On 06/23/2010 04:11 AM, xxxxx@hotmail.com wrote:
> /ac c:\opt\thawte-roots\MSCV-GlobalSign.cer
> […]
> Signtool Error: The provided cross certificate would not be present
> in the certificate chain.
Of course not: It is not referenced for anything!
Explanation:
To verify a PK signature, you need an unbroken “signature path” from the
bottom to the top (root) CA.
Let’s see what you have got:
(1) Your company -> Thawte Code Signing CA
Issued to: Interval, Inc.
Issued by: Thawte Code Signing CA
(2) Thawte Code Signing CA -> Thawte Premium Server CA
Issued to: Thawte Code Signing CA
Issued by: Thawte Premium Server CA
(You also have a self-certificate of Thawte Premium Server CA, but this
is not relevant to our discussion.)
What you would need now is this:
(3) Thawte Premium Server CA -> Microsoft Code Certification Root
Issued to: Thawte Premium Server CA
Issued by: Microsoft Code Certification Root
But what you have got in MSCV-GlobalSign.cer is:
(x) GlobalSign Code Signing CA -> Microsoft Code Certification Root
(See this page for a picture with a complete chain:
https://globalsign.com/support/code-signing/codesign_vista64.php)
Of course you can’t use a GlobalSign->Microsoft cross-certificate to
cross-certify some other CA (Thawte) with it.
If you want to make a kernel driver that runs at boot time - using your
Thawte code-signing certificate - you need a cross-certificate linking
Thawte CA to the MS Code Signing Root.
If Microsoft does not provide one, you are out of luck.
Another CA (e.g. GlobalSign) could make a cross-certificate for Thawte
to complete the chain. So if e.g. CA “A” takes over CA “B”, then CA “A”
could provide a cross-certificate for “B”. Theoretically.
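The chain-building rule the reply describes (each link must be a certificate whose Subject equals the previous link's Issuer, ending at the root you are trying to reach) can be checked mechanically. The following is an added example, not code from the thread or from signtool: it models certificates by their Subject/Issuer names only, walks upward from the leaf toward the named root, and reports whether a given cross-certificate can join the path at all. The certificate names are taken from the post; the `HYPOTHETICAL_THAWTE_CROSS` entry is the missing link (3) and is a constructed placeholder, since no such certificate is on the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only Subject and Issuer matter for path building."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_path(leaf: Cert, pool: List[Cert], root_name: str) -> Optional[List[Cert]]:
    """Depth-first search from leaf toward a certificate issued by root_name.

    Each step looks in pool for a certificate whose Subject equals the current
    certificate's Issuer. Self-signed certificates are never used as a step:
    they terminate a chain and cannot lead anywhere else. A cross-certificate
    (same Subject as an existing CA, but issued by a different root) is picked
    up by exactly the same Subject == Issuer matching rule.
    Returns the ordered list leaf..last-intermediate, or None if no path exists.
    """
    def walk(current: Cert, seen: Set[Cert]) -> Optional[List[Cert]]:
        if current.issuer == root_name:
            return [current]
        for cand in pool:
            if cand.subject == current.issuer and cand not in seen and not cand.self_signed:
                rest = walk(cand, seen | {cand})
                if rest is not None:
                    return [current] + rest
        return None

    return walk(leaf, {leaf})


def cross_cert_links(cross: Cert, have: List[Cert]) -> bool:
    """True if the cross-certificate re-certifies a CA that is already referenced
    (as an Issuer) by some certificate we hold; otherwise it is unrelated to our chain,
    which is exactly the condition behind signtool's 'would not be present' error."""
    return any(c.issuer == cross.subject for c in have)


# Certificates named in the thread (name-only stand-ins, constructed for this example).
MS_ROOT = "Microsoft Code Certification Root"
LEAF = Cert("Interval, Inc.", "Thawte Code Signing CA")                      # (1)
THAWTE_CS = Cert("Thawte Code Signing CA", "Thawte Premium Server CA")       # (2)
THAWTE_ROOT = Cert("Thawte Premium Server CA", "Thawte Premium Server CA")   # self-signed
GLOBALSIGN_CROSS = Cert("GlobalSign Code Signing CA", MS_ROOT)               # (x) MSCV-GlobalSign.cer
# Hypothetical link (3): not on the page, constructed to show what a fitting cross-cert looks like.
HYPOTHETICAL_THAWTE_CROSS = Cert("Thawte Premium Server CA", MS_ROOT)

HAVE = [THAWTE_CS, THAWTE_ROOT]


def path_with_globalsign() -> Optional[List[str]]:
    path = find_path(LEAF, HAVE + [GLOBALSIGN_CROSS], MS_ROOT)
    return None if path is None else [c.subject for c in path]


def path_with_hypothetical_cross() -> Optional[List[str]]:
    path = find_path(LEAF, HAVE + [HYPOTHETICAL_THAWTE_CROSS], MS_ROOT)
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    print("GlobalSign cross-cert joins our chain:", cross_cert_links(GLOBALSIGN_CROSS, [LEAF] + HAVE))
    print("Path to MS root with GlobalSign cross-cert:", path_with_globalsign())
    print("Path to MS root with hypothetical Thawte cross-cert:", path_with_hypothetical_cross())
```

Running it shows that the GlobalSign cross-certificate never matches any Issuer in the Thawte chain, so no path to the Microsoft root exists, while a cross-certificate whose Subject is "Thawte Premium Server CA" slots in where the self-signed Thawte root used to terminate the chain.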