Changes

CA/Required or Recommended Practices

22 bytes removed, 23:54, 21 October 2022
m
OCSP: Updated to change outdated language
# The OCSP URI must be provided in end entity certificates. (BR section 7.1.2.3.c.)
# OCSP Responders SHALL NOT respond “Good” for Unissued Certificates. (BR section 4.9.10)
# OCSP Responses shall be updated at least every four days and have a maximum expiration time of ten days (additional OCSP requirements may be found in BR section 4.9.10)
# CAs MUST NOT issue OCSP responder certificates using SHA-1 (BR section 7.1.3.2.1)
# OCSP responses MUST conform to RFC6960 and/or RFC5019. (BR section 4.9.9)
 
Please refer to section 4.9.10 of the [https://cabforum.org/baseline-requirements-documents/ Baseline Requirements] for additional OCSP requirements.
You MUST test your OCSP service in Firefox! We expect OCSP responders to function without error in Mozilla products. To test in Firefox:
* Go to Firefox -> Options... Settings -> Privacy & Security -> Certificates
* Check the box for "Query OCSP responder servers to confirm the current validity of certificates"
* You may need to clear your history cache
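Review bot: The first bullet of the Firefox test steps reads "Options... Settings", which leaves two menu labels side by side in one path. Since the edit summary says the goal is to replace outdated language, keep only the current label so the step reads as a single path. Also, item 3 of the numbered list and the paragraph after the list both point to BR section 4.9.10 for additional OCSP requirements, so one of the two pointers can be dropped.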