Kaspar Brand wrote:
> How exactly did you create (and sign) the request for [EMAIL PROTECTED] By
> "validating", do you mean using "certutil -V"? If so, the problem might
> be the correct certusage ("-u" switch) - you should actually specify
> object signing, but it seems that certutil will only allow you to
> specify these five here:
>
>   -u certusage      Specify certificate usage:
>                          C    SSL Client
>                          V    SSL Server
>                          S    Email signer
>                          R    Email Recipient
>                          O    OCSP status responder

The -u option only applies to certutil's -V command, which verifies a cert chain. You're right that the absence of any way to specify a code-signing or object-signing usage is a deficiency of certutil's -u option. Please file a bug about this in bugzilla. Thanks.

For purposes of issuing certs (with certutil's -C or -S commands), if one desires to issue a cert with a certain extension, such as an EKU extension for code signing, certutil offers numeric options (e.g. -6) for this purpose.

Of course, certutil is a test tool, for testing purposes, to enable developers to test NSS for themselves without needing to acquire certs from real CAs for those testing purposes (only). Creators of signed code objects (e.g. XPIs) need to get an object signing cert from an object signing CA known to mozilla products, and sign their XPIs with that cert for real product distribution.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto