On aug. 22, 19:43, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote, On 2008-08-22 05:51:
>
> > Hi,
>
> > I have a Verisign Digital ID Class 3 - Microsoft Software Validation
> > v2 certificate, which I would like to use to sign my xpi.
>
> > I have followed the steps described on this page
> > http://oyoy.eu/huh/firefox-extension-code-signed-with-spc-pvk/
>
> > Briefly
> > 1., I use pvkimport to convert spc and pvk to pfx file
> > 2., I use pk12util to create a new database and import the cert
>
> > Verification
> > certutil -L -d . lists my one and only cert
>
> Does the line for your cert end in "u,u,u" ?
certutil -L -d .
2bee11b8-ca7d-4f71-b580-f72a581f84fa u,u,u
signtool -L -d .
using certificate directory: .
S Certificates
- ------------
* 2bee11b8-ca7d-4f71-b580-f72a581f84fa
Builtin Object Token:Verisign/RSA Secure Server CA
Builtin Object Token:GTE CyberTrust Root CA
Builtin Object Token:GTE CyberTrust Global Root
Builtin Object Token:Thawte Personal Basic CA
Builtin Object Token:Thawte Personal Premium CA
Builtin Object Token:Thawte Personal Freemail CA
Builtin Object Token:Thawte Server CA
Builtin Object Token:Thawte Premium Server CA
Builtin Object Token:Equifax Secure CA
Builtin Object Token:ABAecom (sub., Am. Bankers Assn.) Root CA
Builtin Object Token:Digital Signature Trust Co. Global CA 1
Builtin Object Token:Digital Signature Trust Co. Global CA 3
Builtin Object Token:Digital Signature Trust Co. Global CA 2
Builtin Object Token:Digital Signature Trust Co. Global CA 4
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G2
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority - G2
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority - G2
Builtin Object Token:Verisign Class 4 Public Primary Certification Authority - G2
Builtin Object Token:GlobalSign Root CA
Builtin Object Token:ValiCert Class 1 VA
Builtin Object Token:ValiCert Class 2 VA
Builtin Object Token:RSA Root Certificate 1
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G3
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority - G3
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority - G3
Builtin Object Token:Verisign Class 4 Public Primary Certification Authority - G3
Builtin Object Token:Entrust.net Secure Server CA
Builtin Object Token:Entrust.net Secure Personal CA
Builtin Object Token:Entrust.net Premium 2048 Secure Server CA
Builtin Object Token:Baltimore CyberTrust Root
Builtin Object Token:Equifax Secure Global eBusiness CA
Builtin Object Token:Equifax Secure eBusiness CA 1
Builtin Object Token:Equifax Secure eBusiness CA 2
Builtin Object Token:Visa International Global Root 2
Builtin Object Token:beTRUSTed Root CA
Builtin Object Token:AddTrust Low-Value Services Root
Builtin Object Token:AddTrust External Root
Builtin Object Token:AddTrust Public Services Root
Builtin Object Token:AddTrust Qualified Certificates Root
Builtin Object Token:Verisign Class 1 Public Primary OCSP Responder
Builtin Object Token:Verisign Class 2 Public Primary OCSP Responder
Builtin Object Token:Verisign Class 3 Public Primary OCSP Responder
Builtin Object Token:Verisign Secure Server OCSP Responder
Builtin Object Token:Verisign Time Stamping Authority CA
Builtin Object Token:Thawte Time Stamping CA
Builtin Object Token:Entrust.net Global Secure Server CA
Builtin Object Token:Entrust.net Global Secure Personal CA
Builtin Object Token:AOL Time Warner Root Certification Authority 1
Builtin Object Token:AOL Time Warner Root Certification Authority 2
Builtin Object Token:beTRUSTed Root CA-Baltimore Implementation
Builtin Object Token:beTRUSTed Root CA - Entrust Implementation
Builtin Object Token:beTRUSTed Root CA - RSA Implementation
Builtin Object Token:RSA Security 2048 v3
Builtin Object Token:RSA Security 1024 v3
Builtin Object Token:GeoTrust Global CA
Builtin Object Token:GeoTrust Global CA 2
Builtin Object Token:GeoTrust Universal CA
Builtin Object Token:GeoTrust Universal CA 2
Builtin Object Token:UTN-USER First-Network Applications
Builtin Object Token:America Online Root Certification Authority 1
Builtin Object Token:America Online Root Certification Authority 2
Builtin Object Token:Visa eCommerce Root
Builtin Object Token:TC TrustCenter, Germany, Class 2 CA
Builtin Object Token:TC TrustCenter, Germany, Class 3 CA
Builtin Object Token:Certum Root CA
Builtin Object Token:Comodo AAA Services root
Builtin Object Token:Comodo Secure Services root
Builtin Object Token:Comodo Trusted Services root
Builtin Object Token:IPS Chained CAs root
Builtin Object Token:IPS CLASE1 root
Builtin Object Token:IPS CLASE3 root
Builtin Object Token:IPS CLASEA1 root
Builtin Object Token:IPS CLASEA3 root
Builtin Object Token:IPS Servidores root
Builtin Object Token:IPS Timestamping root
Builtin Object Token:QuoVadis Root CA
Builtin Object Token:Security Communication Root CA
Builtin Object Token:Sonera Class 1 Root CA
Builtin Object Token:Sonera Class 2 Root CA
Builtin Object Token:Staat der Nederlanden Root CA
Builtin Object Token:TDC Internet Root CA
Builtin Object Token:TDC OCES Root CA
Builtin Object Token:UTN DATACorp SGC Root CA
Builtin Object Token:UTN USERFirst Email Root CA
Builtin Object Token:UTN USERFirst Hardware Root CA
Builtin Object Token:UTN USERFirst Object Root CA
Builtin Object Token:Camerfirma Chambers of Commerce Root
Builtin Object Token:Camerfirma Global Chambersign Root
Builtin Object Token:NetLock Qualified (Class QA) Root
Builtin Object Token:NetLock Notary (Class A) Root
Builtin Object Token:NetLock Business (Class B) Root
Builtin Object Token:NetLock Express (Class C) Root
Builtin Object Token:XRamp Global CA Root
Builtin Object Token:Go Daddy Class 2 CA
Builtin Object Token:Starfield Class 2 CA
Builtin Object Token:StartCom Ltd.
Builtin Object Token:Taiwan GRCA
Builtin Object Token:Firmaprofesional Root CA
Builtin Object Token:Wells Fargo Root CA
Builtin Object Token:Swisscom Root CA 1
- ------------
Certificates that can be used to sign objects have *'s to their left.
> > signtool -L -d . lists all of the certs, but only mine has a * before
> > the name
>
> What version of NSS are you using?
nss 3.11.4
nspr 4.6.4
> If you run the signtool program without any command line options, it outputs
> a page of "usage" information. The first non-blank line of that
> output looks like this:
>
> Signing Tool <VERSION> - a signing tool for jar files
Signing Tool 3.11.4 Basic ECC - a signing tool for jar files
> where <VERSION> is a "string" of characters (letters, numbers, periods,
> and words) that say what version of signtool you're using. Please tell
> us that info.
>
> > When I try to use it with signtool, I get this
> > ...
> > Generating zigbert.sf file..
> > warning - can't find private key for this cert
> > signtool: PROBLEM signing data (Unknown issuer)
>
> There are two separate issues there. They are:
> a) signtool thinks it cannot find the private key with which to sign the
> jar, and
> b) signtool reports that it cannot verify the signature on your cert,
> because it cannot find the cert for the issuer of your cert. That means
> that the signature it generates (if it can find the private key) will not
> be verifiable by clients (browsers) because the certificate chain will be
> incomplete.
>
> You need to get the certificate for the issuer of your code signing cert,
> and that needs to go into your cert DB too. If that cert had been present
> in Microsoft's cert store when you created the pfx file, it would have been
> put into the pfx file. So, I gather that you don't have that cert in either
> your NSS cert DB, nor in Microsoft's cert store.
>
You tell me if something is missing; see the list above.
I have this in the MS cert store as well:
Issued To
VeriSign Class 3 Code Signing 2004 CA
Certification path
VeriSign Class 3 Public Primary CA
VeriSign Class 3 Code Signing 2004 CA
If this is what I need, should I export it as pfx and import it into
the nss db?
> I suggest you do these things:
> 1) download the Verisign CA cert for the CA that issued your code signing
> cert, and get it into your Windows cert store. Verisign should have a web
> page of instructions on how to do that somewhere.
Not sure whether I know what it is, where to look for it and what is
the extension of this, and how to put it into the nss db?
Thanks
> 2) using Windows cert manager, edit your code signing cert and give it a
> "friendly name". I suggest using this friendly name:
> "Giorgio's Verisign code signing cert"
>
> Then create your pfx file again.
> Then list the pfx file with pk12util -l, as you did before (thanks).
> You should then see that there are two certs in it, and that your cert
> now has that "nickname" (friendly name), instead of its present "friendly
> name", which IINM is "2bee11b8-ca7d-4f71-b580-f72a581f84fa". (Not very
> friendly, is it?)
> Then create a new cert and key DB pair, and use pk12util to import your
> new pfx into it, and then try all this again.
>
> That should cure the "unknown issuer" problem. It may or may not have
> any effect on the "can't find private key" problem. But let's try that
> first.
Thanks, Nelson
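
Added example, not part of the original thread and not code from NSS: a pre-flight check over `certutil -L -d DIR` output for the two conditions discussed above (the signing cert's line carries a "u" flag, and the issuer's cert is present in the same DB), plus the `certutil -A` call that adds a CA cert file directly. The function names, the issuer nickname and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# check_listing NICK ISSUER   (reads a `certutil -L -d DIR` listing on stdin)
# exit 0 ok, 1 signing cert missing, 2 no "u" flag, 3 issuer cert missing
check_listing() {
    awk -v nick="$1" -v issuer="$2" '
        # Data rows end in a trust triple such as u,u,u or ,, (header rows do not).
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
            sub(/^[ \t]+/, "", name)                # drop leading indent
            if (name == nick)   { have_cert = 1; if ($NF ~ /u/) have_key = 1 }
            if (name == issuer) { have_issuer = 1 }
        }
        END {
            if (!have_cert)   { print "signing cert not in DB"; exit 1 }
            if (!have_key)    { print "no u flag: no private key seen for cert"; exit 2 }
            if (!have_issuer) { print "issuer cert not in DB (Unknown issuer)"; exit 3 }
            print "ok"
        }'
}

# preflight DIR NICK ISSUER: run the same check against a real NSS cert DB.
preflight() { certutil -L -d "$1" | check_listing "$2" "$3"; }

# import_issuer DIR NICK FILE: add a DER-encoded CA cert with no explicit
# trust bits; it is expected to chain to a root already trusted in the DB.
import_issuer() { certutil -A -d "$1" -n "$2" -t ",," -i "$3"; }

# Constructed listing matching the state reported in the thread.
listing_before() { cat <<'EOF'
2bee11b8-ca7d-4f71-b580-f72a581f84fa                         u,u,u
EOF
}

# Constructed listing after re-importing a PFX that includes the issuer
# (the issuer nickname shown here is an assumption).
listing_after() { cat <<'EOF'
Giorgio's Verisign code signing cert                         u,u,u
VeriSign Class 3 Code Signing 2004 CA                        ,,
EOF
}

listing_before | check_listing "2bee11b8-ca7d-4f71-b580-f72a581f84fa" \
    "VeriSign Class 3 Code Signing 2004 CA" || echo "exit status $?"
```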