On Jun 18, 3:41 am, Kaspar Brand <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > If I got that part right, then when I loaded the x509.cacert into my
> > XUL application and tried to use signtool to sign an archive, it was
> > failing because I was trying to sign with a public key.
>
> Ok, so it seems that you created a self-signed object signing cert (with
> signtool -G), which you also use as a CA cert at the same time - is that
> correct?

That is correct.

> > I am able to get the certificate (which I guess I distribute), but
> > not sure how to get the private key to sign my object file.
>
> The private key is in the cert db you specified when using signtool -G,
> so you need to specify this db when creating the XPI file (not the one
> of your XUL app).

I don't think my question was clear. This is what is going through my head:

I created a self-signed certificate and put it into my ~/.ca database. I used signtool -G to create it, so I have a private key and x509.cacert. This is the output with certutil -L:

testcert                                  u,u,Cu

I load the x509.cacert into my ~/.xulapp database. According to the docs, it is now an object-signing CA, so I cannot sign objects using this cert. This is the output with certutil -L:

Common Name - Organization                CT,C,C

Now I need a private key from ~/.xulapp to sign my object. To the best of my knowledge, I create a certificate request and use ~/.ca to validate it. That is what I did. I then imported the file. This is the output with certutil -L:

Common Name - Organization                CT,C,C
[EMAIL PROTECTED]                         pu,pu,pu

Which looks ok (I think), but when I try to sign a directory, I get the following (2zo52e9f.default/ would be my ~/.xulapp database):

bash-3.00$ signtool -d 2zo52e9f.default/ -k [EMAIL PROTECTED] -p test foo
using certificate directory: 2zo52e9f.default/
Generating foo/META-INF/manifest.mf file..
--> bar
Generating zigbert.sf file..
signtool: PROBLEM signing data (Certificate not approved for this operation)
the tree "foo" was NOT SUCCESSFULLY SIGNED

I realize that I can sign with ~/.ca using testcert. But I am trying to understand certificate authorities and how the process goes.

Cesar
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
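The CA-in-one-db, signer-in-another flow that Cesar describes, written out as an added example (not the poster's commands and not part of the thread): a self-signed object-signing CA in a "~/.ca" db, its certificate imported into a "~/.xulapp" db with CA trust, a CSR generated in the app db so the private key lives there, the certificate issued from the CA db with the object-signing extensions, and finally the check a practitioner runs before reaching for signtool: does the imported certificate validate for object-signer usage (certutil -V -u J) against the CAs that db trusts? The nicknames (testca, signer), subjects, the password file and the temporary directories are assumptions; it needs the NSS command-line tools installed.

```shell
#!/bin/sh
# Added example (not from the thread): the ~/.ca -> ~/.xulapp flow described in the
# post, done non-interactively with certutil alone. Nicknames (testca, signer),
# subjects, the password file contents and the temp directories are assumptions.
# Needs the NSS tools (certutil; package libnss3-tools or nss-tools).
set -eu

# Returns 0 when the issued certificate in the app db validates for object-signer
# usage (certutil -V -u J), which is the usage signtool needs; non-zero otherwise.
nss_objsign_demo() {
    work=$(mktemp -d)
    cadb="$work/ca"          # stands in for ~/.ca
    appdb="$work/xulapp"     # stands in for ~/.xulapp
    pw="$work/pw"
    noise="$work/noise"
    mkdir -p "$cadb" "$appdb"
    printf 'test\n' > "$pw"                 # assumed db password (the post used -p test)
    head -c 1024 /dev/urandom > "$noise"    # key-generation seed; avoids the interactive prompt
    certutil -N -d "$cadb" -f "$pw"
    certutil -N -d "$appdb" -f "$pw"

    # 1. Self-signed CA in the CA db, marked as an object-signing CA and trusted
    #    for SSL, email and object signing (the CT,C,C the post shows).
    certutil -S -d "$cadb" -f "$pw" -z "$noise" -x -n testca \
        -s "CN=Test Object Signing CA,O=Example" -t "CT,C,C" \
        -k rsa -g 2048 -v 12 -m 1 \
        --keyUsage digitalSignature,certSigning --nsCertType objectSigningCA

    # 2. Export the CA certificate (the x509.cacert of the post) and import it
    #    into the app db with CA trust only; the CA's private key stays in $cadb.
    certutil -L -d "$cadb" -n testca -a > "$work/x509.cacert"
    certutil -A -d "$appdb" -f "$pw" -n testca -t "CT,C,C" -i "$work/x509.cacert"

    # 3. Generate the signing key pair and a CSR inside the app db, so the
    #    private key that signtool will use lives in that db.
    certutil -R -d "$appdb" -f "$pw" -z "$noise" \
        -s "CN=signer@example.invalid,O=Example" -k rsa -g 2048 \
        -a -o "$work/signer.csr"

    # 4. Issue the leaf from the CA db, marking it for object signing. Without
    #    these extensions NSS has no indication the cert is meant for that use.
    certutil -C -d "$cadb" -f "$pw" -c testca -v 12 -m 2 \
        -i "$work/signer.csr" -a -o "$work/signer.crt" \
        --keyUsage digitalSignature --nsCertType objectSigning \
        --extKeyUsage codeSigning

    # 5. Import the issued cert into the app db with no explicit trust; it pairs
    #    with its private key there and shows the 'u' flag in certutil -L.
    certutil -A -d "$appdb" -f "$pw" -n signer -t ",," -i "$work/signer.crt"
    certutil -L -d "$appdb"

    # 6. The pre-signtool check: does 'signer' chain to a CA this db trusts for
    #    object signing? -u J selects object-signer usage.
    if certutil -V -d "$appdb" -n signer -u J; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

if command -v certutil >/dev/null 2>&1; then
    nss_objsign_demo
else
    echo "certutil not found; install the NSS tools to run this example" >&2
fi
```

The example deliberately stops at certutil -V rather than invoking signtool: the same database and the nickname given to -A are what signtool's -d and -k arguments would name, and if -V -u J already reports the certificate invalid for object signing there is no point in going further. Running -V separately in each database also makes the point of the thread concrete: trust flags belong to the database they were set in, so a certificate that validates in the CA db says nothing about how the app db will treat it.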