
CA/Application Process

14 bytes removed, 19:41, 4 May 2017
updated links
The overall steps of the CA certificate inclusion process are as follows.
# Carefully consider whether your CA needs to be [[CA/Included_Certificates|directly included in Mozilla's root store]] or if it would be better for your CA to be a [[CA:SubordinateCAcerts/Intermediate_Certificates|subordinate CA of an already-included CA]].
#* If you control all the domains that use your root certificate, then you probably do not meet the criteria for inclusion in Mozilla's root store. [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states: "We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products." With ALL affected domains under your control, your root certificate would not seem to create a benefit for typical Mozilla users, only for users of your services. Perhaps a better alternative is to be a [[CA:SubordinateCAcerts/Intermediate_Certificates|subordinate CA]] of a CA who is [[CA:IncludedCAs/Included_Certificates|already included in Mozilla's root store]].
#* According to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy]: "We require that all CAs whose certificates are distributed with our software product ... provide some service relevant to typical users of our software products." It is the CA's responsibility to explain why their root needs to be included in NSS and explain how the inclusion will benefit typical Mozilla users.
# A representative of the CA [[CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request | submits a request for root inclusion.]]
#* A representative of Mozilla adds (commits) the patch to NSS, then closes the NSS bug as RESOLVED FIXED.
# Mozilla products move to using a version of NSS which contains the certificate changes. This process is mostly under the control of the release drivers for those products. See [https://wiki.mozilla.org/RapidRelease/Calendar Mozilla's Release Calendar.]
# After inclusion of the CA's root certificate, a representative of Mozilla issues a [[CA:SalesforceCommunityCommonCADatabase|Common CA Database (CCADB)]] license to the [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for the CA.
# The CA [[CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify|enters data into the CCADB]] for:
#* All of the certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their root certificate(s) included in Mozilla’s CA Certificate Program Root Store that are not technically constrained as described in section 5.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's Root Store Policy].
#* [[CA:ImprovingRevocationSalesforceCommunity#Preload_Revocations_of_Intermediate_CA_CertificatesAdd_Revoked_Intermediate_Certificate_Data_to_the_CCADB|Revoked intermediate certificates]] that chain to their certificate(s) included in Mozilla's CA Certificate Program Root Store.
== Ways You Can Help ==