Changes

If a CA controls all the domains that use their root certificate, then they probably do not meet the criteria for inclusion in Mozilla's root store. [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states: "We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products." With ALL affected domains under your control, your root certificate would not seem to create a benefit for typical Mozilla users, only for users of your services. Perhaps a better alternative is to be a [[CA/Intermediate_Certificates|subordinate CA]] of a CA who is already [[CA/Included_Certificates|included in Mozilla's root store]]. According to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy]: "We require that all CAs whose certificates are distributed with our software product ... provide some service relevant to typical users of our software products." It is the CA's responsibility to explain justify why their root certificate needs to be included in NSS Mozilla's root store and explain how the inclusion will benefit typical Mozilla users.