> When I edit the CA certificate there are three check boxes:
> X This certificate can identify web sites
> _ This certificate can identify mail users
> X This certificate can identify software makers.
>
> I believe that 'software makers' is the role that is needed here. I have both 'web sites' and 'software makers' checked.
The CA cert itself says that it is only valid for object signing, which means that it is not valid for identifying web sites or email. So, the only one you should check is "software makers".
> I think if you check 'software makers' on the certificate, you will get there.
After I had downloaded the cacert and marked it trusted for software makers, I exited the browser, and then ran the signtool program to check the validity of the signature. It said the file's signature was valid on both files.
I used the signtool program and DLLs from NSS 3.9. There is a REALLY ANCIENT version of signtool on developer.netscape.com that no-one should be using any more. Please use the current version.
Anyway, based on my test with signtool, I conclude that if NSS's jar file signature code is used properly (by the browser) with this jar file, it will get the right result. So, I don't think any bug in NSS's jar file signature verification code has been identified here.
> I think I am going to regenerate my set of certificates tonight (my notes on doing this are at home).
If you do, be CERTAIN that you do not reuse any previously used serial numbers. That is the #1 most common mistake made by people who play CA.
> The root of the problem may be how the CA was created. The common name (CN) is 'arcamax.com nss root CA'. I suspect it should just be a domain name.
A cert for a CA that issues SSL server certs does not need to have any domain name in the subject name or subject alternate names.
I still don't quite understand what the original problem was, so it's difficult for me to advise you about that.
The CA certificate you have now plainly says that it is good only for signing object signing certs. If you want it to be valid for other purposes, such as for issuing SSL server certs, you must put those other purposes into the Extended Key Usage extension.
The server from which the jar file is being downloaded has a cert from the Verisign/RSA secure server CA. So, I'm not sure why you want your object signing root CA cert to be valid for SSL servers.
> Bryan White
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
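As an added example, not part of this thread and not code from NSS or signtool, the following script uses the OpenSSL command line (assumed to be version 1.1.1 or newer and on PATH) to show the two points made in the reply above: a root CA whose Extended Key Usage lists only code signing is rejected when its chain is checked for the SSL server purpose, the same CA with serverAuth added to the extension is accepted, and a reused serial number is easy to catch by listing the serials a CA has issued. Every name in it ("example nss root CA", www.example.test) is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this thread or from NSS/signtool: build two
# throwaway root CAs whose extendedKeyUsage differs, issue a server cert from
# each, and let OpenSSL's purpose-aware verification show which CA is allowed
# to vouch for an SSL server. A second check catches a reused serial number.
# Assumes the openssl CLI (1.1.1 or newer, for -addext and -ext) is on PATH.
# All names ("example nss root CA", www.example.test) are made up for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {
    # $1 = CA basename, $2 = extendedKeyUsage value for the CA cert.
    # req -x509 adds basicConstraints CA:TRUE from the default config.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example nss root CA $1" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_leaf_csr() {
    # One server key and CSR, signed below by whichever CA is under test.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
}

sign_leaf() {
    # $1 = issuing CA basename, $2 = leaf basename, $3 = serial number.
    # Output is named <ca>-<leaf>.pem so duplicate_serials can group by CA.
    openssl x509 -req -in "$WORK/leaf.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -set_serial "$3" \
        -days 30 -out "$WORK/$1-$2.pem" 2>/dev/null
}

ca_eku() {
    # Print the CA cert's Extended Key Usage values, e.g. "Code Signing".
    openssl x509 -in "$WORK/$1.pem" -noout -ext extendedKeyUsage 2>/dev/null \
        | tail -n 1 | sed 's/^ *//'
}

verify_for_purpose() {
    # $1 = CA basename, $2 = leaf basename, $3 = openssl -purpose name.
    # Exit status 0 only if every cert in the chain, the CA included, permits
    # that purpose; a CA whose EKU lacks serverAuth fails "sslserver".
    openssl verify -CAfile "$WORK/$1.pem" -purpose "$3" \
        "$WORK/$1-$2.pem" >/dev/null 2>&1
}

duplicate_serials() {
    # $1 = CA basename. Print (hex) serials that appear on more than one cert
    # issued by that CA; a correctly run CA never prints anything here.
    for f in "$WORK/$1"-*.pem; do
        openssl x509 -in "$f" -noout -serial 2>/dev/null
    done | sed 's/^serial=//' | sort | uniq -d
}

demo() {
    make_ca ca-code "codeSigning"
    make_ca ca-both "codeSigning,serverAuth"
    make_leaf_csr
    sign_leaf ca-code srv1 1000
    sign_leaf ca-code srv2 1000      # same serial as srv1: the mistake to avoid
    sign_leaf ca-both srv1 1000
    for ca in ca-code ca-both; do
        echo "$ca EKU: $(ca_eku "$ca")"
        if verify_for_purpose "$ca" srv1 sslserver; then
            echo "$ca: chain accepted for sslserver"
        else
            echo "$ca: chain rejected for sslserver"
        fi
        echo "$ca reused serials: $(duplicate_serials "$ca")"
    done
}
demo
```

The rejection for ca-code comes from OpenSSL applying the purpose check to every certificate in the chain, not just the leaf, which is the same reasoning the reply gives for the NSS trust check boxes: a CA cert that declares itself valid only for object signing cannot vouch for a web site no matter what the issued certificate says. The duplicate-serial check only works because the script keeps every certificate it issues; a real CA keeps that record in its database, and never handing out the same serial twice is what the reply's warning is about.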
