Hey all,

Ever since our certificate expired last week we have been unable to sign our code with our new certificate no matter what we seem to try.

Through the GoDaddy web interface I can re-key and install the certificates into my Windows keystore. From here I export the certificates with the following options:

- Yes, export the private key
- Export as PFX
- Include all certificates in the certification path
- Enable strong protection

After this I have mycert.pfx.

I use certutil to create a fresh key database in the current directory:

    certutil -N -d .

I use pk12util to import the cert into the new database:

    pk12util -i mycert.pfx -d .

I use certutil to list the certs in the database:

    certutil -L -d .

The output shows the following certs:

    Certificate Nickname                                                      Trust Attributes
                                                                              SSL,S/MIME,JAR/XPI

    28b61510920e6b960a2aa13c82b1423b_7ada7c85-3e68-4e1b-90e6-ca090e5c4cd0    u,u,u
    Starfield Secure Certification Authority - Starfield Technologies, Inc.   ,,

As you can see the intermediate CA does not have any trust args. If I try to sign with this I get the following error:

    signtool: PROBLEM signing data (Issuer certificate is invalid)

If I go back to certutil and force trustargs using:

    certutil -M -d . -n "Starfield Secure Certification Authority - Starfield Technologies, Inc." -t "c,,c"

and then try to resign, it signs fine with signtool, but when installing into Firefox I get the following error:

    -260. Signing could not be verified.

It seems like there is some issue with pk12util not properly importing the chain of certificates, but that seems unlikely.

My second attempt was to export our pfx cert WITHOUT exporting the full chain (just our cert + key). I then downloaded the Starfield Root CA and Starfield Intermediate CA certificates from their online repo.

I created a fresh keystore database with:

    certutil -N -d .

I added each certificate manually:

    certutil -A -n "Starfield Root CA" -t "TC,TC,TC" -d . -i "sf-class2-root.cer"
    certutil -A -n "Starfield Intermediate CA" -t "c,c,C" -d . -i "sf_intermediate.crt"

And finally imported our cert using:

    pk12util -i mycert.pfx -d .

Now looking at certutil -L -d .

    Certificate Nickname                                                      Trust Attributes
                                                                              SSL,S/MIME,JAR/XPI

    Starfield Root CA                                                         CT,C,C
    Starfield Intermediate CA                                                 c,c,C
    28b61510920e6b960a2aa13c82b1423b_7ada7c85-3e68-4e1b-90e6-ca090e5c4cd0    u,u,u

shows all 3 certs with proper trust args. If I check the chain with:

    certutil -O -d . -n "28b61510920e6b960a2aa13c82b1423b_7ada7c85-3e68-4e1b-90e6-ca090e5c4cd0"

    "Starfield Root CA" [OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US]

      "Starfield Intermediate CA" [serialNumber=10688435,CN=Starfield Secure Certification Authority,OU=http://certificates.starfieldtech.com/repository,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US]

        "28b61510920e6b960a2aa13c82b1423b_7ada7c85-3e68-4e1b-90e6-ca090e5c4cd0" [CN=Abine Inc.,O=Abine Inc.,L=Wilmington,ST=DE,C=US]

Everything looks fine, and it signs with signtool fine as well. I get the same error as before when trying to install into Firefox:

    Error -260. Signing could not be verified.

I've even tried importing all the certs into Firefox's keystore and then copying the *.db files from my profile directory to my NSS directory and using those to sign. Same thing.

I have read that you can get this error with improper zipping of the final XPI, but this step in our build script has not changed and it used to work fine until our cert had to be renewed, so I do not think it's related to that.

Basically out of ideas; hopefully someone out there can provide some insight into what is going on.

Thanks
-James

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
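As an added example, not part of James's post or of NSS itself: a small pre-flight check that parses `certutil -L` output and reports every CA entry whose JAR/XPI (object-signing) trust column carries no C/c flag, the state his first listing shows after a plain pk12util import. Only the live wrapper assumes certutil is on PATH; the constructed sample listing below runs offline.

```shell
#!/bin/sh
# Pre-flight check for an NSS database that signtool will use.
# An entry with "u" in its trust column is the signer's own key and is
# skipped; every other entry is treated as a CA and must carry an
# object-signing (third column) trust flag.

# check_signing_trust DIR
# Runs certutil (assumed on PATH) and checks the live database.
check_signing_trust() {
    certutil -L -d "$1" | check_signing_trust_listing
}

# check_signing_trust_listing < LISTING
# Same check over a listing read from stdin; prints one line per
# problem, returns 0 when every CA is trusted for signing, 1 otherwise.
check_signing_trust_listing() {
    awk '
        # Skip the two header lines and the blank line certutil prints.
        /^Certificate Nickname/ { next }
        /SSL,S\/MIME,JAR\/XPI/  { next }
        NF == 0                 { next }
        {
            trust = $NF                      # trust attrs are the last field
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)  # nickname = everything before it
            if (trust ~ /u/) next            # our own key, not a CA
            n = split(trust, col, ",")
            if (n < 3 || col[3] !~ /[Cc]/) {
                printf "missing object-signing trust: %s (%s)\n", nick, trust
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample mirroring the listing in the post after pk12util -i:
# the signer has u,u,u and the intermediate has no trust flags at all.
sample_listing() {
    printf '%s\n' \
        'Certificate Nickname                                                      Trust Attributes' \
        '                                                                          SSL,S/MIME,JAR/XPI' \
        '' \
        '28b61510920e6b960a2aa13c82b1423b_7ada7c85-3e68-4e1b-90e6-ca090e5c4cd0    u,u,u' \
        'Starfield Secure Certification Authority - Starfield Technologies, Inc.   ,,'
}

sample_listing | check_signing_trust_listing || echo "database is not ready for signtool"
```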