Confirm, administrator
5,526
edits
Changes
added first point about considering whether to be directly included or not
The overall steps of the CA certificate inclusion process are as follows.
# Carefully consider whether your CA needs to be directly included in Mozilla's root store or if it would be better for your CA to be a [[CA:SubordinateCAcerts|subordinate CA of an already-included CA]].
#* If you control all the domains that use your root certificate, then you probably do not meet the criteria for inclusion in Mozilla's root store. [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states: "We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products." With ALL affected domains under your control, your root certificate would not seem to create a benefit for typical Mozilla users, only for users of your services. Perhaps a better alternative would to be a [[CA:SubordinateCAcerts|subordinate CA]] of a CA who is [[CA:IncludedCAs|already included in Mozilla's root store]].
#* According to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy]: "We require that all CAs whose certificates are distributed with our software product ... provide some service relevant to typical users of our software products." It is the CA's responsibility to explain why their root needs to be included in NSS and explain how the inclusion will benefit typical Mozilla users.
# A representative of the CA [[CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request | submits a request for root inclusion.]]
#* If you would like to see a particular root certificate included in Mozilla products, then please contact the CA who operates that root certificate.
