Open Bug 320438 Opened 19 years ago Updated 1 year ago

certutil documentation improperly illustrates setting user trust bits

Categories

(NSS :: Documentation, defect, P3)

Tracking

(Not tracked)

People

(Reporter: tj.iam.tj, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Mnenhy/0.7.3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Mnenhy/0.7.3.0

Whilst working out how to sign Firefox extension XPI packages I discovered that when importing a new code-signing certificate (from Unizeto Certum) into an NSS database using the trust attribute -t "u,u,u" the trusts didn't seem to be applied to the key/certificate.

I had also imported the same code-signing key/certificate into Mozilla Firefox database and using certutil -L showed it had the correct attributes.

I couldn't find any articles about this through searching, nor bug reports.

Reproducible: Always

Steps to Reproduce:
1. certutil -A -n "Code Signing (Certum)" -t "u,u,u" -d . -i "CodeSigning.cer"
2. certutil -L -d .

Actual Results:
    C:\Projects\CodeSigning> certutil -L -d .
    myTestCert               u,u,Cu
    Certum Root CA           CT,C,C
    Certum Level I           CT,C,C
    Code Signing (Certum)    ,,

Expected Results:
    C:\Projects\CodeSigning> certutil -L -d .
    myTestCert               u,u,Cu
    Certum Root CA           CT,C,C
    Certum Level I           c,c,C
    Code Signing (Certum)    u,u,u

I've documented the circumstances and the workaround in the article I've just completed that describes how to use a code-signing certificate on Windows for XPIs. The demo URL of this report contains the link. In the article, find Step 14. Details are about 6 paragraphs in.

TJ.
Nelson, Bob, Julien, could you answer this question?
Assignee: wtchang → nelson
The "u" user trust bit can no longer be set manually in current versions of NSS. NSS will automatically set that bit for you if the private key is available. In this case, you added the certificate without adding the private key, so the user bit will never be shown. You can import both the private key and the certificate at the same time with pk12util if you have a PKCS#12 file containing them. This is working as designed, so I'm closing this bug as invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
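Added example (not part of the bug report or of NSS): a shell check that reads a certutil -L listing and reports whether a nickname carries the "u" flag, that is, whether NSS found the matching private key. The function name has_user_key and its exit codes are assumptions made for this example; the sample listing is the "Actual Results" output from the report.

```shell
#!/bin/sh
# has_user_key NICKNAME COLUMN < listing
#   listing : output of `certutil -L -d <dbdir>`
#   COLUMN  : 1 = SSL, 2 = S/MIME, 3 = object signing
# Exit status: 0 = "u" present, 1 = "u" absent, 2 = nickname not listed.
# (Hypothetical helper written for this example.)
has_user_key() {
    awk -v nick="$1" -v col="$2" '
    {
        # The trust string is the last whitespace-separated field;
        # everything before it is the nickname, which may contain spaces.
        trust = $NF
        name = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
        sub(/^[ \t]+/, "", name)
        if (name == nick) {
            found = 1
            # An empty trust string such as ",," still splits into 3 fields.
            n = split(trust, f, ",")
            if (n == 3 && index(f[col], "u")) ok = 1
        }
    }
    END {
        if (!found) exit 2
        exit ok ? 0 : 1
    }'
}

# Listing copied from the report: the certificate was added with
# `certutil -A -t "u,u,u"` but its private key is not in the database.
actual_listing() {
    cat <<'EOF'
myTestCert                  u,u,Cu
Certum Root CA              CT,C,C
Certum Level I              CT,C,C
Code Signing (Certum)       ,,
EOF
}

# Column 3 (object signing) is the one that matters for XPI signing.
if actual_listing | has_user_key "Code Signing (Certum)" 3; then
    echo "u flag set: private key present, certificate usable for signing"
else
    echo "no u flag: import the key pair with pk12util -i <file.p12> -d <dbdir>"
fi
```

Against a real database, pipe `certutil -L -d <dbdir>` into the function in place of actual_listing.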
This behaviour should be added to the documentation for certutil then, because there is no indication of this anywhere - especially as it gives examples with the "u" attribute.
I'll turn this into a documentation bug.
Status: RESOLVED → UNCONFIRMED
Component: Tools → Documentation
OS: Windows XP → All
Hardware: PC → All
Resolution: INVALID → ---
Summary: certutil -t "u,u,u" doesn't set trust attributes → certutil documentation illustrates setting user trust bits
Assignee: nelson → wtchang
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: jason.m.reid → wtchang
Assignee: wtchang → nobody
QA Contact: wtchang → documentation
Summary: certutil documentation illustrates setting user trust bits → certutil documentation improperly illustrates setting user trust bits
Priority: -- → P3
Severity: normal → S3