PSM:EV Testing Easy Version: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
m (added note that the tool can be run locally for debugging)
 
(75 intermediate revisions by 4 users not shown)
Line 1: Line 1:
This page is for Certificate Authorities (CAs) who request to have a root certificate enabled for Extended Validation (EV) treatment (the "green identity" bar showing country code and company names).
This page is for [[CA:FAQ#What_are_CAs.3F | Certificate Authorities (CAs)]] who request to have a root certificate enabled for [https://cabforum.org/extended-validation Extended Validation (EV) treatment], and need to test that their CA hierarchy is ready for EV treatment.


However, this page is unrelated to the organizational process of obtaining permission to be added. If you haven't yet applied for inclusion, start with the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy] and the [[CA:How_to_apply | How to Apply]] guidelines.
Before requesting EV treatment, CAs should understand how [[CA/EV_Processing_for_CAs | Firefox processes EV certificates]] and ensure that they are using the CA/Browser Forum EV OID (2.23.140.1.1), which Mozilla requires.


This page is a technical page related to testing, only.
To request that your root certificate be included in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] and [https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp enabled for EV treatment], see [[CA/Application_Process|Mozilla's application process]].
It explains how you can test that your CA certificate and your OCSP infrastructure is working correctly according to the expectations of Mozilla, Firefox, the NSS library, and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software.)


You (the CA) are requested to perform tests on your own, and only after you got positive test results you should proceed to request the technical addition.
This page explains how you can test that your certificates and OCSP infrastructure are working correctly according to the expectations of Mozilla, Firefox, and the NSS library; and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software.)


= Overview =
= EV-Readiness Check =
To test your CA hierarchy to see if it is ready to request EV treatment:
# Browse to
#* [https://github.com/mozilla/CCADB-Tools/tree/master/evReadiness NEW]: https://evready-dot-ccadb-231121.appspot.com/evready
#* [https://github.com/mozilla/tls-observatory OLD]: https://tls-observatory.services.mozilla.com/static/ev-checker.html
# Enter the URL to the test website for the EV certificate
#* Example: https://observatory.mozilla.org
# Enter the EV Policy OID
#* Example: 2.23.140.1.1
# Enter the PEM data for the root certificate, or use the "Browse..." button to select the PEM file for the root certificate (ending of file may be .pem or .cert)
#* Begin with: -----BEGIN CERTIFICATE-----
#* End with: -----END CERTIFICATE-----
#* [https://crt.sh/?d=853428 Example PEM Data] - open with a plain text editor like TextEdit
#* [http://ccadb.org/cas/fields#pem-data Help with getting PEM]
# Click on "Submit"


* You will use a special test version of Firefox that has been modified to allow for easier EV testing
== Success ==
* You will set an environment variable that is effective when you execute Firefox
A successful result says: "Status: Success!"
* You will import your own CA certificate into the test browser
Any other text indicates a failure.
* You will find a directory on your system that contains the test browser's configuration files
* You will prepare a special configuration file that instructs the browser to treat your issued certificates as EV verified
* You will prepare a test server that uses a matching certificate and sends all required intermediate certificates
* You will make sure that your OCSP server is configured correctly, in particular, the signing certificate used by your OCSP server is conforming to specifications
* You will test the above until you get a successful test result.
* If you need help with the above, you may pay an IT person to help you.


= Details =
== Test Failure? ==


== Test version ==
The purpose of this test is to make sure you have set up EV according to the [https://www.cabforum.org/documents.html EV Guidelines], so make sure you have not taken short-cuts like issuing the test cert directly from the root.
You can download the test version for various operating systems from https://kuix.de/mozilla/browser-ca-ev-testing/. After downloading, extract and run this experimental browser. The application file is called "Minefield", and when you start this experimental browser it should say "Minefield" as the leftmost pull-down menu (instead of Firefox).
* If you get ''Error: Could not initiate scan'', then wait for 3 minutes before trying again.
* If you get ''SEC_ERROR_BAD_DATA'', then the program does not like the format of the data you entered. For instance, if you have extra spaces or characters before or after the TLS Server URL, EV Policy OID, or in the Root Certificate PEM.
* The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test.
* OCSP must work without error for the intermediate certificates.
* The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID.
** SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate being sent by the server doesn't have a certificate policies extension
** SEC_ERROR_EXTENSION_NOT_FOUND may mean that the certificate being sent by the server doesn't contain the specified policy OID.
* If the test website cannot be reached by the server hosting the tool, check to see if you have a firewall preventing access.
* Still failing?  Try testing with https://certificate.revocationcheck.com/ because frequently resolving the errors listed on that page will resolve problems with EV testing.


== Environment variable ==
== About the Testing Tool ==
You must set the following environment variable. It must be effective when the browser software runs:
The code for the Testing Tool is here: https://github.com/mozilla/CCADB-Tools/tree/master/evReady


ENABLE_TEST_EV_ROOTS_FILE=1
The Testing Tool...
 
* Can be run on your local computer for debugging, see https://github.com/mozilla/CCADB-Tools/blob/master/evReady/README.md
== Import your root CA ==
* Runs a program on a remote computer rather than the user's browser, so it should work with any browser/version.  
You should be able to use the browser's menus and preferences to find the certificate manager, import it as a new Certificate Authority, and set the necessary trust flags (include trust for web sites).
* Does not interact with the user's profile, so the user does not need to import the root certificate in order to run the tool. The web server must serve up the intermediate cert(s) along with the end-entity cert.
 
== Profile / Configuration directory ==
You will use public Internet resources to learn about the location of Firefox configuration files on your test computer.
(e.g. on a GNU/Linux system this might be in /home/$USER/.mozilla/firefox/*default, on Mac OS X ~/Library/Application Support/Firefox/Profiles/*.default)
The directory contains files named bookmarks.html and prefs.js, this information might help you in locating the correct directory.
 
== Enable your root for EV ==
Inside the directory you have identified in the previous step, you will create a new ASCII test file, with filename '''test_ev_roots.txt'''
You will create appropriate lines that will enable your root certificate for EV.
Technical information can be found in page [[PSM:EV_Testing]]
 
The tricky technical part is producing an ASCII-encoded representation of the DER encoding of your certificate issuer name and its serial number.
 
We are willing to help you produce those technical representation.
If you have started the formal process to request being added to the Mozilla root store, and have attached your root to a bugzilla bug, you may ask us to produce it for you.
 
== Testing ==
Once you have the above preparation steps done, use the browser to open the web page of your test server.
If you have done everything correctly, and your OCSP infrastructure meets the expectations, you will see the green EV identity bar.
 
Once you can report success with your experiments, a Mozilla engineer will repeat your testing in order to confirm your results.
 
=== Not Getting EV Treatment? ===
 
* OCSP must work without error for the intermediate certificates. A failed OCSP response will result in EV treatment not being given. For more information see: https://wiki.mozilla.org/CA:EV_Revocation_Checking#Requirements
* All of the characters have to be capitalized in the SHA1 Fingerprint in the test_ev_roots.txt file.

Latest revision as of 16:53, 9 November 2023

This page is for Certificate Authorities (CAs) who request to have a root certificate enabled for Extended Validation (EV) treatment, and need to test that their CA hierarchy is ready for EV treatment.

Before requesting EV treatment, CAs should understand how Firefox processes EV certificates and ensure that they are using the CA/Browser Forum EV OID (2.23.140.1.1), which Mozilla requires.

To request that your root certificate be included in NSS and enabled for EV treatment, see Mozilla's application process.

This page explains how you can test that your certificates and OCSP infrastructure are working correctly according to the expectations of Mozilla, Firefox, and the NSS library; and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software.)

EV-Readiness Check

To test your CA hierarchy to see if it is ready to request EV treatment:

  1. Browse to
  2. Enter the URL to the test website for the EV certificate
  3. Enter the EV Policy OID
    • Example: 2.23.140.1.1
  4. Enter the PEM data for the root certificate, or use the "Browse..." button to select the PEM file for the root certificate (ending of file may be .pem or .cert)
  5. Click on "Submit"

Success

A successful result says: "Status: Success!" Any other text indicates a failure.

Test Failure?

The purpose of this test is to make sure you have set up EV according to the EV Guidelines, so make sure you have not taken short-cuts like issuing the test cert directly from the root.

  • If you get Error: Could not initiate scan, then wait for 3 minutes before trying again.
  • If you get SEC_ERROR_BAD_DATA, then the program does not like the format of the data you entered. For instance, if you have extra spaces or characters before or after the TLS Server URL, EV Policy OID, or in the Root Certificate PEM.
  • The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test.
  • OCSP must work without error for the intermediate certificates.
  • The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID.
    • SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate being sent by the server doesn't have a certificate policies extension
    • SEC_ERROR_EXTENSION_NOT_FOUND may mean that the certificate being sent by the server doesn't contain the specified policy OID.
  • If the test website cannot be reached by the server hosting the tool, check to see if you have a firewall preventing access.
  • Still failing? Try testing with https://certificate.revocationcheck.com/ because frequently resolving the errors listed on that page will resolve problems with EV testing.

About the Testing Tool

The code for the Testing Tool is here: https://github.com/mozilla/CCADB-Tools/tree/master/evReady

The Testing Tool...

  • Can be run on your local computer for debugging, see https://github.com/mozilla/CCADB-Tools/blob/master/evReady/README.md
  • Runs a program on a remote computer rather than the user's browser, so it should work with any browser/version.
  • Does not interact with the user's profile, so the user does not need to import the root certificate in order to run the tool. The web server must serve up the intermediate cert(s) along with the end-entity cert.
Retrieved from "https://wiki.mozilla.org/index.php?title=PSM:EV_Testing_Easy_Version&oldid=1248901"