suckerformimi wrote:
> I was right-clicking the cert in Windows Explorer (file manager) and
> opening the cert with MS Crypto Shell Extensions.

OK, so any information you saw there was of no relevance to Mozilla
products, including the names of the certs (e.g. "SignShot") displayed there.

> But I was importing and attempting to sign code with the NSS tools.

Ok, to do that, you need to import all the following into NSS:
a) the private key that corresponds to the public key in your cert
b) your public key cert
c) Any CA certs between your cert and the root issuing CA, if any.

Now, I'm guessing that you "enrolled" to get your cert using Windows
software.  So, your private key is in one of Windows' key stores.
You need to "export" all the stuff I listed above into a "PKCS12" file
(a file with a .p12 or .pfx suffix).  Windows' cert manager will happily
let you do that.  Before doing that, you need to ensure that the
cert you're going to export has a "friendly name", using Windows cert
manager.  When you export it to a pfx file, you need to give the pfx file
a password.  (Windows Cert manager will let you export it without a password
but NSS won't let you import a pfx file without a password).

> I've imported the certificate into a db in the current folder using NSS
>   > certutil -A -n "SingShot Object Signing" -t "TCu,TCu,TCu" -d . -i
> mycert.spc
> 
> When I do
>   > certutil -L -d .
> I get:
>   > SingShot Object Signing     CT,C,C
>   > myTestCert                        u,u,Cu

The "u" character means that NSS has the private key that goes with that
cert.  You can try to set that "u" flag yourself, (as you did in the above
example), but it will have no effect.  If you have the private key, then
the u will appear, and if you don't, it won't.

> Should there be a 'u' in the 3rd column for the 'SingShot Object
> Signing' cert if it's valid for signing code? I suppose that might be
> the difference between my Thawte and temporary certs.

You have to have the private key in order to sign anything, and apparently
you don't.  So you've imported the cert, but not the private key.
You need to import both.  Your cert shouldn't need any special trust flags.
The argument -t ",," should work just fine, if you've got your issuer CA
cert in your cert DB (or in the "builtin" list of CAs).

> How can I tell whether my certificate will even work for signing code
> using NSS tools?

Well, once you have the cert AND private key imported, it should work.

You're doing a good job of figuring out most of this stuff by yourself,
which is commendable.  So, keep going and I think soon you'll have it
solved.

-- 
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
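The PKCS#12 import and the "u" trust-flag check described in the reply above, as an added shell example that is not part of the original thread; the db directory, the .p12 file name and the sample listing are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread. It covers the two steps in
# the reply above: import the Windows-exported .p12/.pfx (key + cert + chain)
# into an NSS db with pk12util, then read `certutil -L` output and check whether
# a nickname's flags carry the 'u' that marks a present private key.
# The db path, .p12 path and the listing below are assumptions/constructed.

# Create the NSS db if needed and import the PKCS#12 bundle into it.
# pk12util (not `certutil -A`) is the NSS tool that brings the private key along.
import_p12() {
    dbdir="$1"; p12file="$2"
    [ -f "$dbdir/cert9.db" ] || [ -f "$dbdir/cert8.db" ] ||
        { mkdir -p "$dbdir" && certutil -N -d "$dbdir"; }   # prompts for a db password
    pk12util -i "$p12file" -d "$dbdir"                       # prompts for the .p12 password
}

# Print the trust-flag column for one nickname from `certutil -L -d <dir>` output.
# Nicknames may contain spaces, so strip the last field rather than taking $1.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF; name = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", name)   # drop flags column
            if (name == nick) { print flags; exit }
        }'
}

# 0 if NSS holds the private key for the nickname ('u' in any trust slot),
# 1 if the cert is present without its key, 2 if the nickname is absent.
has_private_key() {
    flags=$(trust_flags "$1" "$2")
    [ -n "$flags" ] || return 2
    case "$flags" in *u*) return 0 ;; *) return 1 ;; esac
}

# Constructed `certutil -L` output mirroring the listing quoted in the thread.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

SingShot Object Signing                                      CT,C,C
myTestCert                                                   u,u,Cu
'

# Against a real db:  import_p12 ./nssdb mycert.pfx
#                     has_private_key "$(certutil -L -d ./nssdb)" 'SingShot Object Signing'
for nick in 'SingShot Object Signing' myTestCert; do
    has_private_key "$SAMPLE_LISTING" "$nick" && echo "$nick: key present, can sign" \
        || echo "$nick: no private key (flags: $(trust_flags "$SAMPLE_LISTING" "$nick"))"
done
```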
