Nelson, thank you very much for your reply. I have attempted to sign the jar file again, watching out for the steps you mentioned along the way. Here is some information:

1. After I import the p12/pfx file into Mozilla via its cert manager, mycert shows up, as well as a new intermediate cert in the Authorities tab.
2. I close the browser and attempt to sign. This does not work, stating "the issuer cert is invalid".
3. I reopen the browser and check the intermediate cert. It is there: intermediate cert, "Software Security Device". It is verified for SSL server cert, email signer cert, email recipient cert, SSL cert authority, and status responder cert.
4. I click on Edit and none of the three trust options are set. I set "cert can identify software makers". I close the browser.
5. I attempt to sign again. This time it works and I upload my jar to my web server.
6. I open my browser and remove the intermediate cert as well as my cert and close my browser.
7. I open the signed file in a newly opened browser --- it doesn't seem to recognize the signed file.
I suspect that either the intermediate cert was not included while signing or there is an issue with recognizing what the intermediate cert is entrusted with (a similar issue to steps 2-4 above). Is there any way I can check what certs are included in the jar file and what they are entrusted with?

Thanks again for your help -
Christian

Nelson B wrote:
> Christian <[EMAIL PROTECTED]> wrote:
>
> > Hello all, I am trying to sign javascript files and running into some
> > issues. Hopefully someone can point me in the right direction.
> >
> > I did obtain a code signing certificate from Certum.
> > They issue the certificate as part of a chain:
> > certum root CA -> certum level I -> mycert.
>
> I presume you obtained that cert with your browser. That is,
> you visited a certum web site that caused your browser to generate a
> pair of keys, a private key and a public key. The public key went
> into the certificate that Certum issued to you. The private key
> remained in your browser's key3.db file.
>
> Or perhaps you generated your key pair using another program,
> such as OpenSSL, in which case your private key is in whatever file
> OpenSSL put it in.
>
> Either way, you'll need that private key, in addition to your certificate
> chain, when you go to sign your files.
>
> > I created a cert db with the certutil program:
> > 1. certutil.exe -N -d
>
> That created 3 files, cert8.db, key3.db and secmod.db, all effectively
> empty.
>
> > I have three cer files: one for each cert in the chain. Since certum
> > root ca is already contained in the list of root certs, I do not bother
> > to import this one. However, I do import certum level I and mycert:
> > 2. certutil.exe -A -t Cu -n "Certum Level I" -i certum1.cer -d .
> > 3. certutil.exe -A -t u -n "mycert" -i mycert.cer -d .
>
> You're planning on relying on the browsers' built-in list of root CA certs.
> That's fine. But the signing program will need access to that list to do
> its job. It will want to recreate the entire cert chain. To do that, it
> will need access to that root CA cert. You can either import that cert
> too, or else make a copy of the built-in root certs module available to
> the signing program.
>
> Also, the sequence of commands you showed above has put your cert and
> the intermediate CA cert into your new cert8.db file, but has not put
> your private key into the corresponding key3.db file. You'll need to
> do that. I can't advise you how to do that until we know where that
> private key is (e.g. Windows key store, OpenSSL file, mozilla key3.db file,
> etc.)
>
> > I attempt to sign a javascript file and it fails. A check with signtool
> > -l -d . reveals that the cert is not valid:
> >
> > H:\keys\code sign>c:signtool -l -d .
> > using certificate directory: .
> >
> > Object signing certificates
> > ---------------------------------------
> > mycert
> > Issued by: Certum Level I (Certum Level I)
> > Expires: Thu Oct 26, 2006
> > ++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority
> > certificate invalid)
> > ---------------------------------------
> > For a list including CA's, use "signtool -L"
> >
> > I assume I am doing something wrong on the import since these certs are
> > chained. I know that the certs are good as they seem to be accepted by
> > the microsoft certificate manager. I am banging my head against my
> > keyboard. Any help would be greatly appreciated.
>
> Your poor keyboard! :)
>
> Your signing program probably can't validate that cert because it cannot
> find the trusted Certum root certificate that issued it.
>
> You could import the certum root and mark it trusted for object signing,
> or you could copy the browser's list of trusted root CA certs into your
> signing directory and tell the signing tool to use it.
>
> To mark a root CA cert trusted for object signing, you need to set the
> trust arguments as ",,C" (not "C").
>
> To use the browser's list of trusted root CA certs, find the file
> nssckbi.dll among your (mozilla family) browser's files, and copy it to
> the directory where you put your new cert8.db file. Then run a command
> to configure the NSS tools to know about that nssckbi.dll file.
> I think you can do that with the command:
> certutil -L -d . -X -h all
> If it succeeds, it will list all the certs found in the nssckbi.dll file.
> Afterwards, your signtool will (er, should) be happier with your
> Certum Level 1 intermediate CA cert.
>
> > Thanks-
> > Christian
>
> Later, Christian wrote:
>
> > Well, I got a bit further on this.
> >
> > I was able to get the javascript signed, but the certificate (since it
> > is in a chain of which the middle cert is unknown to mozilla) was not
> > recognized since it was in a chain.
>
> If the certum 1 intermediate CA cert was in the cert8.db file when you
> ran signtool, it should have been copied into the signed file.
>
> > Here are the steps:
> > 1. I converted my spc and pvk into pfx using the pvkimprt tool (on Win
> > 2K since this tool doesn't work on Win XP)
> > 2. Imported the pfx into the cert management of mozilla browser
>
> OK, so you got your cert and your private key into the browser's cert
> and key DB files. If the pfx file also contained the certum level 1
> intermediate CA, that cert would also have been imported into your cert
> DB file, but based on the results you got, I think it was not in that
> pfx file.
>
> > 3. used the signtool to sign the javascript pointing the signtool to
> > the mozilla cert db (it's in the user's directory under
> > mozilla/profiles).
>
> Yes, that should have worked. Using the cert, key and secmod.db files
> from the browser should work, AS LONG AS the browser is not running when
> the other tools are running.
>
> You should be able to see your cert in the browser's cert manager, and
> should be able to verify that its chain is complete, no missing certs.
> If the chain is incomplete, you should import the missing certs into
> your cert DB before doing the signing (using either the browser itself
> or using certutil). Remember to have only one program using the DBs at
> a time. The browser should not be running when you're using certutil or
> signtool on your browser's cert and key DB files.
>
> > Once I generated my signed jar, I removed all added certs from mozilla
> > and opened the javascript in the jar. Result was that the cert was not
> > recognized:
> > certum root CA -> certum level I -> mycert and certum level I is not a
> > cert that is delivered with mozilla. However, certum root CA is...
> > Once I import certum level I, it works fine, however that is of no use
> > to the users on the net as I can't ask them to import some cert. I
> > wonder, however, whether it is possible to deliver the missing cert as
> > part of the signed jar file?
>
> When you sign the jar file, signtool will put as much of the cert chain
> into the JAR file as it can find. If signtool can't find the complete
> chain, it will put an incomplete chain into the JAR. If your JAR file
> doesn't have the complete chain, then signtool couldn't find the complete
> chain in the cert DB and nssckbi.dll files to which it had access.
> The implication is that the Certum 1 intermediate CA cert was not in the
> browser's cert8.db file when you used it to run signtool.
>
> > Any pointers on whether this is possible and how to do so?
>
> Make sure that the complete chain is available to signtool, then try
> signing again.
>
> --
> Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
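Christian's open question is how to see which certificates the signing tool actually embedded in the JAR. The script below is an added example, not code from this thread or from NSS: it walks the DER of the PKCS#7 SignedData block that a signed JAR carries under META-INF/ and lists the (subject, issuer) pair of every embedded certificate, then reports which issuer the JAR does not carry and the verifying browser must therefore already hold and trust. It uses only the standard library and does no signature verification. Assumptions: the signature block file is named zigbert.rsa (assumed to be the name Mozilla's signtool used); the sample certificates are constructed DER structures with dummy signatures, not real Certum certificates.

```python
"""List the certificate chain embedded in a signed JAR's PKCS#7 signature block.
Added example; pure stdlib; structural parsing only, no signature verification."""
import io
import zipfile

OID_CN = bytes.fromhex("550403")                       # id-at-commonName (2.5.4.3)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # pkcs7-signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")         # pkcs7-data
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption

def tlv(data, i=0):
    """Decode the DER element at data[i]; return (tag, content, index after it)."""
    tag, first = data[i], data[i + 1]
    if first < 0x80:
        length, start = first, i + 2
    else:                                   # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        length, start = int.from_bytes(data[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, data[start:start + length], start + length

def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, i = [], 0
    while i < len(content):
        tag, body, i = tlv(content, i)
        out.append((tag, body))
    return out

def common_name(name_content):
    """Pull the CN out of an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn in children(name_content):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == OID_CN:
                return value[1].decode("utf-8", "replace")
    return "<no CN>"

def cert_names(cert_content):
    """Return (subject CN, issuer CN) read from a Certificate's tbsCertificate."""
    fields = children(children(cert_content)[0][1])    # first child is tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, spki, ...
    return common_name(fields[4][1]), common_name(fields[2][1])

def certs_in_pkcs7(blob):
    """(subject, issuer) for every cert in SignedData's certificates [0] field."""
    content_type, explicit0 = children(tlv(blob)[1])
    if content_type[1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData block")
    signed_data = children(explicit0[1])[0][1]
    for tag, body in children(signed_data):
        if tag == 0xA0:                                # certificates [0] IMPLICIT SET
            return [cert_names(c) for _, c in children(body)]
    return []

def jar_chain_report(jar_bytes):
    """Map each signature block in the JAR (META-INF/*.RSA or *.DSA) to its chain."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for member in z.namelist():
            upper = member.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA")):
                report[member] = certs_in_pkcs7(z.read(member))
    return report

def missing_issuers(chain):
    """Issuers the JAR does not carry: the verifier's own cert DB must supply and trust them."""
    subjects = {subject for subject, _ in chain}
    return [iss for subj, iss in chain if iss != subj and iss not in subjects]

# ---- constructed sample data (not real Certum certificates) -------------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def x501_name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))

def fake_cert(subject, issuer):
    """Structurally valid Certificate with a dummy signature, enough for chain listing."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"060101000000Z") + der(0x17, b"070101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + x501_name(issuer) + validity + x501_name(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def build_sample_jar(cert_pairs):
    """Minimal signed-JAR layout; 'zigbert.rsa' is the signtool file name (assumed)."""
    certs = der(0xA0, b"".join(fake_cert(s, i) for s, i in cert_pairs))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                 + der(0x30, der(0x06, OID_DATA)) + certs + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.mf", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/zigbert.sf", "Signature-Version: 1.0\n")
        z.writestr("META-INF/zigbert.rsa", pkcs7)
        z.writestr("script.js", "// constructed placeholder for the signed script\n")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("leaf only", [("mycert", "Certum Level I")]),
               ("leaf + intermediate", [("mycert", "Certum Level I"),
                                        ("Certum Level I", "Certum Root CA")])]
    for label, pairs in samples:
        chain = jar_chain_report(build_sample_jar(pairs))["META-INF/zigbert.rsa"]
        print(label, chain, "verifier must already trust:", missing_issuers(chain))
```

On a real JAR the same information comes from OpenSSL without any parsing code: `unzip -p signed.jar 'META-INF/*.RSA' | openssl pkcs7 -inform DER -print_certs -noout` prints the subject and issuer of every embedded certificate. If the output shows only mycert, signtool embedded an incomplete chain, which is exactly the symptom in step 7 above. Note that the JAR answers only the first half of the question: what a certificate is entrusted with is not stored in the JAR at all but in the verifying profile's cert DB (the trust flags that `certutil -L -d <dir>` prints), so a complete chain in the JAR plus a trusted Certum root in the browser's built-in list is what makes the signature verify for an arbitrary user.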