> > Now I need a private key from ~/.xulapp to sign my object. To the best
> > of my knowledge, I create a certificate request and use ~/.ca to
> > validate it. That is what I did. I then imported the file. This is the
> > output with certutil -L
> >
> > Common Name - Organization                           CT,C,C
> > [EMAIL PROTECTED]                                    pu,pu,pu
>
> How exactly did you create (and sign) the request for [EMAIL PROTECTED]? By
> "validating", do you mean using "certutil -V"? If so, the problem might
> be the correct certusage ("-u" switch) - you should actually specify
> object signing, but it seems that certutil will only allow you to
> specify these five here:
>
>    -u certusage      Specify certificate usage:
>                      C      SSL Client
>                      V      SSL Server
>                      S      Email signer
>                      R      Email Recipient
>                      O      OCSP status responder
I created the certificate request using certutil (from what I remember):

certutil -R -s "CN=t, O=req, L=req, ST=req, C=RE" -p "555-555-5555" -o mycert.req -d ~/.xulapp

I then signed the request using certutil as well:

certutil -C -m 1234 -i mycert.req -o mycert.crt -c testcert -d ~/.ca

When I say I validated, I chose my words incorrectly. What I meant to say was
that I was able to add the certificate that I signed into the ~/.xulapp
database.

> > Which looks ok (I think), but when I try to sign a directory, I get
> > the following (2zo52e9f.default/ would be my ~/.xulapp database):
> >
> > bash-3.00$ signtool -d 2zo52e9f.default/ -k [EMAIL PROTECTED] -p test foo
> > using certificate directory: 2zo52e9f.default/
> > Generating foo/META-INF/manifest.mf file..
> > --> bar
> > Generating zigbert.sf file..
> > signtool: PROBLEM signing data (Certificate not approved for this
> > operation)
>
> What does "certutil -L -d 2zo52e9f.default -n [EMAIL PROTECTED]" give as
> output? If the certificate doesn't include an appropriate
> netscape-cert-type or extended key usage extension (which permits object
> signing), then you can't use it to sign code.
This is the output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1234 (0x4d2)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: "CN=Common Name,O=Organization,OU=Unit,ST=Province,C=CA,UID=test, [EMAIL PROTECTED]"
        Validity:
            Not Before: Fri Jun 22 14:09:57 2007
            Not After : Sat Sep 22 14:09:57 2007
        Subject: "CN=req,O=req,L=req,ST=req,C=RE"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    9a:4a:3d:d8:da:58:92:bd:6c:5a:c9:a9:a2:82:77:c7:
                    10:0d:1a:77:36:83:ff:db:bd:26:20:aa:c3:fc:68:32:
                    c5:e7:01:c2:6c:46:9f:bd:d1:01:d6:eb:db:06:99:85:
                    ef:7a:0f:7b:8d:80:18:18:fa:39:25:64:cf:6e:aa:70:
                    48:3e:42:0e:82:fc:e9:a8:13:53:97:a2:b7:1c:89:7a:
                    c5:ab:06:57:3f:ef:ad:4c:ce:ff:27:69:55:b0:6c:f0:
                    62:3a:0f:89:f3:7a:dc:29:47:e0:07:71:06:0f:ff:9d:
                    1e:da:08:a3:c4:ae:e5:cc:2e:6a:92:34:ae:df:10:ed
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
        b9:25:37:09:dc:a4:a1:21:f1:29:ae:76:0c:de:10:74:
        7f:23:dd:06:af:ab:39:fe:34:09:7e:46:07:65:22:de:
        84:bb:73:52:31:0f:ce:62:33:2d:73:43:97:12:4f:ce:
        08:9f:de:a8:be:23:9c:1d:ec:fe:4b:58:58:aa:30:d0:
        cd:c5:2b:ad:89:b9:b3:fc:f9:ea:7e:83:b3:b3:44:ac:
        13:69:d0:33:95:c1:32:31:0d:82:be:c3:99:32:4b:7d:
        a6:fb:80:20:39:ff:ca:e7:38:2f:d7:dc:2b:06:a5:21:
        74:eb:72:cf:e3:af:f6:1f:3e:bb:6d:d3:af:6d:99:5f
    Fingerprint (MD5):
        E9:F9:1A:8D:C8:89:A9:24:BC:55:1E:0B:0C:AE:75:7A
    Fingerprint (SHA1):
        60:36:4F:74:17:7C:63:7E:AC:68:07:F4:20:18:3E:F7:85:F8:DE:AC

    Certificate Trust Flags:
        SSL Flags:
            Valid Peer
            User
        Email Flags:
            Valid Peer
            User
        Object Signing Flags:
            Valid Peer
            User

So this seems to be the certificate that I can give out to people. It seems
to be signed by the CA. But then how do I go about signing something without
having to use testcert in the ~/.ca database?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
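The dump above has trust flags for object signing but no "Signed Extensions" block at all, which is exactly the condition the reply describes: signtool checks the certificate's own netscape-cert-type / extended key usage extensions, and database trust flags on the leaf do not substitute for them. The script below is an added example, not code from the thread or from NSS; it repeats the thread's workflow with the issuing step corrected so the leaf carries those extensions. It assumes a certutil that understands --nsCertType, --extKeyUsage, --keyUsage and -Z (NSS 3.12 or later); temporary directories stand in for ~/.ca and ~/.xulapp, the nickname "testcert" and the password "test" come from the thread, and the nickname "signer" is an assumption. It also answers the closing question: once the signed certificate sits next to its private key in the application database, signtool needs only that database; the CA database is used at issuance time only.

```shell
#!/bin/sh
# Added example, not code from the thread: issue an object-signing certificate
# with NSS certutil so that the leaf carries the extensions signtool checks.
# Assumes a certutil that understands --nsCertType, --extKeyUsage, --keyUsage
# and -Z (NSS 3.12 or later). Temporary directories stand in for ~/.ca and
# ~/.xulapp; "testcert" and the password "test" come from the thread, the
# nickname "signer" is an assumption.
set -eu

if ! command -v certutil >/dev/null 2>&1; then
    echo "certutil (NSS tools) not installed; skipping" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DB="$WORK/ca"          # stands in for ~/.ca
APP_DB="$WORK/xulapp"     # stands in for ~/.xulapp
mkdir -p "$CA_DB" "$APP_DB"
printf 'test\n' > "$WORK/pw"              # database password, as in the thread
head -c 64 /dev/urandom > "$WORK/noise"   # entropy for key generation

# 1. CA database and a self-signed CA certificate. The nsCertType CA bits say
#    "this issuer may sign object-signing certs"; the trust flags CT,C,C say
#    the local database trusts it for SSL, e-mail and object signing.
certutil -N -d "$CA_DB" -f "$WORK/pw"
certutil -S -d "$CA_DB" -f "$WORK/pw" -z "$WORK/noise" -x \
    -n testcert -s "CN=Test CA,O=Example" -t "CT,C,C" -m 1 -v 12 -Z SHA256 \
    --nsCertType sslCA,smimeCA,objectSigningCA --keyUsage certSigning,crlSigning

# 2. Application database and a request; the private key never leaves it.
certutil -N -d "$APP_DB" -f "$WORK/pw"
certutil -R -d "$APP_DB" -f "$WORK/pw" -z "$WORK/noise" \
    -s "CN=req,O=req,L=req,ST=req,C=RE" -o "$WORK/mycert.req"

# 3. The CA signs the request. This is what the thread's -C command lacked:
#    without --nsCertType/--extKeyUsage the certificate carries no extension
#    permitting object signing, whatever its trust flags say afterwards.
certutil -C -d "$CA_DB" -f "$WORK/pw" -c testcert -i "$WORK/mycert.req" \
    -o "$WORK/mycert.crt" -m 1234 -v 3 -Z SHA256 \
    --nsCertType objectSigning --extKeyUsage codeSigning \
    --keyUsage digitalSignature

# 4. Import the CA cert (so the chain can be built) and the signed cert into
#    the application database. From here on ~/.ca is not needed.
certutil -L -d "$CA_DB" -n testcert -r > "$WORK/ca.crt"
certutil -A -d "$APP_DB" -f "$WORK/pw" -n testcert -t "CT,C,C" -i "$WORK/ca.crt"
certutil -A -d "$APP_DB" -f "$WORK/pw" -n signer -t ",," -i "$WORK/mycert.crt"

# True when the pretty-printed certificate carries a code-signing extended
# key usage. The thread's dump would fail this: its only "Object Signing"
# line is in the trust-flag section, not in an extension.
has_code_signing_eku() {    # $1 = db dir, $2 = nickname
    certutil -L -d "$1" -n "$2" | grep -q 'Code Signing'
}

# True when NSS itself accepts the cert for object signing (usage J). The
# certutil quoted in the thread predates J, so an error here is reported as
# "unsupported" rather than treated as a bad certificate.
nss_accepts_object_signer() {    # $1 = db dir, $2 = nickname
    certutil -V -d "$1" -n "$2" -u J >/dev/null 2>&1
}

if has_code_signing_eku "$APP_DB" signer; then
    echo "signer: code-signing extended key usage present"
fi
nss_accepts_object_signer "$APP_DB" signer && echo "signer: valid for usage J" \
    || echo "signer: -u J check failed or unsupported by this certutil"
echo "next step: signtool -d $APP_DB -k signer -p test <directory>"
```

Run it as a whole; it leaves nothing behind because the temporary directory is removed on exit. To apply the same fix to the thread's real databases, keep only step 3 (re-issue with the extension flags) and step 4 (re-import into ~/.xulapp), and compare the output of `certutil -L -d ~/.xulapp -n <nickname>` before and after: the corrected certificate gains a "Signed Extensions" block, and that, not the "Object Signing Flags" lines, is what signtool consults.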