Loren wrote:
> Thank you for your answer, but after I double checked the
> certificates, I don't see any of the problems listed here,

OK, I'm glad you haven't run into those common issues.

> please see the following comments:
> I only import 3 certs here, root CA, users CA, and an end user cert.
> root CA is self-signed, and user CA is signed by root, they have
> serial number 0 and 0x11, respectively, and user cert is signed by
> user CA, so there is no serial number reuse.
> as noted above, these 3 certs did have their own DN, specifically, one
> is called Generic Root CA for CN, the other CA is Class 1 CA, and end
> user is my first name, Loren.

All sounds good.

> However, I did notice some points, I imported these certs as a pkcs12 file,

Does that mean that you imported the private keys for the root and
intermediate CAs into your browser's DBs?

> and the certs/keys look good when I browse them in
> Edit->Preferences->Privacy & Security -> Manage Certificate, however,
> when I use 'signtool -d "path to db" -L', it only lists the three
> certs I imported, without all the other CA certs (Verisign, for
> example) that are default in the db.

That is a difference between DBs created by Communicator and Mozilla.
Communicator cert DBs all have all the root CA certs in them.
Mozilla stores the "built in" root CA certs in a separate DSO/DLL named
nssckbi.dll or nssckbi.so, and so doesn't store them in the cert DB.
When you're using a DB from Mozilla, if your application needs any of
the "built-in" root CA certs, it must load the nssckbi DLL/DSO.
Sounds like signtool didn't load the nssckbi DLL or DSO.

But that shouldn't matter in your case (as I understand it), because
a) your certs don't chain to any of those other root CAs, and
b) you're using your own root CA, and that _is_ one of the certs that
appears in your list.

> Then I try to fire 'signtool -d "path to db" -k "my cert" -Z
> signed.jar signdir', it will fail with:
> signtool: the cert "my cert" does not exist in the database: Problem
> with database
> the tree "signdir" was NOT SUCCESSFULLY SIGNED

You said your cert shows up when you list certs using the -L option.
Do they show up when you list certs using the -l option, which lists
certs that are allowed to sign objects?

> What I suspected is the certificate extensions could be the
> problem, currently I add following to end user cert:
>
> X509v3 extensions:
>     X509v3 Basic Constraints:
>         CA:FALSE
>     Netscape Cert Type:
>         SSL Client, S/MIME, Object Signing
>     X509v3 Key Usage:
>         Digital Signature, Non Repudiation, Key Encipherment

This all looks good, I think.

-- 
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
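An added example, not part of the original thread, to check the extension bits Loren lists above. It walks a DER-encoded X.509v3 Extensions sequence with only the Python standard library and reports the Basic Constraints, Key Usage and Netscape Cert Type flags. The two DER byte strings are constructed by hand: one matches Loren's end user cert dump (CA:FALSE; Digital Signature, Non Repudiation, Key Encipherment; SSL Client, S/MIME, Object Signing), the other is what a CA cert would carry (CA:TRUE; Certificate Sign, CRL Sign), so it runs offline. The can_sign_objects verdict is a local sanity check on those bits only and is an assumption of this example; which certs signtool -l lists also depends on the trust settings in the DB, which this code does not model.

```python
"""Decode the X.509v3 extensions relevant to object signing from DER.

Added example, not from the original thread. Standard library only; the
sample extension sequences below are constructed by hand.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
OID_NS_CERT_TYPE = "2.16.840.1.113730.1.1"

# RFC 5280 KeyUsage bit names, bit 0 = most significant bit of the first byte.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
# Netscape Cert Type bit names, same MSB-first numbering.
NS_CERT_TYPE_BITS = ["sslClient", "sslServer", "smime", "objectSigning",
                     "reserved", "sslCA", "smimeCA", "objectSigningCA"]

# Constructed: the three extensions from Loren's end user cert dump.
SAMPLE_END_USER_EXTENSIONS = bytes.fromhex(
    "302b"
    "3009" "0603551d13" "0402" "3000"          # basicConstraints: empty SEQ => cA FALSE
    "300b" "0603551d0f" "0404" "030205e0"      # keyUsage: bits 0,1,2 set, 5 unused
    "3011" "06096086480186f8420101" "0404" "030204b0"  # nsCertType: bits 0,2,3 set
)
# Constructed: what a CA certificate (e.g. the "Class 1 CA") would carry instead.
SAMPLE_CA_EXTENSIONS = bytes.fromhex(
    "301b"
    "300c" "0603551d13" "0405" "30030101ff"    # basicConstraints: cA TRUE
    "300b" "0603551d0f" "0404" "03020106"      # keyUsage: keyCertSign, cRLSign
)


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:                    # base-128, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def bit_string_flags(value, names):
    """Return the set of named flags set in the body of a DER BIT STRING."""
    unused = value[0]                      # first byte: number of unused trailing bits
    payload = value[1:]
    bits = int.from_bytes(payload, "big")
    total = 8 * len(payload) - unused
    top = 8 * len(payload) - 1             # position of bit 0 within the integer
    return {names[i] for i in range(min(total, len(names))) if (bits >> (top - i)) & 1}


def parse_extensions(der):
    """Walk Extensions ::= SEQUENCE OF Extension; return {oid: (critical, extnValue)}."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                    # optional BOOLEAN critical DEFAULT FALSE
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        out[decode_oid(oid)] = (critical, val)   # val is the OCTET STRING body (inner DER)
    return out


def object_signing_report(der):
    """Summarise the bits an object-signing end user cert is expected to carry."""
    exts = parse_extensions(der)
    report = {"ca": None, "key_usage": set(), "ns_cert_type": set()}
    if OID_BASIC_CONSTRAINTS in exts:
        _, seq, _ = read_tlv(exts[OID_BASIC_CONSTRAINTS][1], 0)
        # DER omits cA when it equals the default FALSE, so an empty SEQUENCE
        # means an end-entity cert; cA TRUE is encoded as 01 01 ff.
        report["ca"] = len(seq) >= 3 and seq[0] == 0x01 and seq[2] != 0
    if OID_KEY_USAGE in exts:
        _, bits, _ = read_tlv(exts[OID_KEY_USAGE][1], 0)
        report["key_usage"] = bit_string_flags(bits, KEY_USAGE_BITS)
    if OID_NS_CERT_TYPE in exts:
        _, bits, _ = read_tlv(exts[OID_NS_CERT_TYPE][1], 0)
        report["ns_cert_type"] = bit_string_flags(bits, NS_CERT_TYPE_BITS)
    # Assumption of this example: a non-CA cert with digitalSignature and the
    # Netscape objectSigning bit. NSS trust flags in the DB are not modelled here.
    report["can_sign_objects"] = (not report["ca"]
                                  and "digitalSignature" in report["key_usage"]
                                  and "objectSigning" in report["ns_cert_type"])
    return report


if __name__ == "__main__":
    for label, der in (("end user", SAMPLE_END_USER_EXTENSIONS), ("CA", SAMPLE_CA_EXTENSIONS)):
        print(label, object_signing_report(der))
```

To run it against a real cert, point it at the Extensions TLV of the DER form (openssl asn1parse -inform DER -i prints the offsets, and -strparse extracts a sub-structure at a given offset); the CA sample is there to show what you see if the nickname passed to -k is the CA cert rather than the end user cert.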
