Christian, I see you're not the first person to have had troubles with this.
See http://forums.tjworld.net/viewtopic.php?p=210 and https://bugzilla.mozilla.org/show_bug.cgi?id=321156 . Based on your description (which I'll not quote here), I think your intermediate CA cert does not have the extension that makes it eligible to issue object signing certs.

There are two similar PKI schemes for signing of files containing code (scripts, executables, whatever). They are known as "object signing" and "code signing". Object signing cert chains have a special extension in every cert in the chain (except the root) that makes them eligible to be used for object signing. Code signing has a special extension in the "End Entity" cert, but not in the CA certs.

It sounds like you have a code signing cert chain. But mozilla wants an object signing cert chain. And IIRC, signtool wants an object signing cert chain also. When you mark the intermediate CA cert as trusted for object signing, that tells NSS to behave as if the cert did have that extension, which is why signtool then works. But when you remove the cert from the certdb, it loses that trust marking (which is an override for the missing extension), and so when you download it from the server, once again the cert lacks the object signing extension, and so that cert chain validation fails.

I can see a few ways out of this:
a) get an object signing cert from a different CA, or
b) get Certum to create an intermediate CA with the object signing extension and then reissue your cert subordinate to that new intermediate, or
c) get mozilla to change their XPI security checking code, to require code signing instead of object signing, or to require either one, or
d) get the NSS team to change NSS to accept code signing cert chains whenever it is told by the application to require object signing cert chains.

Any of the last 3 require getting some entrenched group to budge. I'll do what I can for the last two. You can tackle the first two.
Regards, /Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
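The distinction Nelson draws can be checked mechanically. The two extensions involved are the Netscape Certificate Type extension (OID 2.16.840.1.113730.1.1, a BIT STRING whose "objsign" bit marks an end-entity cert and whose "objCA" bit marks a CA cert as eligible for object signing) and Extended Key Usage (OID 2.5.29.37), where id-kp-codeSigning (1.3.6.1.5.5.7.3.3) on the end-entity cert is what "code signing" means. The following is an added example, not code from the list post, NSS or signtool: it decodes those two extension values from raw DER and classifies a chain (leaf first, root last) as satisfying object signing, code signing, both or neither. The certificate chains are constructed as dicts mapping extension OID to DER value, with sample DER fragments built inline, so it does not need a real certificate parser or a real CA's certs; the trust-flag override in the NSS certdb that Nelson describes is deliberately outside what this check models.

```python
"""Classify a certificate chain as object-signing and/or code-signing capable.

Constructed example: chains are represented as lists of dicts (leaf first,
root last), each mapping an extension OID string to its DER-encoded value.
The DER fragments below are hand-built sample extension values, not taken
from any real certificate.
"""

NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"   # Netscape Certificate Type
EKU_OID = "2.5.29.37"                         # Extended Key Usage
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"      # id-kp-codeSigning

# nsCertType bit names; bit 0 is the most significant bit of the first data byte.
NS_BITS = ["client", "server", "email", "objsign", "reserved", "sslCA", "emailCA", "objCA"]


def _der_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def parse_ns_cert_type(der: bytes) -> set:
    """Return the named bits set in a DER BIT STRING holding nsCertType."""
    tag, value, _ = _der_tlv(der)
    if tag != 0x03 or len(value) < 2:
        raise ValueError("nsCertType must be a non-empty BIT STRING")
    bits = value[1]                           # value[0] is the unused-bits count
    return {name for i, name in enumerate(NS_BITS) if bits & (0x80 >> i)}


def _decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    first = body[0]
    if first >= 80:
        arcs = ["2", str(first - 80)]
    else:
        arcs = [str(first // 40), str(first % 40)]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)


def parse_eku(der: bytes) -> set:
    """Return the set of dotted OIDs in a DER ExtKeyUsageSyntax (SEQUENCE OF OID)."""
    tag, seq, _ = _der_tlv(der)
    if tag != 0x30:
        raise ValueError("EKU must be a SEQUENCE")
    oids, off = set(), 0
    while off < len(seq):
        t, body, off = _der_tlv(seq, off)
        if t != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.add(_decode_oid(body))
    return oids


def classify_chain(chain: list) -> dict:
    """Report which signing scheme(s) a chain qualifies for.

    Object signing: leaf has nsCertType objsign and every intermediate CA has
    nsCertType objCA (the root is exempt, as in Nelson's description).
    Code signing: leaf has EKU id-kp-codeSigning; CA certs need nothing extra.
    """
    leaf, intermediates = chain[0], chain[1:-1]
    leaf_ns = parse_ns_cert_type(leaf[NS_CERT_TYPE_OID]) if NS_CERT_TYPE_OID in leaf else set()
    object_signing = "objsign" in leaf_ns and all(
        NS_CERT_TYPE_OID in ca and "objCA" in parse_ns_cert_type(ca[NS_CERT_TYPE_OID])
        for ca in intermediates
    )
    leaf_eku = parse_eku(leaf[EKU_OID]) if EKU_OID in leaf else set()
    return {"object_signing": object_signing, "code_signing": ID_KP_CODE_SIGNING in leaf_eku}


# Constructed DER extension values.
NS_OBJSIGN = bytes([0x03, 0x02, 0x04, 0x10])  # BIT STRING, 4 unused bits, objsign set
NS_OBJCA = bytes([0x03, 0x02, 0x00, 0x01])    # BIT STRING, 0 unused bits, objCA set
EKU_CODE_SIGNING = bytes([0x30, 0x0A, 0x06, 0x08,
                          0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03])

# A chain like the one described in the post: EE carries EKU codeSigning,
# the intermediate CA has no nsCertType at all.
CODE_SIGNING_CHAIN = [{EKU_OID: EKU_CODE_SIGNING}, {}, {}]
# A chain that Mozilla's XPI check and signtool would accept as object signing.
OBJECT_SIGNING_CHAIN = [{NS_CERT_TYPE_OID: NS_OBJSIGN}, {NS_CERT_TYPE_OID: NS_OBJCA}, {}]

if __name__ == "__main__":
    print("code-signing chain   :", classify_chain(CODE_SIGNING_CHAIN))
    print("object-signing chain :", classify_chain(OBJECT_SIGNING_CHAIN))
```

To apply this to real certificates, feed `classify_chain` the raw extension values pulled out by whatever X.509 parser you already use (the `UnrecognizedExtension` value from Python's `cryptography` package, or `openssl x509 -text`'s `Netscape Cert Type` line read by eye); the scheme logic does not change. On the chain from the post the result is object_signing False, code_signing True, which is exactly the mismatch that makes the download-time validation fail once the certdb trust override is gone.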