NSSDB issue with duplicate certificate subjects and nicknames


NSSDB issue with duplicate certificate subjects and nicknames

shruthi patil
We are using the NSSDB as a FIPS 140-2-compliant solution for managing certificates and their private keys in our product. In our implementation, we add certificates to the database using a command like this:  
 
certutil -A -n "cert-nickname" -a -i "cert.pem" -t "TP,," -d /nssdb -f "pwd.txt"
 
The issue is that NSSDB stores certificates that have the same subject name under the same nickname, even though the nicknames passed in the command for each certificate are different.
This will cause problems when reading the certificates, since there is no way to reliably retrieve one of the two certificates, as both have the same nickname.
 
I found the following report related to the same issue; was there any enhancement or fix done for this? Please point us to the right NSSDB version if this has been resolved.
 
https://bugzilla.mozilla.org/show_bug.cgi?id=413949
 
This restriction is causing many customer issues on our end; a sooner response is appreciated.
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
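The collision described in this post happens at import time, so the practical defence is to catch it before calling `certutil -A`. The following script is an added example, not NSS or certutil code: it parses each PEM/DER certificate just far enough to pull out the DER-encoded Subject name (the field NSS keys nicknames on) and reports any set of files that would land on one subject. The DER helpers, the `sample_cert_pem` builder and the `SAMPLE_CERTS` inputs are this example's own constructions; the sample certificates are certificate-shaped but unsigned test data.

```python
"""Pre-import guard for NSS databases (added example, not NSS/certutil code).

Detects certificates that share a DER-encoded Subject before they are fed to
`certutil -A`, since NSS keeps all certificates of one subject under one nickname.
All helpers and sample data below are constructed for this example.
"""
import base64
import hashlib
import re
from collections import defaultdict


def _tlv(buf, pos):
    """Decode tag and length of the DER TLV at pos -> (tag, header_len, content_len)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509 certificates")
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def _children(buf, pos):
    """Yield (tag, start, end) for each element inside the constructed TLV at pos;
    buf[start:end] is the complete encoding of that child."""
    tag, hlen, clen = _tlv(buf, pos)
    if not tag & 0x20:
        raise ValueError("expected a constructed (SEQUENCE/SET) element")
    cur, end = pos + hlen, pos + hlen + clen
    while cur < end:
        ctag, chlen, cclen = _tlv(buf, cur)
        yield ctag, cur, cur + chlen + cclen
        cur += chlen + cclen
    if cur != end:
        raise ValueError("truncated DER element")


def pem_to_der(data):
    """Accept PEM text (str or bytes) or raw DER bytes and return DER bytes."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return data
    text = data.decode() if isinstance(data, bytes) else data
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def subject_der(cert_der):
    """Return the DER encoding of the Subject Name.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, tbs_start, _ = next(_children(cert_der, 0))
    fields = list(_children(cert_der, tbs_start))
    if fields and fields[0][0] == 0xA0:   # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    tag, start, end = fields[4]           # serial, sigAlg, issuer, validity, subject
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert_der[start:end]


def find_subject_collisions(certs_by_nickname):
    """{nickname: PEM/DER cert} -> {sha256(subject DER): [nicknames]} for every
    Subject that two or more of the given certificates share."""
    groups = defaultdict(list)
    for nickname, data in certs_by_nickname.items():
        groups[hashlib.sha256(subject_der(pem_to_der(data))).hexdigest()].append(nickname)
    return {d: names for d, names in groups.items() if len(names) > 1}


# --- constructed sample input: certificate-shaped DER, unsigned, test data only ---

def _der(tag, content):
    """Minimal DER encoder used only to build the sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert_pem(common_name, serial):
    """Build a self-issued certificate skeleton with Subject CN=common_name, as PEM."""
    cn = _der(0x06, bytes.fromhex("550403")) + _der(0x0C, common_name.encode())  # 2.5.4.3
    subject = _der(0x30, _der(0x31, _der(0x30, cn)))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + alg + subject + validity + subject + _der(0x30, b"\x05\x00"))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # placeholder signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_CERTS = {                          # constructed: two nicknames, one subject
    "server-2024": sample_cert_pem("api.example.test", 1),
    "server-2025": sample_cert_pem("api.example.test", 2),
    "client-ca": sample_cert_pem("Example Client CA", 3),
}

if __name__ == "__main__":
    for digest, names in find_subject_collisions(SAMPLE_CERTS).items():
        print(f"subject {digest[:16]}... would share one NSS nickname: {', '.join(names)}")
```

Run against real files, `find_subject_collisions` takes the PEM text of each file keyed by the nickname you intend to pass to `-n`; any group it returns is a set of certificates NSS would store under a single nickname, so the operator can decide which one to import (or re-issue with a distinguishing subject) instead of discovering the clash at read time. Comparing the raw subject DER rather than a printed string is deliberate: it matches on exactly the bytes NSS compares.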

Re: NSSDB issue with duplicate certificate subjects and nicknames

Franziskus Kiefer
I'm not sure I understand the issue properly.
Is the issue that if you have more than one certificate with the same
subject, you can't retrieve both?
If so, it's the way the NSS DB operates. It will thus always use the latest
version of the certificate in the DB, which should be the last one you
imported.

Cheers

On Wed, Feb 7, 2018 at 8:40 PM, shruthi patil <[hidden email]>
wrote:

> We are using the NSSDB as a FIPS 140-2-compliant solution for managing
> certificates and their private keys in our product. In our implementation,
> we add certificates to the database using a command like this:
>
> certutil -A -n "cert-nickname" -a -i "cert.pem" -t "TP,," -d /nssdb -f
> "pwd.txt"
>
> The issue is that NSSDB stores certificates that have the same subject name
> under the same nickname, even though the nicknames passed in the command for
> each certificate are different.
> This will cause problems when reading the certificates, since there is no
> way to reliably retrieve one of the two certificates, as both have the
> same nickname.
>
> I found the following report related to the same issue; was there any
> enhancement or fix done for this? Please point us to the right NSSDB version
> if this has been resolved.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=413949
>
> This restriction is causing many customer issues on our end; a sooner
> response is appreciated.