Re: Certificate not approved for this operation

2008-08-22 Thread jaszay
On Aug. 22, 19:59, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> giorgio <[EMAIL PROTECTED]> wrote on 2008-08-22 06:01 PDT:
>
> > When you create a test certificate with signtool it is valid only for
> > 3 months.
>
> It's valid for YOUR testing (only) for some time.  It's not valid at any
> time for generating signatures that will be verifiable by other users,
> because it is not issued by a known CA.
>
> > I would like to know whether it is possible to convert a microsoft
> > test certificate and use it with Firefox for object signing.
>
> > This is what I try to do:
> > 1. I have a test.pfx created with Microsoft signtool valid for 40
> > years
> > 2. I use pk12util to import it
>
> > Using signtool -L -d ., my cert has no asterisk before the name; I guess
> > that is the problem.
>
> > When using with signtool, I get this (obviously)
>
> > Generating zigbert.sf file..
> > signtool: PROBLEM signing data (Certificate not approved for this
> > operation)
>
> > Since it is a test certificate, is there not a way to change it to be
> > suitable for object signing as well?
>
> There may be a way to force NSS to generate a signature anyway, but the
> resultant signature would not be of value to others.
>
> Let's say that you've listed your cert DB with certutil and found your
> cert there to be named .  Then the command
>    certutil -d DB -M -t "u,u,Pu" -n ""
> (where DB is the name of the directory with your cert DB)
> will set an override flag that MAY enable you to generate a signature
> anyway, but the resultant signature will be of no value to anyone who
> doesn't have your cert in their cert DB marked in that special way.
>
> > Using microsoft certificate store, there is a way to add any kind of
> > object identification,
>
> Yes, Microsoft Windows' API for getting the values of cert extensions
> actually looks in the cert store to see if the cert store contains any
> additional certificate extensions that were stored with the cert.  If so, it
> will return those extensions, just as if it had found them in the cert
> itself. This serves the same purpose as NSS's "trust flags", and is
> considerably more flexible.  :-/  (I believe one could add a name
> constraints extension to a root CA that way, for example.)
>
> > anyone knows the code (OID) for this purpose (object signing)?
>
> But NSS doesn't use Microsoft's cert stores and doesn't use Microsoft's
> API for getting extensions from certs in the cert stores.  So, even if
> you do put the object signing OID into the Extended Key Usage extension
> for that cert in Windows' cert store, it won't have any effect on NSS.
>
> > Is there another way to create (with nss tools) a test certificate
> > which is valid for much more time than 3 months?
>
> Yes, but only valid for YOUR own testing, not valid for others to
> verify your signature.  Is that really of help to you?  Given that a
> test cert is limited to being for your own personal testing purposes,
> is 3 months not enough?

I really need it for test purposes only. Yes, it would be an equivalent
of the real cert I mentioned in my other topic.
It is inconvenient to recreate it every 3 months; that is why I
thought that, if I have a test cert created with MS tools, I could
somehow port it to the NSS cert DB.
This is for a Firefox extension which is part of a commercial product.
Therefore, we have the test cert checked into TFS, and the developers
get the test cert only to be able to compile it. The daily build gets
the real cert, so it is compiled with that. The testers use that. The
developers compile for themselves, but the real cert is not given to
them.

You can say I am lazy (I am responsible for this test cert), but if
there is any chance to avoid recreating the test cert so frequently, I
would like to use that method.
So, please describe how to force signtool to create e.g. a 5-year
test cert.

Currently I use this:

signtool -G test -d .

It creates x509.cacert; I need that one, too. I need to import that
into Firefox so it will recognize the cert when installing the xpi.


Thanks, Nelson

> I was going to tell you to get a real code signing cert, but in another
> message that you posted today, you seem to say that you already have one.
> So that shouldn't be an issue for you.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Certificate not approved for this operation

2008-08-22 Thread Nelson B Bolyard
giorgio <[EMAIL PROTECTED]> wrote on 2008-08-22 06:01 PDT:

> When you create a test certificate with signtool it is valid only for
> 3 months.

It's valid for YOUR testing (only) for some time.  It's not valid at any
time for generating signatures that will be verifiable by other users,
because it is not issued by a known CA.

> I would like to know whether it is possible to convert a microsoft
> test certificate and use it with Firefox for object signing.
> 
> This is what I try to do:
> 1. I have a test.pfx created with Microsoft signtool valid for 40
> years
> 2. I use pk12util to import it
> 
> Using signtool -L -d ., my cert has no asterisk before the name; I guess
> that is the problem.
> 
> When using with signtool, I get this (obviously)
> 
> Generating zigbert.sf file..
> signtool: PROBLEM signing data (Certificate not approved for this
> operation)
> 
> Since it is a test certificate, is there not a way to change it to be
> suitable for object signing as well?

There may be a way to force NSS to generate a signature anyway, but the
resultant signature would not be of value to others.

Let's say that you've listed your cert DB with certutil and found your
cert there to be named .  Then the command
   certutil -d DB -M -t "u,u,Pu" -n ""
(where DB is the name of the directory with your cert DB)
will set an override flag that MAY enable you to generate a signature
anyway, but the resultant signature will be of no value to anyone who
doesn't have your cert in their cert DB marked in that special way.

> Using microsoft certificate store, there is a way to add any kind of
> object identification,

Yes, Microsoft Windows' API for getting the values of cert extensions
actually looks in the cert store to see if the cert store contains any
additional certificate extensions that were stored with the cert.  If so, it
will return those extensions, just as if it had found them in the cert
itself. This serves the same purpose as NSS's "trust flags", and is
considerably more flexible.  :-/  (I believe one could add a name
constraints extension to a root CA that way, for example.)

> anyone knows the code (OID) for this purpose (object signing)?

But NSS doesn't use Microsoft's cert stores and doesn't use Microsoft's
API for getting extensions from certs in the cert stores.  So, even if
you do put the object signing OID into the Extended Key Usage extension
for that cert in Windows' cert store, it won't have any effect on NSS.

> Is there another way to create (with nss tools) a test certificate
> which is valid for much more time than 3 months?

Yes, but only valid for YOUR own testing, not valid for others to
verify your signature.  Is that really of help to you?  Given that a
test cert is limited to being for your own personal testing purposes,
is 3 months not enough?

I was going to tell you to get a real code signing cert, but in another
message that you posted today, you seem to say that you already have one.
So that shouldn't be an issue for you.
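Nelson's "u,u,Pu" trust string and the missing asterisk in `signtool -L` both come down to NSS trust flags: three comma-separated fields (SSL, S/MIME, object signing) stored in the cert DB, not in the certificate, which is why marking a cert this way helps only the DB it was marked in. As an added illustration (not NSS code and not from anyone in this thread), here is a small Python parser for `certutil -t` strings that reports what the object-signing slot grants; the flag letters are the ones certutil documents, while the category names and the return values of `object_signing_trust` are my own.

```python
# NSS trust flags: three comma-separated fields (SSL, S/MIME, object signing),
# as taken by `certutil -t`. Added illustration, not NSS or Mozilla code.
FLAG_MEANING = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA (implies c)",
    "T": "trusted CA for client authentication (implies c)",
    "u": "user certificate (private key present)",
    "w": "send warning",
}
CATEGORIES = ("ssl", "email", "object_signing")


def parse_trust_flags(trustargs):
    """Split 'SSL,email,objsign' into {category: set(letters)}; reject junk."""
    fields = trustargs.split(",")
    if len(fields) != len(CATEGORIES):
        raise ValueError(f"expected 3 comma-separated fields in {trustargs!r}")
    parsed = {}
    for name, field in zip(CATEGORIES, fields):
        letters = set(field.strip())
        unknown = letters - set(FLAG_MEANING)
        if unknown:
            raise ValueError(f"unknown trust flag(s) {sorted(unknown)} in {name}")
        parsed[name] = letters
    return parsed


def object_signing_trust(trustargs):
    """Classify what the object-signing slot says about the cert in this DB."""
    flags = parse_trust_flags(trustargs)["object_signing"]
    if "p" in flags:
        return "distrusted"
    if "P" in flags:
        return "peer"        # Nelson's "u,u,Pu" override: trusted only in this DB
    if flags & {"C", "T"}:
        return "ca"          # what importing x509.cacert as a trusted CA gives
    if flags == {"u"}:
        return "user-only"   # key present, but no trust for object signing
    return "none"


if __name__ == "__main__":
    # Constructed sample trust strings, as `certutil -L` would print them.
    for args in ("u,u,Pu", "u,u,u", ",,", "CT,C,C"):
        print(f"{args:10} -> {object_signing_trust(args)}")
```

The "user-only" result is the usual state of a freshly imported PKCS#12 cert: the private key is there, but nothing in the DB says it may be used for object signing.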


Re: Certificate not approved for this operation

2008-08-22 Thread Arshad Noor
What are the key-usage and extended key-usage extension values
in the certificate issued by MS signtool?

Once a certificate has been issued, it cannot be changed.  You
have to reissue the certificate (as a new one) if you want any
changes in it.

You should be able to generate a certificate of whatever duration
you desire with the tools; you just need to specify it explicitly
when creating the certificate.

Out of curiosity, what is the key-size for the key-pair of this
40-year certificate?

Arshad Noor
StrongAuth, Inc.


[EMAIL PROTECTED] wrote:
> Hi,
> 
> When you create a test certificate with signtool it is valid only for
> 3 months.
> I would like to know whether it is possible to convert a microsoft
> test certificate and use it with Firefox for object signing.
> 
> This is what I try to do:
> 1. I have a test.pfx created with Microsoft signtool valid for 40
> years
> 2. I use pk12util to import it
> 
> Using signtool -L -d ., my cert has no asterisk before the name; I guess
> that is the problem.
> 
> When using with signtool, I get this (obviously)
> 
> Generating zigbert.sf file..
> signtool: PROBLEM signing data (Certificate not approved for this
> operation)
> 
> Since it is a test certificate, is there not a way to change it to be
> suitable for object signing as well?
> Using microsoft certificate store, there is a way to add any kind of
> object identification, anyone knows the code (OID) for this purpose
> (object signing)?
> 
> Is there another way to create (with nss tools) a test certificate
> which is valid for much more time than 3 months?
> 
> TIA,
> giorgio71
> 
> 
> 


Certificate not approved for this operation

2008-08-22 Thread jaszay
Hi,

When you create a test certificate with signtool it is valid only for
3 months.
I would like to know whether it is possible to convert a microsoft
test certificate and use it with Firefox for object signing.

This is what I try to do:
1. I have a test.pfx created with Microsoft signtool valid for 40
years
2. I use pk12util to import it

Using signtool -L -d ., my cert has no asterisk before the name; I guess
that is the problem.

When using with signtool, I get this (obviously)

Generating zigbert.sf file..
signtool: PROBLEM signing data (Certificate not approved for this
operation)

Since it is a test certificate, is there not a way to change it to be
suitable for object signing as well?
Using microsoft certificate store, there is a way to add any kind of
object identification, anyone knows the code (OID) for this purpose
(object signing)?

Is there another way to create (with nss tools) a test certificate
which is valid for much more time than 3 months?

TIA,
giorgio71


