[EMAIL PROTECTED] wrote:
> Can I take my Verisign co-signed certificate and alter its
> 'nsCertType' to 0xb0?  Or did this need to happen to the csr *before*
> I sent it to Verisign, or (more likely) is this something Verisign had
> to do when they co-signed it?  

Hell no! You cannot change an already issued certificate - if you could, 
you could as well put a new public key into it, making the idea of 
certification utterly pointless.

Again:
You CAN NOT and SHOULD NOT use your server certificate for object signing. 
This is not a technical/extensions issue; it is a fundamental security issue.

If you want to test code signing or use it in-house, you can issue your 
own certs with correct types - and here Dr. Henson's FAQ will help you.
If you want global or automatically-trusted signing, you should get
a signing cert from a global CA. 

Verisign's page for requesting a developer certificate is at 
http://digitalid.verisign.com/developer/nos_pick.htm

And more information about object-signing certificates is at:
http://digitalid.verisign.com/developer/help/aboutdid.htm

Kaur
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
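
The point of the reply above, as an added example that is not part of the original message: a throwaway test CA issues one cert with nsCertType "server" and one in-house cert with the 0xb0 types set at issuance, then the server cert's nsCertType byte is edited to 0xb0 after issuance and no longer verifies. All names are constructed; it assumes the `openssl` command-line tool and a POSIX shell.

```shell
#!/bin/sh
# Added example: throwaway test CA and constructed names, nothing from a real CA.
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
cat > "$D/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example In-House Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -config "$D/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$D/ca.key" -out "$D/ca.pem" -days 30 2>/dev/null

# issue NAME TYPES: new key and CSR, signed by the test CA with nsCertType = TYPES
issue() {
    printf 'nsCertType = %s\n' "$2" > "$D/$1.ext"
    openssl req -new -config "$D/req.cnf" -subj "/CN=example-$1" -newkey rsa:2048 \
        -nodes -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$D/$1.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
        -CAcreateserial -days 30 -extfile "$D/$1.ext" -out "$D/$1.pem" 2>/dev/null
}

# Succeeds only if the CA signature over the certificate body still checks out.
verify_cert() { openssl verify -CAfile "$D/ca.pem" "$1" >/dev/null 2>&1; }

# Edit an already issued cert: nsCertType BIT STRING 0x40 (server) -> 0xb0.
# The hex prefix is the DER of the Netscape cert-type OID plus the value headers.
tamper_nscerttype() {
    hex=$(openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n')
    printf '%s\n' "$hex" |
        sed 's/\(06096086480186f842010104040302\)0640/\104b0/' | fold -w 2 |
        while read -r b; do printf '%b' "\\0$(printf '%03o' "0x$b")"; done > "$2.der"
    openssl x509 -inform DER -in "$2.der" -out "$2"
}

issue server server
issue objsign 'client, email, objsign'   # 0xb0, chosen when the cert is issued
tamper_nscerttype "$D/server.pem" "$D/tampered.pem"
for c in server objsign tampered; do
    if verify_cert "$D/$c.pem"; then echo "$c: verifies"; else echo "$c: REJECTED"; fi
done
```

The tampered file still parses and displays "Object Signing", which is why the check that matters is signature verification against the issuer, not the extension text.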
