3.6.16 can chain Verisign code signing intermediate certificate ("2010 CA") in an xpi file even though it is not installed int its cert store, but 4.0 does not. Why does 4.0 not chain this cert?
Certs that are in FF 4.0 on the signing workstation using Key Manager (I imported the "2010 CA"cert):
Company cert
VeriSign Class 3 Code Signing 2010 CA 52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7
VeriSign Class 3 Public Primary Certification Authority - G5 25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd
Verisign Class 3 Public Primary Certification Authority 70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf
Certs that are in FF 4.0 on the signing workstation using Key Manager (I imported the "2010 CA"cert):
Company cert
VeriSign Class 3 Code Signing 2010 CA
52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7
VeriSign Class 3 Public Primary Certification Authority - G5
25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd
Verisign Class 3 Public Primary Certification Authority
70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf
Toate răspunsurile (1)
Turns out that Key Manager is apparently not compatible with 4.0. I uninstalled 4.0 from the signing workstation, installed 3.6.x and Key Manager again, then signings contained the chain for the client running either 3.6 or 4.0.