Loren wrote:

>   Then I reissue the whole chain and put only basicConstraints
> (non-critical) in CA certs, while the user cert got basicConstraints
> and nsCertType. From the PSM Manage Certificates dialog, everything
> looks good, from certutil, it can read all the certs and extensions.
> but using signtool -l, it spits out the obj signing cert with :
> =================================================================
> using certificate directory: .
> 
> Object signing certificates
> ---------------------------------------
> Loren test obj sign cert 2
>     Issued by: Object Signing User Certification Authority 1 - ABC
> Company (Object Signing User Certification Authority 1)
>     Expires: Sat Oct 11, 2003
>     ++ Error ++ THIS CERTIFICATE IS NOT VALID (bad signature)
> ---------------------------------------
> For a list including CA's, use "signtool -L"
> =================================================================
> 
>    I suspect it is the signtool can't recognize the extension encoding
> of Mozilla's db, but it understands Communicator's.

Extensions aren't likely the problem, IMO.

You wrote that you reissued the whole chain.  Did you perhaps reuse the
same serial numbers as in the original chain, creating new certs with 
the same issuer name and serial numbers as previously issued certs?
If so, that could explain your signature failure.

It's difficult to diagnose issues with cert chains without having 
complete copies of the relevant certs.  Sometimes it is also necessary
to have a copy of the user's cert DB (but not key db).  Most of the time,
the problems are caused by the issuance of certs with duplicated issuer
names and serial numbers, or issuance of certs whose subject names are
identical to their issuer names, but that are not self-signed.

--
Nelson B
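The two defects named in the reply (a reissued cert that reuses the issuer name and serial number of an earlier one, and a cert whose subject equals its issuer without being self-signed) can be checked for mechanically. The following Go program is an added example, not code from the thread or from NSS; it builds a constructed cert DB in exactly the suspected state and shows why a lookup keyed on issuer plus serial can hand back the stale root and produce a "bad signature" result. The one-entry-per-key store in `DedupByIssuerSerial` is a simplified model for illustration, not NSS's real lookup logic, and all names and serials are made up.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Finding is one of the two chain defects discussed in the reply above.
type Finding struct {
	Kind    string // "duplicate-issuer-serial" or "subject-equals-issuer-not-self-signed"
	Subject string
}

// makeCert issues a test certificate with a fresh P-256 key. With parent == nil
// the cert is self-signed; otherwise it is signed by parent using parentKey.
func makeCert(cn string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildScenario constructs (made-up data) a DB in the state the reply suspects:
// the original root, a reissued root with the same subject and serial but a new
// key, a leaf signed by the reissued root, and a cert whose subject equals its
// issuer although it was signed by another key.
func BuildScenario() []*x509.Certificate {
	oldRoot, _ := makeCert("Test Root CA", 1, true, nil, nil)
	newRoot, newKey := makeCert("Test Root CA", 1, true, nil, nil)
	leaf, _ := makeCert("Test obj sign cert", 2, false, newRoot, newKey)
	bogus, _ := makeCert("Test Root CA", 3, true, newRoot, newKey)
	return []*x509.Certificate{oldRoot, newRoot, leaf, bogus}
}

func issuerSerialKey(c *x509.Certificate) string {
	return string(c.RawIssuer) + "|" + c.SerialNumber.String()
}

// AuditChain reports certs that collide on (issuer DN, serial) and certs that
// name themselves as issuer without being signed by their own key.
func AuditChain(certs []*x509.Certificate) []Finding {
	var out []Finding
	seen := map[string]bool{}
	for _, c := range certs {
		k := issuerSerialKey(c)
		if seen[k] {
			out = append(out, Finding{"duplicate-issuer-serial", c.Subject.CommonName})
		}
		seen[k] = true
		if bytes.Equal(c.RawSubject, c.RawIssuer) {
			// Check the signature with the cert's own public key, no CA checks.
			if err := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
				out = append(out, Finding{"subject-equals-issuer-not-self-signed", c.Subject.CommonName})
			}
		}
	}
	return out
}

// DedupByIssuerSerial models a store that identifies a cert by issuer and serial
// only (an assumption for illustration): the first cert stored under a key wins,
// so the stale root shadows the reissued one.
func DedupByIssuerSerial(certs []*x509.Certificate) []*x509.Certificate {
	var out []*x509.Certificate
	seen := map[string]bool{}
	for _, c := range certs {
		if k := issuerSerialKey(c); !seen[k] {
			seen[k] = true
			out = append(out, c)
		}
	}
	return out
}

// VerifyLeaf finds the leaf's issuer by subject name in db and checks the leaf's
// signature against it, the step that signtool reports as "bad signature".
func VerifyLeaf(leaf *x509.Certificate, db []*x509.Certificate) error {
	for _, c := range db {
		if bytes.Equal(c.RawSubject, leaf.RawIssuer) {
			return leaf.CheckSignatureFrom(c)
		}
	}
	return errors.New("issuer not found in db")
}

func main() {
	db := BuildScenario()
	for _, f := range AuditChain(db) {
		fmt.Printf("%s: %s\n", f.Kind, f.Subject)
	}
	fmt.Println("with stale root present:", VerifyLeaf(db[2], DedupByIssuerSerial(db)))
	fmt.Println("after removing stale root:", VerifyLeaf(db[2], DedupByIssuerSerial(db[1:])))
}
```

Run as `go run`: the audit lists the duplicate (issuer, serial) pair and the subject-equals-issuer cert, the leaf fails to verify while the old root is still in the store, and it verifies once the old root is removed and the reissued root is the one found by name. The practical takeaway matches the advice above: delete the old certs from the DB before importing a reissued chain, or issue the new chain with fresh serial numbers.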
