Oliver Floericke wrote:
>
> Hi there,
>
> I'm trying to create a certificate with openssl that I can import into
> Netscape and then use this for signing jar files.
>
> The problem I have is that even the import is runing without problems my CA
> certificate (not the one I want to use for the signing) is not mentioned in
> the Signers Section and running the signtool I get the message that the
> certificate (now the one I use for certification) is 'not approved for this
> operation'. If I try to import my CA certificate stand alone it always go to
> 'own certificates' and not to 'Signer'.
>
> Before you ask me: Yes I was looking into the PKCS#12 FAQ from Dr. Henson
> but I still have the problem :-(
>
> My nsCertType in the usr_cert section of openssl.cnf is set to objSign, and
> in the v3_ca to sslCA, emailCA.
>
What about objCA as well?
Also there are a few problems with object signing certificates (and some
others) in Netscape. If the names are identical, or very close it can
get confused. Netscapes certificate and key database is alas a bit
fragile :-(
If you still have problems send me the zipped or gziped PKCS#12 file and
I'll have a look at it: this is to avoid Netscape sending the file as
text/plain and breaking it.
Regards, Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
