubuntu 16.04 up to date. I want to use the client certificate from the device to log in on a website that I am developing. I also have a test certificate that I generated and it is not on the card. I can log in with the test certificate that I have but not with the one on the card. The problem is that in the "User identification request" page I cannot see the certificate from the smartcard. I can see my generated certificate but not the one on the smartcard. Firefox asks me for the pins for the smartcard (I have two certs on the card and they both have PINs). Firefox sees my certs from the smartcard in about:preferences#advanced > View Certificates > Your Certificates column. I have both the certs on the smartcard and the one I generated in that table. But when I try to log in, Firefox only shows me my generated cert and not the one from the smartcard. What can I do? How can I debug this? This is a dev environment. I can change any configs on the server so I can decrypt the TLS session and see what is going on between my server and the browser. PS: I tried to send this message with 2 other email accounts but I do not get the confirmation email. Thank you!

Изабрано решење

HA! I found the fix myself :D

Firefox does not list the client CA in the dropdown because it does not trust it! I imported some other root CAs in my Firefox with the same CN but with different details. After I imported as a trusted CA the CA that signed the client certificate it worked!

If you go to about:preferences#advanced > Your Certificates > select smart card certificate & view. If you see that the certificate is not trusted then you need to import the CA that signed it. Very important: check "Trust this CA to Identify Email Users.". If you did not check this then you need to remove the CA and add it again.

Прочитајте овај одговор са објашњењем 👍 1

Сви одговори (1)

more options

Одабрано решење

HA! I found the fix myself :D

Firefox does not list the client CA in the dropdown because it does not trust it! I imported some other root CAs in my Firefox with the same CN but with different details. After I imported as a trusted CA the CA that signed the client certificate it worked!

If you go to about:preferences#advanced > Your Certificates > select smart card certificate & view. If you see that the certificate is not trusted then you need to import the CA that signed it. Very important: check "Trust this CA to Identify Email Users.". If you did not check this then you need to remove the CA and add it again.