Firefox 4 Doesn't Recognize New Thawte Code Signing Cert
We just got a new code signing cert from Thawte and after getting it installed, I discovered that Firefox 4 would still show "Author not verified" when installing the XPI. After doing some research, I found this bug - Turn on the code signing trust bit for the Thawte Primary Root CA. It has some information on a workaround, but it wasn't very detailed so I thought I would post it for everyone.
Here's what I did:
Per the Thawte instructions, I use IE on Windows to manage my certs. After importing my new cert into IE, the first step was to export it. Important: When you export the PFX file do NOT check the box to include all the certificates in the certification path.
Next, I created a new cert database using: certutil -N -d .
Then I imported my cert using pk12util: pk12util -i (unknown).pfx -d .
Thawte has created a new intermediate cert to work around this problem. It can be downloaded here.
You need to download it and import it into your database using this command:
certutil -t "c,c,C" -n "thawte" -A -d . < new_thawte.cer
You should now be able to sign your XPI.
One other thing I ran into was finding a version of NSS that worked properly. I ended up using this one.
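The procedure above as an added script (not from the original post), with the check the steps leave out: after importing the intermediate it reads the certutil -L listing and confirms the nickname carries the C (trusted CA) flag in the JAR/XPI column, which is the bit Firefox needs to validate the XPI signature. It assumes the NSS tools are on PATH; the file names mycert.pfx and new_thawte.cer, the nickname thawte, and the signing-cert nickname argument are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the NSS database the
# post describes and verifies that the Thawte intermediate really carries the
# object-signing trust bit before signing.
# Assumed placeholders: ./mycert.pfx (exported WITHOUT the certification
# path), ./new_thawte.cer (the new Thawte intermediate), nickname "thawte".

# Print the trust column (e.g. "c,c,C") for a nickname in `certutil -L`
# output. Nicknames may contain spaces, so match on everything but the
# last whitespace-separated field.
trust_attrs_for() {   # $1 = listing text, $2 = nickname
    printf '%s\n' "$1" | awk -v nick="$2" '
        NR > 2 && $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            sub(/^[ \t]+/, "", name)                # drop leading blanks
            if (name == nick) { print $NF; exit }
        }'
}

# Succeed only if the third column (JAR/XPI, i.e. object signing) has "C":
# trusted CA for code signing, which is what `-t "c,c,C"` sets.
has_objsign_ca_trust() {   # $1 = listing text, $2 = nickname
    attrs=$(trust_attrs_for "$1" "$2")
    case "$attrs" in
        *,*,*C*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Full procedure: $1 = NSS db dir, $2 = nickname of your signing cert,
# $3 = unpacked extension dir, $4 = output XPI.
setup_and_sign() {
    certutil -N -d "$1"
    pk12util -i mycert.pfx -d "$1"
    certutil -A -t "c,c,C" -n thawte -d "$1" -i new_thawte.cer
    listing=$(certutil -L -d "$1")
    if ! has_objsign_ca_trust "$listing" thawte; then
        echo "thawte lacks the object-signing CA bit; fix with:" >&2
        echo "  certutil -M -t \"c,c,C\" -n thawte -d $1" >&2
        return 1
    fi
    signtool -d "$1" -k "$2" -Z "$4" "$3"
}

# Run only when asked, e.g.: RUN_SIGN=1 sh sign.sh
if [ "${RUN_SIGN:-0}" = 1 ]; then
    setup_and_sign . "My Signing Cert" ./ext ./ext.xpi
fi
```

If the check fails, the "C" flag was not applied; certutil -M rewrites the trust on the existing nickname without re-importing the cert.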
Per the Thawte instructions, I use IE on Windows to manage my certs.
Does this mean that anyone running on a Mac or on Linux is left out in the cold?
I don't think so, but I know that the easiest way to get your cert into a PFX file is to use IE.
When Thawte gives you the cert, they provide it as text in the file as well, so I'm assuming you can use that.
On Linux you can use openSSL to convert the cert to any format you want (including PFX).
Hello Mike.
We just ran into the same issue with our IE browser helper object. I had to use certmgr.msc to import the intermediate cert before resigning our binaries and installers. This was on XP where certutil doesn't exist. Thanks for the pointers.