CA:CommonCADatabase: Difference between revisions

From MozillaWiki
(Adding PEM section)
(Moved content to ccadb.org)
 
(48 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{DRAFT}}
= Common CA Database (CCADB) =
<br />
The content of this page has been moved to http://ccadb.org/
<br />
Historically, [https://en.wikipedia.org/wiki/Certificate_authority Certification Authorities (CAs)] have had to separately submit data to multiple, individual root store operators, resulting in inefficiency and duplication of effort. Mozilla maintains a CRM instance for communicating with CAs and managing CA data, called the Common CA Database (CCADB), which was originally referred to as the CA Community in Salesforce. Through the CCADB, our goal is to enable CAs to directly provide updates to all participating root store operators at once, and to reduce duplication of effort across the root store programs.
* A [[CA:CommonCADatabase:RootStoreOperators|'''Root Store Member''']] is any root store operator participating in the Common CA Database via the [[File:MozillaCommonCADatabaseAgreement.pdf|Mozilla Common CA Database Agreement]].
* A '''CA Member''' is any CA participating in the Common CA Database via a '''Community License'''. CA Members have read-only access to all root certificate data; are able to enter and modify data regarding intermediate certificates chaining up to their own root certificates; and are able to create Audit Cases to report their updated Audit, CP, CPS, and test website URLs each year.


= Request a license =
CA Community Licenses are granted to CAs in the root store programs of participating root store operators. '''You only need one CA Community License''' to access the CCADB data relating to all participating root store programs.<br />
To request a license:
* Specific instructions for CAs in Microsoft's CA Program -- '''TO DO - ADD LINK AND OR TEXT'''
* [[CA:SalesforceCommunity|Specific instructions for CAs in Mozilla's CA Program]]
** Send email to [mailto:certificates@mozilla.org certificates@mozilla.org] with your name and the name of the CA you represent.


= Getting Started =
<br />
The content of this section has been moved to http://ccadb.org/cas/getting-started
<br />
After you receive email with your CA Community License, you may log in to the Common CA Database as follows:
# Browse to: https://mozillacacommunity.force.com/  --- '''TO DO: Update this page to say "Common CA Database" instead of "mozilla".'''
# Enter your Username, which is the email address for which your Community User License was issued
# Enter the Password that you set up during first access
# Click on the "Log in to CA Community" button
 
Upon initial login you will see a row with six tabs:
# Home
# CA Owners/Certificates
#* Click on "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". This will list the CA Owner and all of the root and intermediate certificates associated with your account. Click on the "CA Owner/Certificate Name" to view the record. Within the record you will see an Account Hierarchy section, where you can click on each root or intermediate certificate record to view the data.
# Contacts
#* Click on "Contacts" tab, then in "View:" select "All Contacts" and click on "Go!". Click on the Name to view the contact record.
# Cases
#* Click on "Cases" tab, then "My Cases" and click on "Go!".
# CA Communications (Page)
#* This may be used when a root store operator polls their CA members for information.
# Reports
#* Click on "Reports" tab, then click on the "CA Community Reports" link along the left column, then click on one of the reports in the list. Whenever you click on the "Reports" tab it will list the reports that you have recently viewed. You will need to click on the "CA Community Reports" link to see all of the reports that are available to you.
 
Important Notes:
* Each Owner/Certificate record has a "CA Owner/Certificate Name" field. For a certificate record, the value of this field is usually the Certificate '''Subject''' Common Name of the certificate. For a CA Owner record, this field displays the CA's name. (We cannot change the title of the field in the page, due to the way we are using it in the CRM.)
* Each Certificate record has a "Parent CA Owner/Certificate" field. For an intermediate certificate record the value of the field should be the Certificate '''Issuer''' Common Name. For a root certificate record the value of the field will be the name of the CA owner. (We cannot change the title of the field in the page, due to the way we are using it in the CRM.)
* CA Community Users cannot modify the records for: Owner, Root Certificate, and Contact. Only the Root Store Members can modify these records.
* CA Community Users can only modify the intermediate certificate records for their CA.
* When PEM data is provided, the certificate details in the record may not be modified.
 
= PEM Data =
[https://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions PEM] data is used to enter root and intermediate certificate data into the CCADB. PEM is a container format defined in RFCs [https://tools.ietf.org/html/rfc1421 1421] through [https://tools.ietf.org/html/rfc1424 1424] that includes just the public certificate when used within the CCADB. PEM stands for Privacy Enhanced Mail, but the container format it uses is a base64 encoding of [https://en.wikipedia.org/wiki/X.509 X.509] [https://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One ASN.1] keys.
<br /><br />
[https://tls-observatory.services.mozilla.com/static/certsplainer.html Mozilla's TLS Observatory Certificate Explainer] may be used to get the PEM format of the certificate.
* https://tls-observatory.services.mozilla.com/static/certsplainer.html
* In the 'Post a certificate' section click on the 'Browse...' button to select a .cer, .crt, .cert, or .pem file
* Check the top of the window to make sure there are no errors listed, and that the desired certificate has been found.
* The data in the text box in the 'Post a certificate' section is the PEM.
* Copy and paste the entire PEM blob, which starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
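
A pre-submission check for the copy step above, as an added example (not CCADB or Mozilla code): it confirms that the copied text is exactly one complete CERTIFICATE block with nothing outside the BEGIN/END lines, no private key material, valid base64, and a well-formed outer DER SEQUENCE. The function names and the constructed sample (a dummy DER structure, not a real certificate) are assumptions made for illustration.

```python
import base64
import re

# One PEM block: BEGIN <label>, base64 body, END <same label>.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def der_outer_sequence_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose length field spans the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_for_submission(text: str) -> list:
    """Return the problems found; an empty list means the blob can be pasted."""
    problems = []
    if "PRIVATE KEY-----" in text:
        problems.append("contains private key material; do not submit")
    certs = [body for label, body in PEM_BLOCK.findall(text)
             if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append(f"expected 1 complete CERTIFICATE block, found {len(certs)}")
        return problems
    stripped = text.strip()
    if not (stripped.startswith("-----BEGIN CERTIFICATE-----")
            and stripped.endswith("-----END CERTIFICATE-----")):
        problems.append("text outside the BEGIN/END CERTIFICATE lines")
    try:
        der = base64.b64decode("".join(certs[0].split()), validate=True)
    except ValueError:
        problems.append("body is not valid base64")
        return problems
    if not der_outer_sequence_ok(der):
        problems.append("decoded body is not a single DER SEQUENCE")
    return problems

def make_sample_pem(label: str = "CERTIFICATE", pad: int = 256) -> str:
    """Constructed sample: a dummy DER SEQUENCE of zero bytes, not a real cert."""
    der = b"\x30\x82\x01\x00" + bytes(pad)
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

if __name__ == "__main__":
    good = make_sample_pem()
    print(check_pem_for_submission(good))                          # complete blob
    print(check_pem_for_submission(good.rsplit("\n", 1)[0]))       # END line lost
    print(check_pem_for_submission(good + "\n" + make_sample_pem("PRIVATE KEY")))
```

The DER check only inspects the outer tag and length, so it catches truncated or corrupted pastes but does not validate the certificate's contents.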


= Updating Audit Information =
<br />
The content of this section has been moved to http://ccadb.org/cas/updates
<br />
All Root Store Members require their CAs to provide, annually, updated statements in which a competent independent party or parties attest to the CA's conformance to the stated verification requirements and other operational criteria, as outlined in the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] and in each root store operator's policies.
 
Enter updated Audit Information into the CCADB:
# '''TO DO'''

Latest revision as of 22:49, 8 June 2017

Common CA Database (CCADB)


The content of this page has been moved to http://ccadb.org/


Getting Started


The content of this section has been moved to http://ccadb.org/cas/getting-started

Updating Audit Information


The content of this section has been moved to http://ccadb.org/cas/updates