Eric Murphy wrote:
> (I e-mailed this to Wan-Teh Chang last night, but I will also post
> here since this is rather urgent. Thanks.)
>
> I am trying to create a Netscape Object CA. I am having problems with
> getting signtool to approve certificates I create. Here I will try to
> outline my process:
>
> Step 1 - Create blank database:
> certutil -N -d . and set a password as "mozdev.org"
>
> Step 2 - Create a root certificate:
> certutil -S -s "CN=mozdev.org" -n "root" -t ",,C" -x -d . -1 -2 -
>
> Step 3 - Create a signing certificate with a lifespan of 96 months:
> certutil -S -n "mozdev.org" -s "CN=mozdev.org" -c "root" -v 96
> -t ",,C" -d . -1 -2 -
>
> *** Now, at this point, when I do a certutil -L -d . , I get two
> certificates named "root"! One should be "root", and the other should be
> "mozdev.org", from my understanding.

Both certs have the same Subject. All certs with the same subject are
considered the same personality. You need to make the -s values for the
certs unique. As it is, mozdev.org is indistinguishable from a self-signed
cert except the signature will fail to verify.

bob
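
The check below is an added example, not part of the original thread and not NSS code: it reads planned `certutil -S` command lines and flags the two conditions described in the reply, a subject shared by several nicknames and an issued cert whose subject equals its issuer's. The function names, the simplified DN comparison, and the replacement root subject `CN=mozdev.org Root CA` are assumptions made for illustration.

```python
import shlex
from collections import defaultdict

# Command lines from the thread, trimmed to the options the check reads.
THREAD_PLAN = [
    'certutil -S -s "CN=mozdev.org" -n "root" -t ",,C" -x -d .',
    'certutil -S -n "mozdev.org" -s "CN=mozdev.org" -c "root" -v 96 -t ",,C" -d .',
]
# Constructed fix: the root gets its own subject (hypothetical value).
FIXED_PLAN = [
    'certutil -S -s "CN=mozdev.org Root CA" -n "root" -t ",,C" -x -d .',
    THREAD_PLAN[1],
]

def parse_certutil_s(cmdline):
    """Pull nickname (-n), subject (-s), issuer nickname (-c) and -x from one line."""
    cert = {"nickname": None, "subject": None, "issuer": None, "self_signed": False}
    takes_value = {"-n": "nickname", "-s": "subject", "-c": "issuer"}
    args = iter(shlex.split(cmdline)[1:])
    for arg in args:
        if arg in takes_value:
            cert[takes_value[arg]] = next(args, None)
        elif arg == "-x":
            cert["self_signed"] = True
    return cert

def norm_dn(dn):
    """Simplified DN normalisation: no escaped commas or multi-valued RDNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return tuple(parts)

def check_plan(cmdlines):
    """Return findings for subjects that would collide in one cert database."""
    certs = [parse_certutil_s(c) for c in cmdlines]
    subject_of = {c["nickname"]: norm_dn(c["subject"]) for c in certs}
    by_subject = defaultdict(list)
    for nickname, subject in subject_of.items():
        by_subject[subject].append(nickname)
    findings = [("shared-subject", tuple(n)) for n in by_subject.values() if len(n) > 1]
    for c in certs:
        # Issued by another cert (-c) yet carrying that issuer's subject:
        # issuer DN == subject DN, so it reads as self-signed but is not.
        if not c["self_signed"] and subject_of.get(c["issuer"]) == subject_of[c["nickname"]]:
            findings.append(("looks-self-issued", c["nickname"]))
    return findings

if __name__ == "__main__":
    print("thread plan:", check_plan(THREAD_PLAN))
    print("fixed plan: ", check_plan(FIXED_PLAN))
```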
