With <signtool -l> I always get: ----------------------------------- My Client's name's VeriSign, Inc. ID Issued by: VeriSign Class 3 Code Signing 2004 CA - VeriSign, Inc. (VeriSign Class 3 Code Signing 2004 CA) Expires: Sat Dec 17, 2005 ++ Error ++ ISSUER CERT "VeriSign Class 3 Code Signing 2004 CA - VeriSign, Inc." IS NOT VALID (security error -8174<or 8055>) ----------------------------------- I downloaded the certificate with Netscape7.01 I tried also to export it in .p12 and to reimport with -netscape 4.76 -NSS3.6 pk12util.exe -NSS3.9 pk12util.exe but I always get the same error. What can I do?
Thank you. Jacopo Zamberlan
Error -8174 is: Security library: bad database - This means you haven't specified the proper directory where the key3.db,cert8.db, and secmod.db live
Error -8055 is: No matching CRL was found. - I haven't seen this one personally, and can't comment on a fix, but I can suggest importing the CRL for the issuer of your certificate (where to get it might be on the cert as a CDP, "CRL Distribution Point").
The first error is easy to fix, you're not specifying something that is needed on the command line. When I run "signtool -l" I get this:
* C:\Documents and Settings\dstutzman>signtool -l
* You must specify the location of your certificate directory
* with the -d option. Example: -d ~/.netscape in many cases with Unix.
which points to the fix.
Basically you want to add "-d <netscape profile dir>" to your command like so:
C:\Documents and Settings\dstutzman>signtool -l -d "%USERPROFILE%\Application Data\Mozilla\Profiles\default\pzfvvhzd.slt"
using certificate directory: C:\Documents and Settings\dstutzman\Application Data\Mozilla\Profiles\default\pzfvvhzd.slt
Object signing certificates
---------------------------------------
David Stutzman's pki.mil ID
++ Error ++ Unable to find issuer certificate
tnosc.pki.mil ID CA
Issued by: root-ca.pki.mil Root CA (DoD CLASS 3 Root CA)
Expires: Thu Nov 04, 2010
conus.pki.mil ID CA
Issued by: root-ca.pki.mil Root CA (DoD CLASS 3 Root CA)
Expires: Fri Oct 29, 2010
conus.pki.mil Email CA
Issued by: root-ca.pki.mil Root CA (DoD CLASS 3 Root CA)
Expires: Fri Oct 29, 2010
tnosc.pki.mil Email CA
Issued by: root-ca.pki.mil Root CA (DoD CLASS 3 Root CA)
Expires: Thu Nov 04, 2010
---------------------------------------
For a list including CA's, use "signtool -L"Now, If you don't know where you're Netscape profile lives, then do a search for "*.slt" and it should find the folder for you. Then just specify the path to that folder (enclosed in "" if it has spaces in it) after the -d option to signtool and you should be in good shape.
-Dave _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
