Hey, thanks for you feedback. On Sep 25, 3:07 pm, Kaspar Brand <[email protected]> wrote: > Adriano Bonat wrote: > > adri...@planck:~/Tmp/empty_db$ nss-signtool -d . -l > > > Object signing certificates > > --------------------------------------- > > COMPANY LLC's Starfield Technologies, Inc. ID > > Issued by: Starfield intermediate > > Expires: Mon Sep 19, 2011 > > --------------------------------------- > > This looks good, actually - the trust settings in this (newly created) > cert DB meet signtool's expectations. > > > adri...@planck:~/Tmp/empty_db$ nss-certutil -V -n "COMPANY LLC's > > Starfield Technologies, Inc. ID" -u O -d . > > nss-certutil: certificate is invalid: Certificate type not approved > > for application. > > You should use "-u J" when verifying an object signing cert ("O" is for > OCSP status responder), so this error message is just a red herring.
uh... my mistake, thanks for pointing it :) > > Am I doing something wrong? > > I don't think so, but it's quite possible that you're running into the > issue reported in > > https://bugzilla.mozilla.org/show_bug.cgi?id=321156 > > because the intermediate CA cert (available > fromhttp://certificates.starfieldtech.com/repository/sf_intermediate.crt) > does not have an EKU nor a netscape-cert-type extension. I understand, do you think that GoDaddy can do something about that? In case no, if I want to sign my extension I will have to buy a code signing certificate from another company like Verisign and Thawte, any cheaper one that simply works? > When you list the certificates in your Firefox DB with certutil (make > sure you're shutting down Firefox first), I assume that the line with > "Starfield Secure Certification Authority" does not show ",,c", is that > correct? Yes, that's correct. I did set the value ",,c" using certutil. Thanks again. -Adriano Bonat -- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
