Hey, thanks for your feedback.

On Sep 25, 3:07 pm, Kaspar Brand <m...@velox.ch> wrote:
> Adriano Bonat wrote:
> > adri...@planck:~/Tmp/empty_db$ nss-signtool -d . -l
>
> > Object signing certificates
> > ---------------------------------------
> > COMPANY LLC's Starfield Technologies, Inc. ID
> >     Issued by: Starfield intermediate
> >     Expires: Mon Sep 19, 2011
> > ---------------------------------------
>
> This looks good, actually - the trust settings in this (newly created)
> cert DB meet signtool's expectations.
>
> > adri...@planck:~/Tmp/empty_db$ nss-certutil -V -n "COMPANY LLC's
> > Starfield Technologies, Inc. ID" -u O -d .
> > nss-certutil: certificate is invalid: Certificate type not approved
> > for application.
>
> You should use "-u J" when verifying an object signing cert ("O" is for
> OCSP status responder), so this error message is just a red herring.

uh... my mistake, thanks for pointing it out :)

> > Am I doing something wrong?
>
> I don't think so, but it's quite possible that you're running into the
> issue reported in
>
>  https://bugzilla.mozilla.org/show_bug.cgi?id=321156
>
> because the intermediate CA cert (available from
> http://certificates.starfieldtech.com/repository/sf_intermediate.crt)
> does not have an EKU nor a netscape-cert-type extension.

I understand, do you think that GoDaddy can do something about that?
If not, and I want to sign my extension, I will have to buy a code
signing certificate from another company like Verisign and Thawte; is
there any cheaper one that simply works?

> When you list the certificates in your Firefox DB with certutil (make
> sure you're shutting down Firefox first), I assume that the line with
> "Starfield Secure Certification Authority" does not show ",,c", is that
> correct?

Yes, that's correct. I did set the value ",,c" using certutil.

Thanks again.
-Adriano Bonat
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
