I am trying to create an object signing certificate with SSLeay for
use with Netscape and the Netscape package signing tool (signtool
1.0), but am having no luck. Maybe someone can straighten me out.
Either tell me that this is not possible with SSLeay, or tell me what
I've done wrong. Flame me if necessary. I don't care ... just want
to understand this stuff.
Here's what I've done:
1. Running SSLeay 0.8.1 on Red Hat Linux
2. Used the "CA.sh" script to create a CA:
"CA.sh -newca"
Please note that before doing this, I edited the ssleay.cnf file
and set the nsCertType to 0x07, which appears to be the cert type
required for a CA that wants to be able to certify object
signing certs, email certs and ssl certs.
3. Imported the CA certificate ("demoCA/cacert.pem") into my
Netscape 4.0.4 browser.
4. Using both Netscape and the Netscape signtool utility, verified
that my CA certificate was loaded into the NS certificate DBs:
"cert7.db" and "key3.db".
5. Edited ssleay.cnf and changed the "nsCertType" to "0x50", which
appears to be the cert type required for server object signing, and
ssl.
6. Ran "CA.sh -newreq" and "CA.sh -sign" in order to create the new
object signing certificate.
7. Imported the object signing certificate ("newcert.pem") into my
Netscape 4.0.4 browser.
8. Using both Netscape and the Netscape signtool utility, verified
that my object signing certificate was loaded into the NS certificate
DBs: "cert7.db" and "key3.db". Note that signtool recognizes
the new cert as an object signing cert. Verified with "signtool
-l". It does *not* complain about a lack of an issuer certificate
(because of steps #2 & #3 above).
That is the limit of my success. At this point, I try to sign
objects using the new certificate and signtool as follows:
signtool -k testOBJcert -J ./
But signtool complains:
'signtool: the cert "testOBJcert" does not exist in the database: No
certificate'.
This confuses me. "signtool -l" says that a valid object signing
certificate called "testOBJcert" exists, but "signtool -k testOBJcert
-J ./"
__________________________________________________________
William Dorfmann <[EMAIL PROTECTED]>
KE Software Inc.
Suite 303, 601 West Broadway
Vancouver B.C. V5Z 4C2 CANADA
Tel: (604)877-1960 x 11
Fax: (604)877-1961
WWW: http://www.kesoftware.com
PGP public encryption key at: http://www.kesoftware.com/~dorfmann
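As an added example (not part of William's post or of SSLeay): a small Python decoder for the nsCertType masks used in steps 2 and 5 above, with a check that an issuer's CA bits cover the usages of the certificate it signs. The bit names are OpenSSL's nsCertType config keywords; the consistency check is my own assumption about what a CA's type should imply, not a documented signtool rule.

```python
# Added example (not from the original post): decode SSLeay/OpenSSL nsCertType
# bit masks such as the 0x07 and 0x50 used above, and check whether a CA's
# nsCertType authorises the usages set on a certificate it signed.

# Bit values of the Netscape certificate-type extension; the names are the
# keywords OpenSSL accepts for "nsCertType" in its config file.
NS_CERT_TYPE_BITS = {
    0x80: "client",    # SSL client
    0x40: "server",    # SSL server
    0x20: "email",     # S/MIME
    0x10: "objsign",   # object signing
    0x08: "reserved",
    0x04: "sslCA",     # SSL CA
    0x02: "emailCA",   # S/MIME CA
    0x01: "objCA",     # object-signing CA
}

# Assumed rule: which CA bit an issuer needs to certify each end-entity usage.
REQUIRED_CA_BIT = {
    "client": "sslCA",
    "server": "sslCA",
    "email": "emailCA",
    "objsign": "objCA",
}


def decode_ns_cert_type(value):
    """Return the names of the nsCertType bits set in an integer mask."""
    if not 0 <= value <= 0xFF:
        raise ValueError("nsCertType is a single byte: %r" % value)
    return [name for bit, name in NS_CERT_TYPE_BITS.items() if value & bit]


def unauthorised_usages(ca_mask, leaf_mask):
    """Usages in the leaf's nsCertType that the CA's nsCertType does not cover.

    An empty list means the CA's type is consistent with the leaf's type
    (e.g. a 0x07 CA can issue a 0x50 server/object-signing certificate).
    """
    ca_names = set(decode_ns_cert_type(ca_mask))
    return [
        usage
        for usage in decode_ns_cert_type(leaf_mask)
        if usage in REQUIRED_CA_BIT and REQUIRED_CA_BIT[usage] not in ca_names
    ]


if __name__ == "__main__":
    for mask in (0x07, 0x50):
        print("0x%02x -> %s" % (mask, ", ".join(decode_ns_cert_type(mask))))
    print("missing:", unauthorised_usages(0x04, 0x50))  # CA lacks objCA
```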