Adriano Bonat wrote:
> adri...@planck:~/Tmp/empty_db$ nss-signtool -d . -l
>
> Object signing certificates
> ---------------------------------------
> COMPANY LLC's Starfield Technologies, Inc. ID
> Issued by: Starfield intermediate
> Expires: Mon Sep 19, 2011
> ---------------------------------------

This looks good, actually - the trust settings in this (newly created)
cert DB meet signtool's expectations.

> adri...@planck:~/Tmp/empty_db$ nss-certutil -V -n "COMPANY LLC's
> Starfield Technologies, Inc. ID" -u O -d .
> nss-certutil: certificate is invalid: Certificate type not approved
> for application.

You should use "-u J" when verifying an object signing cert ("O" is for
OCSP status responder), so this error message is just a red herring.

> Am I doing something wrong?

I don't think so, but it's quite possible that you're running into the
issue reported in
https://bugzilla.mozilla.org/show_bug.cgi?id=321156
because the intermediate CA cert (available from
http://certificates.starfieldtech.com/repository/sf_intermediate.crt)
has neither an EKU nor a netscape-cert-type extension.

When you list the certificates in your Firefox DB with certutil (make
sure you're shutting down Firefox first), I assume that the line with
"Starfield Secure Certification Authority" does not show ",,c", is that
correct?

Kaspar
--
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto
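
The ",,c" check asked about in the reply above can be scripted against a certutil listing. This is an added example, not part of the original thread: the listing is constructed sample data, and the function names and the "Example Object Signing Root" entry are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `certutil -L -d .`
# (not output from the thread). Columns: nickname, then SSL,S/MIME,JAR/XPI.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMPANY LLC's Starfield Technologies, Inc. ID                u,u,u
Starfield Secure Certification Authority                     ,,
Example Object Signing Root (constructed)                    C,,c
EOF
}

# Print the third (object signing) trust field for nickname $1, reading a
# listing on stdin. Nicknames may contain spaces and commas, so the trust
# triple is taken from the last whitespace-separated column only.
objsign_flags() {
    awk -v nick="$1" '
        NF >= 2 {
            trust = $NF
            name = $0
            sub(/[ \t]+[^ \t]+$/, "", name)      # drop the trust column
            if (name == nick && split(trust, f, ",") == 3) {
                print f[3]; found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Return 0 if the nickname has a CA flag (c or C) for object signing,
# 1 if it does not, 2 if the nickname is not in the listing.
is_objsign_ca() {
    flags=$(objsign_flags "$1") || return 2
    case $flags in
        *[cC]*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo on the constructed listing. For a real DB, pipe `certutil -L -d DIR`
# (named nss-certutil on the poster's system) into is_objsign_ca instead.
for n in "Starfield Secure Certification Authority" \
         "Example Object Signing Root (constructed)"; do
    if sample_listing | is_objsign_ca "$n"; then
        echo "object-signing CA flag present: $n"
    else
        echo "object-signing CA flag missing: $n"
    fi
done
```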