giorgio <[EMAIL PROTECTED]> wrote on 2008-08-22 06:01 PDT:

> When you create a test certificate with signtool it is valid only for
> 3 months.

It's valid for YOUR testing (only) for some time. It's not valid at any time for generating signatures that will be verifiable by other users, because it is not issued by a known CA.

> I would like to know whether it is possible to convert a microsoft
> test certificate and use it with Firefox for object signing.
>
> This is what I try to do:
> 1., I have a test.pfx created with microsoft signtool valid for 40
> years
> 2., I use the pk12util to import it
>
> using signtool -L -d . my cert has no asterisk before the name, I guess
> that is the problem.
>
> When using with signtool, I get this (obviously)
>
> Generating zigbert.sf file..
> signtool: PROBLEM signing data (Certificate not approved for this
> operation)
>
> Since it is a test certificate is not there a way to change it to be
> suitable for object signing as well?

There may be a way to force NSS to generate a signature anyway, but the resultant signature would not be of value to others.

Let's say that you've listed your cert DB with certutil and found your cert there to be named XXXXXXXX. Then the command

    certutil -d DB -M -t "u,u,Pu" -n "XXXXXXXX"

(where DB is the name of the directory with your cert DB) will set an override flag that MAY enable you to generate a signature anyway, but the resultant signature will be of no value to anyone who doesn't have your cert in their cert DB marked in that special way.

> Using microsoft certificate store, there is a way to add any kind of
> object identification,

Yes, Microsoft Windows' API for getting the values of cert extensions actually looks in the cert store to see if the cert store contains any additional certificate extensions that were stored with the cert. If so, it will return those extensions, just as if it had found them in the cert itself. This serves the same purpose as NSS's "trust flags", and is considerably more flexible. :-/ (I believe one could add a name constraints extension to a root CA that way, for example.)

> anyone knows the code (OID) for this purpose (object signing)?

But NSS doesn't use Microsoft's cert stores and doesn't use Microsoft's API for getting extensions from certs in the cert stores. So, even if you do put the object signing OID into the Extended Key Usage extension for that cert in Windows' cert store, it won't have any effect on NSS.

> Is there another way to create (with nss tools) a test certificate
> which is valid much more time than 3 months?

Yes, but only valid for YOUR own testing, not valid for others to verify your signature. Is that really of help to you?

Given that a test cert is limited to being for your own personal testing purposes, is 3 months not enough?

I was going to tell you to get a real code signing cert, but in another message that you posted today, you seem to say that you already have one. So that shouldn't be an issue for you.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
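The procedure the reply sketches (import the PFX with pk12util, list the DB with certutil -L, apply the "u,u,Pu" trust override with certutil -M, re-check with signtool -L) as one script. This is an added example, not code from the thread or from the NSS project; the DB directory ./nssdb, the file ./test.pfx and the nickname XXXXXXXX are hypothetical placeholders, and the certutil -L listing embedded in it is constructed to match what a freshly imported cert looks like. The parser for the trust column is included so the override is only applied when the object-signing field does not already carry the trusted-peer flag; as the reply says, that flag is only meaningful inside this one cert DB.

```shell
#!/bin/sh
# Added example (not from the original thread): pk12util import, certutil -L
# listing, certutil -M trust override, signtool -L re-check, with a small
# parser for the trust column so the override is applied only when needed.
# Hypothetical names: ./nssdb (cert DB dir), ./test.pfx, nickname XXXXXXXX.
# A "Pu" object-signing trust set here is local to this DB; it does not make
# signatures verifiable by anyone else.

DB=${DB:-./nssdb}
PFX=${PFX:-./test.pfx}
NICK=${NICK:-XXXXXXXX}

# An NSS trust string has three comma-separated fields: SSL, S/MIME and
# object signing (JAR/XPI). 'u' marks your own cert (private key present);
# 'P' marks a trusted peer, which is the flag -t "u,u,Pu" adds to the third
# field. Print just the object-signing field.
objsign_field() {
    printf '%s' "$1" | cut -d, -f3
}

# Return 0 when the object-signing field carries the trusted-peer flag.
objsign_trusted() {
    case "$(objsign_field "$1")" in
        *P*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Pull the trust string for one nickname out of a `certutil -L` listing
# (nickname in the first column, trust string in the last column).
# Nicknames containing spaces would need a different split; kept simple.
trust_of() {
    nick=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v nick="$nick" '$1 == nick { print $NF }'
}

# Constructed sample of what `certutil -L -d ./nssdb` prints right after a
# pk12util import: no P in the object-signing field, so signtool -L would
# show the cert without an asterisk.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXXXXXXX                                                     u,u,u'

# Dry run over the constructed listing, so the decision logic is visible
# even on a machine without the NSS tools installed.
current=$(trust_of "$NICK" "$SAMPLE_LISTING")
if objsign_trusted "$current"; then
    echo "sample: $NICK already has object-signing trust ($current)"
else
    echo "sample: $NICK has trust '$current'; override command would be:"
    echo "        certutil -d $DB -M -t \"u,u,Pu\" -n \"$NICK\""
fi

# Real run, only when the NSS tools, an existing DB and the PFX are present.
if command -v certutil >/dev/null 2>&1 && [ -d "$DB" ] && [ -f "$PFX" ]; then
    pk12util -i "$PFX" -d "$DB"          # prompts for the PFX password
    listing=$(certutil -L -d "$DB")
    current=$(trust_of "$NICK" "$listing")
    if ! objsign_trusted "$current"; then
        certutil -d "$DB" -M -t "u,u,Pu" -n "$NICK"
    fi
    signtool -L -d "$DB"                 # an asterisk marks certs signtool will use
fi
```

Run it with DB, PFX and NICK set in the environment (create the DB first with `certutil -N -d ./nssdb` if it does not exist). The script only consults the third trust field because that is the one signtool cares about; leaving the SSL and S/MIME fields at "u" keeps the override as narrow as the one quoted in the reply.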