Andy,
I've been able to import my certificate into Netscape from OpenLDAP, so it seems I've worked it out correctly.

Before saying "real success!", I have to point out that apparently the reason why I was not able to import my certificate into Netscape is that in the dn (distinguished name) part of the certificate there was not any e-mail attribute specified.

The wrong certificate was issued as belonging to a "subject's" dn like this:

"cn=tizi, ou=Pescheria, o=Consip SpA, c=IT"

I've issued a new certificate. The certificate now belongs to the following subject:

"e=ezio@hotmail.com, cn=tizi, ou=Pescheria, o=Consip SpA, c=IT"

and that worked fine!

So, it seems that Netscape acts like this when it has to import certificates from Directory:

1) Search Directory for entries with "mail" attribute matching subject
2) Get certificate from directory (if any)
3) Really import certificate if and only if there is a matching e-mail attribute in the subject's certificate

Now, I do not know if this works fine for your environment too. I've generated certificates with a tool (OSCAR CA). I believe that if I use certificates generated from Verisign or similar I'll never see the problem we're discussing, because those certificates (I mean "official" ones, from Verisign etc.) do always have an e-mail address in the subject dn.

So, I'd be glad to hear your opinion on this matter, to decide whether what I've found out is "the solution" or just another little piece in the puzzle.

Thanks for your attention.

P.S. Norbert, I've been able to get your certificate into Netscape from my OpenLDAP. Your certificate contains e-mail in subject's dn as well.
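The three-step behaviour described in the message above can be turned into a pre-publication check on directory entries; this is an added example, not part of the original post and not Netscape's own logic. It assumes each entry is a dict holding the `mail` attribute and the certificate subject as a DN string; the function names and the pairing of `mail` values with the two subjects are constructed for illustration, and multi-valued RDNs joined with `+` are not handled.

```python
# Models the rule as the message describes it: an entry is importable only
# if its "mail" value also appears as an e-mail attribute in the subject DN.
EMAIL_KEYS = {"e", "email", "emailaddress", "1.2.840.113549.1.9.1"}

def split_dn(dn):
    """Split a DN string into (type, value) pairs, honouring backslash
    escapes and double-quoted values so embedded commas do not split."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:  # skip fragments that are not type=value
            rdns.append((key.strip().lower(), value.strip()))
    return rdns

def subject_emails(dn):
    """Lower-cased e-mail values found in the subject DN."""
    return {v.lower() for k, v in split_dn(dn) if k in EMAIL_KEYS}

def importable(entry):
    """Step 3: mail attribute must match an e-mail in the subject DN."""
    mail = entry.get("mail", "").strip().lower()
    return bool(mail) and mail in subject_emails(entry.get("subject", ""))

def audit(entries):
    """Subjects of entries that would be found by mail but not imported."""
    return [e["subject"] for e in entries if not importable(e)]

# Constructed directory entries using the two subject DNs from the message.
SAMPLE = [
    {"mail": "ezio@hotmail.com",
     "subject": "cn=tizi, ou=Pescheria, o=Consip SpA, c=IT"},
    {"mail": "Ezio@hotmail.com",
     "subject": "e=ezio@hotmail.com, cn=tizi, ou=Pescheria, o=Consip SpA, c=IT"},
]
```

`audit(SAMPLE)` returns the subject of the first entry only, the certificate issued without an e-mail attribute.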