7 Replies Latest reply on Feb 11, 2010 5:48 PM by tzeng

    Thawte Certificate (present from Adobe) fails

    Fabrice3D Level 1

      A few weeks ago I got a free certificate from Adobe (thx), but AIR refuses it. I have tried exporting it to every certificate format known to mankind, and tried both the export from FF, the browser used for the Thawte procedure, and the keychain export on my Mac... Thawte says it's an AIR issue; they ran a few checks and proved it's a valid one.

       

      AIR simply refuses it.

       

      The default p12 and all others I've generated are accepted. But not the official one...

       

      Do I need to do something extra compared to default certificates?

       

      Fabrice

        • 1. Re: Thawte Certificate (present from Adobe) fails
          tzeng Adobe Employee

          I am not sure what you mean by default one.

          Do you get the Thawte Certificate from Thawte?

           

          You might not have the whole certificate chain in your p12 file. If you use ADT to package your AIR file with the Thawte cert, ADT should give you a clear error message.

           

          -ted

          • 2. Re: Thawte Certificate (present from Adobe) fails
            Fabrice3D Level 1

            Oh yes, the certificate is just fine; I spent like a week, every evening, with Thawte to find out if there was an issue on their side.

            I've even done the procedure twice monitored by the Thawte tech guys.

            After they had double-checked everything, they came to the conclusion there might be an issue with AIR.

             

            By default one I mean the p12 you can generate from CS4 that you save and use to compile.

            This one works just fine.

             

            The Thawte certificate gives a "could not sign the AIR file" alert.

             

            Fabrice

            • 3. Re: Thawte Certificate (present from Adobe) fails
              tzeng Adobe Employee

              On your Mac, could you open a terminal and execute the following command:

               

              keytool -list -v -storetype pkcs12 -storepass password_for_your_p12_file  -keystore filepath_to_p12

              where password_for_your_p12_file is the password for your certificate.

               

              In the output, find the line:
              Certificate chain length: x
              Where x should be more than 1. I think it is 3 for Thawte.
              If x=1, then you don’t have the whole certificate chain in your p12 file.

               

              AIR needs to have a p12 certificate with full certificate chain to package an AIR file.

              • 5. Re: Thawte Certificate (present from Adobe) fails
                tzeng Adobe Employee

                I just found out you are on a Mac. Could you run the command in my post above?


                • 6. Re: Thawte Certificate (present from Adobe) fails
                  Fabrice3D Level 1

                  how do I do that? Did not get previous mail, trying now

                   

                  get

                   

                   

                   

                  Picked up JAVA_TOOL_OPTIONS: -Xmx1024m

                   

                  Keystore type: PKCS12

                  Keystore provider: SunJSSE

                   

                  Your keystore contains 1 entry

                   

                  Alias name: myid stuff

                  Creation date: Feb 11, 2010

                  Entry type: PrivateKeyEntry

                  Certificate chain length: 1

                  Certificate[1]:

                  Owner: CN= myid stuff

                  Issuer: CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

                  Serial number: 519ad576670d16f769840de6e82e4759f

                  Valid from: Mon Nov 16 01:00:00 CET 2009 until: Wed Nov 17 00:59:59 CET 2010

                  Certificate fingerprints:

                  MD5:  EE:1D:FC:3C:08:37:88:D1:2D:9B:D7:13:EF:22:46:10

                  SHA1: 6F:FB:97:B3:4E:5C:0B:CF:D6:6A:5D:B3:1E:75:CB:D4:97:7E:BE:4F

                  Signature algorithm name: SHA1withRSA

                  Version: 3

                   

                  Extensions:

                   

                  #1: ObjectId: 2.5.29.19 Criticality=true

                  BasicConstraints:[

                    CA:false

                    PathLen: undefined

                  ]

                   

                  #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false

                  AuthorityInfoAccess [

                    [accessMethod: 1.3.6.1.5.5.7.48.1

                     accessLocation: URIName: http://ocsp.thawte.com]

                  ]

                   

                  #3: ObjectId: 2.5.29.4 Criticality=false

                   

                  #4: ObjectId: 2.5.29.31 Criticality=false

                  CRLDistributionPoints [

                    [DistributionPoint:

                       [URIName: http://crl.thawte.com/ThawteCodeSigningCA.crl]

                  ]]

                   

                  #5: ObjectId: 2.5.29.37 Criticality=false

                  ExtendedKeyUsages [

                    codeSigning

                    1.3.6.1.4.1.311.2.1.22

                  ]

                   

                  #6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false

                  NetscapeCertType [

                     Object Signing

                  ]

                   

                  x = 1, so that means it's wrong? How do I get the "3"? Does this mean I need to go back to Thawte?

                  • 7. Re: Thawte Certificate (present from Adobe) fails
                    tzeng Adobe Employee

                    Your certificate is fine. But you need to have the Thawte Code Signing CA certificate. This is an intermediate CA, I believe, and you might try to download it from https://www.thawte.com/roots/index.html or you can ask Thawte directly for it.

                     

                    Once you get this CA, you can install it in Firefox and then export your certificate again.

                    Then run the same command on the p12 file to see if the cert chain is more than 1.

                     

                     

                    -ted
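
Added example, not part of the thread or of Adobe's tooling: a shell function that reads `keytool -list -v` output and applies the chain-length check described above to every private-key entry. It also separates the one case where a chain length of 1 is complete, a self-signed certificate whose owner equals its issuer, from a CA-issued certificate exported without its issuer. The function name, the verdict strings and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Usage (command from the thread, piped into the added check):
#   keytool -list -v -storetype pkcs12 -storepass PASS -keystore FILE.p12 | check_chain
# Prints "<alias>|<chain length>|<verdict>" per PrivateKeyEntry and
# returns 1 if any CA-issued entry lacks its issuer certificates.
check_chain() {
    awk '
        function report() {
            if (alias == "" || type != "PrivateKeyEntry") return
            if (len > 1)              verdict = "chain-present"
            else if (owner == issuer) verdict = "self-signed"
            else                    { verdict = "incomplete"; bad = 1 }
            printf "%s|%d|%s\n", alias, len, verdict
        }
        { sub(/^[ \t]+/, "") }                  # tolerate indented output
        /^Alias name:/ { report(); alias = substr($0, 13)
                         type = owner = issuer = ""; len = 0 }
        /^Entry type:/ { type = $NF }
        /^Certificate chain length:/ { len = $NF + 0 }
        /^Owner:/  && owner  == "" { owner  = substr($0, 8) }   # leaf only
        /^Issuer:/ && issuer == "" { issuer = substr($0, 9) }   # leaf only
        END { report(); exit bad + 0 }
    '
}

# Constructed keytool output: CA-issued leaf exported without its issuer.
sample_ca_issued() {
    cat <<'EOF'
Alias name: example developer
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Developer
Issuer: CN=Example Code Signing CA, O=Example CA Ltd., C=ZZ
EOF
}

# Constructed keytool output: self-signed certificate, complete on its own.
sample_self_signed() {
    cat <<'EOF'
Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Dev Cert
Issuer: CN=Example Dev Cert
EOF
}

sample_ca_issued   | check_chain || echo "re-export with the issuing CA installed"
sample_self_signed | check_chain
```

A verdict of `chain-present` only means more than one certificate is stored with the key; it does not validate that the chain reaches a trusted root.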