Hello all, I am trying to sign javascript files and running into some
issues. Hopefully someone can point me in the right direction.

I did obtain a code signing certificate from Certum. They issue the
certificate as part of a chain: certum root CA -> certum level I ->
mycert.


I created a cert db with the certutil program:
1. certutil.exe -N -d


I have three cer files: one for each cert in the chain. Since certum
root ca is already contained in the list of root certs, I do not bother
to import this one. However, I do import certum level I and mycert:
2. certutil.exe -A -t Cu -n "Certum Level I" -i certum1.cer -d .
3. certutil.exe -A -t u -n "mycert" -i mycert.cer -d .


I attempt to sign a javascript file and it fails. A check with signtool
-l -d . reveals that the cert is not valid:


H:\keys\code sign>c:signtool -l -d .
using certificate directory: .


Object signing certificates
---------------------------------------
mycert
    Issued by: Certum Level I (Certum Level I)
    Expires: Thu Oct 26, 2006
    ++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority certificate invalid)
---------------------------------------
For a list including CA's, use "signtool -L"


I assume I am doing something wrong on the import since these certs are
chained. I know that the certs are good as they seem to be accepted by
the microsoft certificate manager. I am banging my head against my
keyboard. Any help would be greatly appreciated.


Thanks-
Christian
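
The -t arguments in the certutil commands above use NSS's trust format: up to three comma-separated fields, in the order SSL, e-mail, object signing. The following is an added example, not part of the original posts and not NSS code, that decodes such a value field by field; the function names are this example's own, and only the six commonly documented codes are modelled.

```python
# Added example: models certutil's documented -t trust-argument format.
# Not NSS source code; all names below are this example's own.
FIELDS = ("ssl", "email", "object_signing")
CODES = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA",
    "T": "trusted CA for client authentication",
    "u": "user certificate",
}

def decode_trustargs(trustargs):
    """Split a -t argument into its SSL, e-mail and object-signing fields."""
    parts = trustargs.split(",")
    if len(parts) > len(FIELDS):
        raise ValueError("at most three comma-separated fields are modelled")
    parts += [""] * (len(FIELDS) - len(parts))  # omitted fields stay empty
    decoded = {}
    for field, codes in zip(FIELDS, parts):
        unknown = [c for c in codes if c not in CODES]
        if unknown:
            raise ValueError(f"unknown trust code(s) {unknown} in {trustargs!r}")
        decoded[field] = [CODES[c] for c in codes]
    return decoded

def trusted_ca_for(trustargs, field):
    """True if the named field carries the 'C' (trusted CA) code."""
    return "trusted CA" in decode_trustargs(trustargs)[field]

if __name__ == "__main__":
    # The two -t values from the post, plus a constructed three-field value.
    for arg in ("Cu", "u", ",,C"):
        print(f"-t {arg!r}")
        for field, meanings in decode_trustargs(arg).items():
            print(f"    {field:15} {', '.join(meanings) or '(none)'}")
```

A value with no commas, such as the ones in the post, fills only the first (SSL) field; `certutil -L -d .` prints the stored flags in the same three-field form.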




From:  [EMAIL PROTECTED]
Date:  Mon, Aug 28 2006 9:18 am
Groups:   netscape.public.mozilla.crypto


Well, I got a bit further on this.

I was able to get the javascript signed, but the certificate (since it
is in a chain of which the middle cert is unknown to mozilla) was not
recognized since it was in a chain.


Here are the steps:
1. I converted my spc and pvk into pfx using the pvkimprt tool (on Win
2K since this tool doesn't work on Win XP)
2. Imported the pfx into the cert management of mozilla browser
3. Used the signtool to sign the javascript, pointing the signtool to
the mozilla cert db (it's in the user's directory under
mozilla/profiles).


Once I generated my signed jar, I removed all added certs from mozilla
and opened the javascript in the jar. Result was that the cert was not
recognized:


certum root CA -> certum level I -> mycert and certum level I is not a
cert that is delivered with mozilla. However, certum root CA is...


Once I import certum level I, it works fine, however that is of no use
to the users on the net as I can't ask them to import some cert. I
wonder, however, whether it is possible to deliver the missing cert as
part of the signed jar file?


Any pointers on whether this is possible and how to do so?


Christian

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
