Re: Certificate Import Question
suckerformimi wrote: I have the private key, but it's in a separate file. What is the format of that private key file ? How did you get it ? ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
I installed version 3.9 of NSS but i still get the same results: > certutil -A -n "SingShot Code Signing" -t "TC,TC,TC" -d . -i mycert.p12 certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message. I'm still at NSPR v4.6.1, but the bug report has NSS listed as the Product. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
I did manage to import the Thawte Code Signing cert (not key, sorry). So now I'm down to the second 2. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
I have verified that "Thawte Premium Server CA" is built in (using certutil -L -d . -h all). "Thawte Code Signing CA - Thawte Consulting cc" is not. I have the private key, but it's in a separate file. The only way I know of importing it into an NSS db is to convert the cert + key to a p12 file using IE. But certutil and pp both choke on my PKCS12 files - they both give me "improperly formatted DER-encoded message". They both work fine on my certs if I don't include the keys, i.e., if I export as DER or base-64, but then signtool can't find the private key (obviously). So my 3 hypotheses are: 1. That I need to get the Thawte Code Signing key 2. That I'm running into a known bug in NSS (see above) 3. The certificate is bad ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
Nelson B wrote: Now, I'm guessing that you "enrolled" to get your cert using Windows software. [...] You need to "export" all the stuff I listed above into a "PKCS12" file (a file with a .p12 or .pfx suffix). Windows' cert manager will happily let you do that. Not necessarily, because the key can have been generated at enrolling time with exportation forbidden. That is the default, so unaware users are very at risk of getting that. And then there's no solution to that except to revoke and enroll for a new cert, and make sure that when the key gets generated exportation is allowed. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
suckerformimi wrote: > I was right-clicking the cert Windows Explorer (file manager) and > opening the cert with MS Crypto Shell Extensions. OK, so any information you saw there was of no relevance to mozilla products, including the names of the certs (e.g. "SignShot") displayed there. > But I was importing and attempting to sign code with the NSS tools. Ok, to do that, you need to import all the following into NSS: a) the private key that corresponds to the public key in your cert b) your public key cert c) Any CA certs between your cert and the root issuing CA, if any. Now, I'm guessing that you "enrolled" to get your cert using Windows software. So, your private key is in one of Windows' key stores. You need to "export" all the stuff I listed above into a "PKCS12" file (a file with a .p12 or .pfx suffix). Windows' cert manager will happily let you do that. Before doing that, you need to ensure that that the cert you're going to export has a "friendly name", using Windows cert manager. When you export it to a pfx file, you need to give the pfx file a password. (Windows Cert manager will let you export it without a password but NSS won't let you import a pfx file without a password). > I've imported the certificate into a db in the current folder using NSS > > certutil -A -n "SingShot Object Signing" -t "TCu,TCu,TCu" -d . -i > mycert.spc > > When I do > > certutil -L -d . > I get: > > SingShot Object Signing CT,C,C > > myTestCertu,u,Cu The "u" character means that NSS has the private key that goes with that cert. You can try to set that "u" flag yourself, (as you did in the above example), but it will have no effect. If you have the private key, then the u will appear, and if you don't, it won't. > Should there be a 'u' in the 3rd column for the 'SingShot Object > Signing' cert if it's valid for signing code? I suppose that might be > the difference between my Thawte and temporary certs. You have to have the private key in order to sign anything, and apparently you don't. So you've imported the cert, but not the private key, You need to import both. Your cert shouldn't need any special trust flags. The argument -t ",," should work just fine, if you've got your issuer CA cert in your cert DB (or in the "builtin" list of CAs. > How can I tell whether my certificate will even work for signing code > using NSS tools? Well, once you have the cert AND private key imported, it should work. You're doing a good job of figuring out most of this stuff by yourself, which is commendable. So, keep going and I think soon you'll have it solved. -- Nelson B ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
I was right-clicking the cert Windows Explorer (file manager) and opening the cert with MS Crypto Shell Extensions. But I was importing and attempting to sign code with the NSS tools. I've imported the certificate into a db in the current folder using NSS > certutil -A -n "SingShot Object Signing" -t "TCu,TCu,TCu" -d . -i mycert.spc When I do > certutil -L -d . I get: > SingShot Object Signing CT,C,C > myTestCertu,u,Cu Should there be a 'u' in the 3rd column for the 'SingShot Object Signing' cert if it's valid for signing code? I suppose that might be the difference between my Thawte and temporary certs. How can I tell whether my certificate will even work for signing code using NSS tools? ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
Paul wrote: > Is it possible that the leaf didn't make it into the db? When I do > > > signtool -d . -k "SingShot Media" -p "mypwd" signed/ Yes, except that you have offered one piece of relatively strong evidence to the contrary, namely, that cert chain in your original post. If that cert chain was displayed by mozilla software (e.g. FireFox) then I'd say the cert must be in your cert DB (or else mozilla couldn't have displayed it). If that cert chain was displayed by some other software, e.g. Windows' own cert manager) then yes, it's possible that the cert is not in your cert DB. > I get : > > signtool: the cert "SingShot Media" does not exist in the database. Did your cert have an email address in it? If so, try substituting that email address for "SingShot Media" in the signtool command above. > Also, how can I check to see whether the cert contains any extensions? You apparently have certutil and signtool, two of NSS's numerous tools. What others do you have? And from what version of NSS do they come? If you have "pp" and if your SingShot cert is in a binary file, you can try pp -t certificate -i yourfile or if your cert is stored in a base64 encoded ascii file, you can try pp -t certificate -a -i yourfile -- Nelson B ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
Paul wrote: > I got the tree by right-clicking on the certificate and selecting > "Open" in Windows. In FireFox on Windows? or in Windows Explorer (file manager) ? or in Windows cert manager? or ? MS Windows has its own cert store and its own cert manager, which are completely separate from the ones used by mozilla products such as FireFox. AFAIK, no FireFox products ever list the cert chain with the leaf (EE) cert on top and the root cert on bottom, which makes me suspect that you might have been looking in NS Windows' software rather than FireFox's. > And yes, I got the contents of the my certificate db with certutil -L OK. > The good news is that there is a * beside "Thawte Code Signing CA" when > I do > > certutil -L -d . I'm not aware of any special significance of an asterisk in the output of NSS's certutil program. > Also, I was able to sign my code using a temporary certificate. How was that temp cert different from the other one? > However, when I do > > signtool -d . -k "Thawte Code Signing CA" -p "" signed/ > > I get : > warning - can't find private key for this cert Right. You tried to sign using Thawte's CA cert, and you don't have the private key for that cert. > signtool: PROBLEM signing data (Unknown Issuer) That's strange. But I think it's irrelevant. The primary problem was not having the private key. -- Nelson B ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
Is it possible that the leaf didn't make it into the db? When I do > signtool -d . -k "SingShot Media" -p "mypwd" signed/ I get : signtool: the cert "SingShot Media" does not exist in the database. Also, how can I check to see whether the cert contains any extensions? ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
The good news is that there is a * beside "Thawte Code Signing CA" when I do > certutil -L -d . Also, I was able to sign my code using a temporary certificate. However, when I do > signtool -d . -k "Thawte Code Signing CA" -p "" signed/ I get : warning - can't find private key for this cert signtool: PROBLEM signing data (Unknown Issuer) the tree signed/ was NOT SUCCESSFULLY SIGNED Any ideas? I'm looking into it now, but it's been a long day . . . ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
Thanks for this. I'll assume for now that the SingShot Media certificate is in the DB but isn't being displayed. I got the tree by right-clicking on the certificate and selecting "Open" in Windows. And yes, I got the contents of the my certificate db with certutil -L ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certificate Import Question
suckerformimi wrote: > I can't tell if my certficate imported properly. When I open the > certificate it shows me the following certification chain: > SingShot Media > Thawte Code Signing CA > Thawte Premium Server CA Out of curiosity, which tool shows the hierarchy like that, with the root at the bottom and the leaf at the top? > When I list the contents of my certificate DB I get > Thawte Code Signing CA c,c,C I gather that's the output of certutil -L . Yes? > Should I be seeing only the one certificate in the DB, or all three? > Shouldn't I at least be seeing our "SingShot Media" certificate? Ordinarily, certutil doesn't list the contents of the "built in" root cert module. To include the listing of built-ins, add "-h all" to your certutil -L command. I think that explains why you didn't see the root in the list. As for why you didn't see the leaf, I'd guess that the cert in question contains one or more critical extensions that are unknown to NSS. It used to be that NSS would not import a cert with unknown critical extensions. Now NSS will import it, but certutil will not display it. :-/ Could also be a consequence of this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=335021 > Also, I've searched all over looking for some documentation on certutil > and signtool. Is there any around? Start looking here: http://www.mozilla.org/projects/security/pki/nss/tools/index.html > Regards, > > Paul -- Nelson B ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
