Firefox 4 Doesn’t Recognize New Thawte Code Signing Cert

We just got a new code signing cert from Thawte and after getting it installed, I discovered that Firefox 4 would still show “Author not verified” when installing the XPI. After doing some research, I found this bug – Turn on the code signing trust bit for the Thawte Primary Root CA. It has some information on a workaround, but it wasn’t very detailed so I thought I would post it for everyone.

Here’s what I did:

Per the Thawte instructions, I use IE on Windows to manage my certs. After importing my new cert into IE, the first step was to export it. Important: When you export the PFX file do NOT check the box to include all the certificates in the certification path.

Next, I created a new cert database using: certutil -N -d .

Then I imported my cert using pk12util: pk12util -i {filename}.pfx -d .

Thawte has created a new intermediate cert to work around this problem. It can be downloaded here.

You need to download it and import it into your database using this command:

certutil -t "c,c,C" -n "thawte" -A -d . < new_thawte.cer

You should now be able to sign your XPI.

One other thing I ran into was finding a version of NSS that worked properly. I ended up using this one.
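
Before signing, it helps to confirm that the intermediate really landed in the database with the trust flags from the certutil -t "c,c,C" command above. The script below is an added example, not part of the original post: it reads the listing that `certutil -L -d .` prints and checks the third trust field (the JAR/XPI, object signing column) for a nickname. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The listing below is constructed
# sample data in the layout printed by `certutil -L -d .`.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

thawte                                                       c,c,C
Example Corp code signing                                    u,u,u
'

# objsign_trust NICKNAME: read a certutil -L listing on stdin and print the
# third (object signing) trust field for NICKNAME. Nicknames may contain
# spaces, so the trust string is taken as the last field on the line.
# Exit status 1 if the nickname is not listed.
objsign_trust() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            trust = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
            sub(/^[ \t]+/, "", name)                # strip leading blanks
            if (name == nick) { split(trust, f, ","); print f[3]; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# is_objsign_ca NICKNAME: 0 if the object signing field contains "C" (as set
# by -t "c,c,C"), 1 if it does not, 2 if the nickname is missing.
is_objsign_ca() {
    flags=$(objsign_trust "$1") || return 2
    case "$flags" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Against a real database: certutil -L -d . | is_objsign_ca thawte
if printf '%s\n' "$SAMPLE_LISTING" | is_objsign_ca thawte; then
    echo "thawte: CA trust flag set for object signing"
else
    echo "thawte: missing or not trusted for object signing" >&2
fi
```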


6 thoughts on “Firefox 4 Doesn’t Recognize New Thawte Code Signing Cert”

    • I don’t think so, but I know that the easiest way to get your cert into a PFX file is to use IE.

      When Thawte gives you the cert, they provide it as text in the file as well, so I’m assuming you can use that.

  1. Hello Mike.
    We just ran into the same issue with our IE browser helper object. I had to use the certmgr.msc to import the intermediate cert before re-signing our binaries and installers. This was on XP where certutil doesn’t exist. Thanks for the pointers.