"Nelson B. Bolyard" <[EMAIL PROTECTED]> wrote in message 
news:<[EMAIL PROTECTED]>...
> You said your cert shows up when you list certs using the -L option.
> Do they show up when you list certs using the -l option, which lists certs
> that are allowed to sign objects?

  OK, we are getting somewhere :)

When using the -l option, I found that signtool will choke on some
of my cert extensions, since it complains about finding the issuer of my
object-signing cert. I then used certutil to parse the cert and found
that the victim's authority key identifier extension contains some
funny characters in it; it seems that the extension is not well
recognized by certutil (and presumably signtool).

  Then I reissued the whole chain and put only basicConstraints
(non-critical) in the CA certs, while the user cert got basicConstraints
and nsCertType. From the PSM Manage Certificates dialog, everything
looks good; from certutil, it can read all the certs and extensions.
But using signtool -l, it spits out the obj signing cert with:
=================================================================
using certificate directory: .

Object signing certificates
---------------------------------------
Loren test obj sign cert 2
    Issued by: Object Signing User Certification Authority 1 - ABC
Company (Object Signing User Certification Authority 1)
    Expires: Sat Oct 11, 2003
    ++ Error ++ THIS CERTIFICATE IS NOT VALID (bad signature)
---------------------------------------
For a list including CA's, use "signtool -L"
=================================================================

   I suspect that signtool can't recognize the extension encoding
of Mozilla's db, but it understands Communicator's.

Regards,

Loren
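The diagnosis above hinges on whether the authority key identifier (AKI) extension on the leaf cert is well-formed DER and whether its key id actually matches the issuer's subject key identifier (SKI). The block below is an added example, not code from this thread, signtool, certutil or NSS: a minimal DER TLV walker that decodes both extension values and reports malformed encodings or a key id mismatch, which is the check a tool like signtool effectively performs before it can find the issuer. All sample byte strings are constructed for the example; the function names are the example's own.

```python
"""Decode and sanity-check AuthorityKeyIdentifier / SubjectKeyIdentifier
extension values with a tiny DER walker (added example; not NSS code)."""

OID_SKI = "2.5.29.14"   # id-ce-subjectKeyIdentifier (RFC 5280)
OID_AKI = "2.5.29.35"   # id-ce-authorityKeyIdentifier (RFC 5280)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated DER: no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if pos >= len(buf):
        raise ValueError("truncated DER: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length, 1..4 bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        if pos + n > len(buf):
            raise ValueError("truncated DER: length bytes missing")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError(f"truncated DER: need {length} bytes at offset {pos}")
    return tag, buf[pos:end], end


def decode_ski(value):
    """SubjectKeyIdentifier ::= OCTET STRING (the KeyIdentifier itself)."""
    tag, keyid, end = read_tlv(value)
    if tag != 0x04 or end != len(value):
        raise ValueError("SKI is not a single OCTET STRING")
    return keyid


def decode_aki(value):
    """AuthorityKeyIdentifier ::= SEQUENCE {
         keyIdentifier             [0] IMPLICIT OCTET STRING  OPTIONAL,
         authorityCertIssuer       [1] IMPLICIT GeneralNames  OPTIONAL,
         authorityCertSerialNumber [2] IMPLICIT INTEGER       OPTIONAL }"""
    tag, body, end = read_tlv(value)
    if tag != 0x30 or end != len(value):
        raise ValueError("AKI is not a single SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, field, pos = read_tlv(body, pos)
        if tag == 0x80:                   # [0] primitive: keyIdentifier
            fields["keyIdentifier"] = field
        elif tag == 0xA1:                 # [1] constructed: GeneralNames
            fields["authorityCertIssuer"] = field
        elif tag == 0x82:                 # [2] primitive: serial number
            fields["authorityCertSerialNumber"] = int.from_bytes(field, "big")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside AKI")
    return fields


def check_link(leaf_aki_value, issuer_ski_value):
    """Return (ok, message) for a leaf's AKI against its issuer's SKI."""
    try:
        aki = decode_aki(leaf_aki_value)
        ski = decode_ski(issuer_ski_value)
    except ValueError as exc:
        return False, f"undecodable extension: {exc}"
    if "keyIdentifier" not in aki:
        return True, "AKI carries no keyIdentifier; cannot match by key id"
    if aki["keyIdentifier"] != ski:
        return False, "AKI keyIdentifier does not match issuer SKI"
    return True, "key identifiers match"


# Constructed sample extension values (not taken from any real cert).
KEYID = bytes(range(0x10, 0x24))                       # 20-byte key id
GOOD_SKI = b"\x04\x14" + KEYID                         # OCTET STRING
GOOD_AKI = b"\x30\x16\x80\x14" + KEYID                 # SEQUENCE { [0] keyid }
AKI_WITH_SERIAL = b"\x30\x19\x80\x14" + KEYID + b"\x82\x01\x05"
BAD_TAG_AKI = b"\x30\x16\x04\x14" + KEYID              # keyid as plain OCTET STRING
TRUNCATED_AKI = b"\x30\x16\x80\x14" + KEYID[:10]       # length says 22, 14 present
OTHER_SKI = b"\x04\x14" + bytes(range(0x40, 0x54))    # a different issuer key

if __name__ == "__main__":
    for name, aki in [("good", GOOD_AKI), ("bad tag", BAD_TAG_AKI),
                      ("truncated", TRUNCATED_AKI)]:
        print(name, check_link(aki, GOOD_SKI))
    print("mismatch", check_link(GOOD_AKI, OTHER_SKI))
```

The "bad tag" sample is the kind of encoding slip that shows up as "funny characters" in a dumper: the key id is present but wrapped in a universal OCTET STRING (0x04) instead of the context-specific [0] tag (0x80), so a strict decoder rejects the extension and can no longer locate the issuer by key id.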
