Comment 10 for bug 1964141

Graham Leggett (minfrin) wrote :

When I hit the bug, I didn’t change my config until I’d found the problem and fixed it. Didn’t want symptoms to vanish on me.

I was developing redwax-tool at the time, which was returning discovered pkcs11 URLs with empty labels (a quirk of p11-kit, but still valid). The correct PKCS11 URL was passed to httpd, which then picked up the other cert (with a different key and a different id, but the same empty label because of the bug), resulting in the error "key does not match certificate".

Reproducing could be hard as your system may accidentally choose the correct cert, masking the problem.

A possible approach could be to add many keys, each key having one cert. All certs should have a different id corresponding to each unique key, but give them no label (no label and a blank label are the same in PKCS11, as the label is a space-padded constant-width string).

Then try to refer to each cert in turn, specifying the id and the same label. In theory, as soon as the wrong cert is matched with the given key, you'll get the system telling you the cert and key don't belong together.
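The lookup failure described in this comment, as an added stand-alone simulation that is not code from redwax-tool, p11-kit or httpd. It implements a small RFC 7512 pkcs11: URL parser and an in-memory token holding three certificate/private-key pairs that all carry an empty CKA_LABEL and differ only in CKA_ID. The object layout, the "key_fp" field standing in for the public-key fingerprint, and the `cert_uses_id` switch that toggles between a label-only and an id-aware certificate match are assumptions made for the illustration; no real PKCS#11 module is touched.

```python
"""Simulate matching a pkcs11: URL against token objects whose labels are all empty.

Added example, not project code. A label-only certificate match picks the first
object with an empty label, so whether the cert fits the key depends on token
order: the first id succeeds by accident and the others fail with a mismatch.
Matching on CKA_ID as well selects the right cert every time.
"""
from urllib.parse import unquote_to_bytes


def parse_pkcs11_url(url):
    """Return the path attributes of a pkcs11: URL (RFC 7512) as {name: bytes}.

    Values are percent-decoded to bytes because CKA_ID is binary. Query
    attributes (e.g. pin-value) are dropped; only the object path is needed.
    """
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URL")
    path = url[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    if path == "":
        return attrs
    for part in path.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed attribute %r" % part)
        attrs[name] = unquote_to_bytes(value)
    return attrs


# Constructed token contents (assumption): three cert/key pairs, every object
# with an empty label, distinguishable only by CKA_ID. "key_fp" stands in for
# the public-key fingerprint: on a cert it is the key inside the certificate,
# on a private object it is the key derived from the private key.
TOKEN = [
    {"class": "cert", "id": b"\x01", "label": b"", "key_fp": "fp-A"},
    {"class": "private", "id": b"\x01", "label": b"", "key_fp": "fp-A"},
    {"class": "cert", "id": b"\x02", "label": b"", "key_fp": "fp-B"},
    {"class": "private", "id": b"\x02", "label": b"", "key_fp": "fp-B"},
    {"class": "cert", "id": b"\x03", "label": b"", "key_fp": "fp-C"},
    {"class": "private", "id": b"\x03", "label": b"", "key_fp": "fp-C"},
]


def lookup(token, obj_class, attrs, use_id=True):
    """Return all objects of obj_class matching the URL attributes.

    'object' is compared against CKA_LABEL; 'id' against CKA_ID only when
    use_id is True. use_id=False reproduces a label-only selection: every
    object with an empty label is a candidate, whatever its id.
    """
    matches = []
    for obj in token:
        if obj["class"] != obj_class:
            continue
        if "object" in attrs and obj["label"] != attrs["object"]:
            continue
        if use_id and "id" in attrs and obj["id"] != attrs["id"]:
            continue
        matches.append(obj)
    return matches


def load_pair(token, url, cert_uses_id):
    """Resolve cert and key for one URL and report whether they belong together."""
    attrs = parse_pkcs11_url(url)
    certs = lookup(token, "cert", attrs, use_id=cert_uses_id)
    keys = lookup(token, "private", attrs, use_id=True)  # key lookup honours the id
    if len(keys) != 1:
        raise LookupError("key lookup is empty or ambiguous")
    if not certs:
        raise LookupError("no certificate matches the URL")
    cert, key = certs[0], keys[0]  # first match wins, as a naive loader would do
    return {
        "cert_id": cert["id"],
        "key_id": key["id"],
        "key_matches": cert["key_fp"] == key["key_fp"],
        "ambiguous": len(certs) > 1,  # a careful loader should refuse this case
    }


def reproduce(token, cert_uses_id):
    """Refer to each cert in turn with an empty label and its own id.

    Returns {id_hex: key_matches}. With cert_uses_id=False only the cert that
    happens to sit first in the token passes, masking the bug for that id.
    """
    results = {}
    for obj in token:
        if obj["class"] != "cert":
            continue
        encoded_id = "".join("%%%02X" % b for b in obj["id"])
        url = "pkcs11:object=;id=" + encoded_id
        results[obj["id"].hex()] = load_pair(token, url, cert_uses_id)["key_matches"]
    return results


if __name__ == "__main__":
    print("label-only cert match:", reproduce(TOKEN, cert_uses_id=False))
    print("id-aware cert match:  ", reproduce(TOKEN, cert_uses_id=True))
```

The `ambiguous` flag is the check a loader should act on: when a label-only match yields more than one candidate, refusing to proceed surfaces the misconfiguration immediately instead of relying on token order to raise "key does not match certificate".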