Can import multiple certificates with same subject?

Can import multiple certificates with same subject?

John Jiang
Hi,
I'm using NSS 3.35.

With my testing, it is not allowed to import multiple certificates with
same subject and different nicknames to a certificate database via pk12util.
I just want to confirm this point.

Best regards,
John Jiang
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Can import multiple certificates with same subject?

John Jiang
In order to describe my point clearly, please consider the below simple
example.

1. Two certificates with same subject (CN=www.example.com) and different
nicknames (respectively, example1 and example2). Both of them are in PKCS12
format.

2. Import the certificates to an existing database
$ pk12util -i example1.p12 -d sql:exampledb -W 'example1pass'
pk12util: PKCS12 IMPORT SUCCESSFU
$ pk12util -i example2.p12 -d sql:exampledb -W 'example2pass'
pk12util: PKCS12 IMPORT SUCCESSFU

3. List the certificates
$ certutil -d sql:exampledb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

example1                                                     u,u,u
example1                                                     u,u,u
Only nickname "example1" is listed.

4. Display certificate example1
$ certutil -d sql:exampledb -L -n example1
Here, indeed, certificate example2 is displayed.

It looks like a bug.

Best regards,
John Jiang

2018-01-31 13:07 GMT+08:00 John Jiang <[hidden email]>:

> Hi,
> I'm using NSS 3.35.
>
> With my testing, it is not allowed to import multiple certificates with
> same subject and different nicknames to a certificate database via pk12util.
> I just want to confirm this point.
>
> Best regards,
> John Jiang
>

Re: Can import multiple certificates with same subject?

Hubert Kario
On Wednesday, 31 January 2018 06:43:19 CET John Jiang wrote:

> In order to describe my point clearly, please consider the below simple
> example.
>
> 1. Two certificates with same subject (CN=www.example.com) and different
> nicknames (respectively, example1 and example2). Both of them are in PKCS12
> format.
>
> 2. Import the certificates to an existing database
> $ pk12util -i example1.p12 -d sql:exampledb -W 'example1pass'
> pk12util: PKCS12 IMPORT SUCCESSFU
> $ pk12util -i example2.p12 -d sql:exampledb -W 'example2pass'
> pk12util: PKCS12 IMPORT SUCCESSFU
>
> 3. List the certificates
> $ certutil -d sql:exampledb -L
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> example1                                                     u,u,u
> example1                                                     u,u,u
> Only nickname "example1" is listed.
>
> 4. Display certificate example1
> $ certutil -d sql:exampledb -L -n example1
> Here, indeed, certificate example2 is displayed.
>
> It looks like a bug.

This is expected and is an artefact of the way NSS stores certificates in the
database. Since a newer certificate will be used when requested by
application, it should not cause any problems.

> Best regards,
> John Jiang
>
> 2018-01-31 13:07 GMT+08:00 John Jiang <[hidden email]>:
> > Hi,
> > I'm using NSS 3.35.
> >
> > With my testing, it is not allowed to import multiple certificates with
> > same subject and different nicknames to a certificate database via
> > pk12util. I just want to confirm this point.
> >
> > Best regards,
> > John Jiang

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
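
A check that follows from the thread, as an added example that is not part of the original messages: it scans `certutil -L` output for nicknames that occupy more than one row, which is how the second import showed up in the listing above. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `certutil -d sql:exampledb -L` output (not real data).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
example1                                                     u,u,u
example1                                                     u,u,u
EOF
}

# Read a `certutil -L` listing on stdin and print "<rows> <nickname>" for every
# nickname that occupies more than one row.
repeated_nicknames() {
    awk '
        # A data row ends in a trust triple such as u,u,u or CT,C,C or ,, .
        # The header rows do not match: one has no commas, the other has "/".
        match($0, /[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/) {
            nick = substr($0, 1, RSTART - 1)   # nickname may contain spaces
            sub(/^[ \t]+/, "", nick)
            if (nick != "") rows[nick]++
        }
        END {
            for (n in rows) if (rows[n] > 1) printf "%d %s\n", rows[n], n
        }
    ' | sort
}

# Against a real database: certutil -d sql:exampledb -L | repeated_nicknames
sample_listing | repeated_nicknames
```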