We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

pkcs11 certificate only accessible when open certmanager

  • 2 replies
  • 2 have this problem
  • 13 views
  • Last reply by tbaehler

more options

I've added a pkcs11 library. And try to access a https site with client authentication.

If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails.

If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.

I've added a pkcs11 library. And try to access a https site with client authentication. If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails. If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.

All Replies (2)

more options

HI tbaehler, I am not sure if you are affected by this but there is an update to SHA-1 type of certificates in the recent update to 32.0.3 https://blog.mozilla.org/security/

However in regards to the smard card when you enter your pin and not being able to select a certificate I would recommend checking out https://developer.mozilla.org/en-US/d.../Module_Installation

Do you have the certificate in the Devices section of the cert manager?

more options

Thanks for your answer.

I don't think it is a configuration problem.

Again if i click on view certificates I see my certificate and can do a two way ssl authentication as desired. so everythink works.

But if i don't click on view certificate on firefox startup I am not able to select my certificyate. firefox just ask for the pin and then fails with (Error code: ssl_error_handshake_failure_alert) It's as if firefox does not update its internal certificate store. (or it just updates it when clicking on view certificate).


There is another bug too, but I was able to solve that. There is a problem in the nss library when trying to authenticate with tls1.2. with tls 1.2 firefox tells me that the key is invalid. by analysing that problem I found out, that nss sets keytype to nullkey. so I corrected that by just modifying lib/ssl3con.c (nss)

if (isTLS12) {
   //rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
   rv = ssl3_TLSSignatureAlgorithmForKeyType(rsaKey,
                          &sigAndHash.sigAlg);

so I set the type to rsaKey directy. With that change I can authenticat and everything works. exept that I have to click on view certificate after firefox starts up. Maybe there is another but in nss somewhere.