*Requirement :* The local certificate being generated should be added as a
Peer certificate in Firefox
*Current Approach :* 1. Fetched nss-3.75 and built the binaries for both
MAC and Windows.
2. Used the generated certutil.exe application to add the local certificate
to firefox db.
3. The command used was:
certutil -A -d
sql:"%localappdata%\Roaming\Mozilla\Firefox\Profiles\ob08n7zb.default-release"
-i <Local Certificate Path/Name> -n 127.0.0.1 -t "P,,"
*Expectation:* The certificate should have been added as a peer certificate
in Firefox.
*Current Behavior*: The command is not returning any errors, but
certificate is not reflected as a peer.
When we run command to List the added certificate, the attributes returned
are:
Signed Extensions:
Name: Certificate Authority Key Identifier
Issuer:
Directory Name: "CN=127.0.0.1,O=A2ML41623"
Serial Number:
16:d2:0e:c8:3e:c1:d9:c7:1c:ae:a5:c7:b6:b8:85:5c:
4d:56:ba:db
Name: Certificate Basic Constraints
Data: Is not a CA.
Name: Certificate Key Usage
Usages: Digital Signature
Name: Extended Key Usage
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Subject Alt Name
IP Address: 127.0.0.1
Name: Certificate Comment
Comment: "OpenSSL Generated Certificate"
However, the certificate does not seem to be added in firefox, as the web
socket connection does not happen.
On running the Validate command for the certificate added and adding the
usage as V(As an SSL Server), we get the output:
certutil: certificate is invalid: Certificate key usage inadequate for
attempted operation.
On running the Validate command for the certificate added and adding the
usage as C(As an SSL Client), we get the output:
certutil: certificate is valid
Note: When we run the command:
certutil -A -d
sql:"%localappdata%\Roaming\Mozilla\Firefox\Profiles\ob08n7zb.default-release"
-i <Local Certificate Path/Name> -n 127.0.0.1 -t "PCu,,"
The certificate gets added to the firefox db as a Certificate Authority and
the WebSocket connection is established as expected.
Adding the certificate as a CA raises security concerns, hence we need to
add it as a Peer certificate. Request you to kindly help us with how we can
add the certificate as Peer in the firefox DB.
--
You received this message because you are subscribed to the Google Groups
"dev-tech-crypto@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to dev-tech-crypto+unsubscr...@mozilla.org.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/e0818e82-5a17-4fdf-8f19-abd277ad14a7n%40mozilla.org.
