Mozilla's CA Certificate Program

Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. The program is overseen by the module owner and peers of the CA Certificates Module; the policy itself is overseen by the module owner and peers of the CA Certificate Policy Module. Here are a few blog posts that describe the Mozilla CA Certificate Program in further detail:

• Why Does Mozilla Maintain a Root Store?
• How to use Mozilla's Root Store properly

Policy

• Root Store Policy (current stable version: 3.0)

• Root Store Policy Archive
  • Blog Posts Regarding Policy Updates (MRSP v.3.0, MRSP v.2.9, MRSP v.2.8, MRSP v.2.7.1, 398-day validity periods, MRSP v.2.7, MRSP v.2.6, MRSP v.2.5, MRSP v.2.4, MRSP v.2.2)

• CA Communications and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy.
  • Blog Posts Regarding CA Communications (May 2020, Jan. 2020, Sept. 2018, Nov. 2017, Mar. 2016, May 2015)

• Process for updating the Root Store Policy
  • Root Store Policy Issue Tracker
  • Issues for next version (3.1) of Root Store Policy (will become the next version)

Lists of CAs and Certificates

• Data Usage Terms
• Included CAs (in the Root Program and in Firefox)
• Included CA Certificates
• Intermediate Certificates
  • Improving the Quality of Publicly Trusted Intermediate CA Certificates with Enhanced Oversight and Automation
  • Preloading Intermediate CA Certificates into Firefox
• Removed CA Certificates
• NSS Release Versions - shows in which version of Mozilla products each root certificate was first available
• Additional Trust Policies - describes trust policies enforced by PSM in Firefox and Thunderbird, but not represented in the NSS root store.

Program Administration

Most information relating to the administration of our program is stored either in Bugzilla or in the Common CA Database.

• Bugzilla Bug Triage Process - also lists whiteboard tags
• Certificate Change Request Dashboard - tracks applications and trust changes through the process in Bugzilla
• Certificate Change Requests as tracked in the CCADB
• Incident and Compliance Dashboard
• CA Issues Lists
• Dashboard of CCADB Enhancement Requests
  • Email Templates used by CCADB

crt.sh

• Disclosure status of all certificates known to CT
• Problematic certificates issued in the past week known to CT
• Test Websites for Roots enabled with Mozilla's websites trust bit
• Mozilla's OneCRL

Information for Auditors

• CCADB information for Auditors
• Audit Statement Requirements
• Audit Letter Validation in CCADB
• Auditor Qualifications
• Auditor Compliance Dashboard
• Guidance on doing Baseline Requirements audits
• Transition guidance for auditing to the S/MIME BRs
• Mistakes we have seen auditors make and their consequences

Information for CAs

• CCADB Login
• List of CAA Identifiers (used to restrict issuance of certificates to specific CAs via a DNS Certification Authority Authorization Resource Record)

Compliance

• Forbidden or Problematic CA Practices
• Required or Recommended CA Practices
• Maintenance and Enforcement
• Responding to an Incident (such as a misissuance)
• Lessons Learned - common compliance issues and proactive measures to prevent them
• Disclosing a Vulnerability or Security Incident

Root Inclusion

• Prioritization Criteria for Processing Root Inclusion Requests
• Application Process for Mozilla's Root Program
  • CA Information Checklist
  • Quantifying Value: Information Expected of New Applicants
  • Compliance Self Assessment
    • Previous reviews of CP/CPS documents

• Subordinate CA Information Checklist
• Approval Process for Externally Operated Subordinate CAs
• Root Inclusion Considerations -- This page is intended to be used as a tool for identifying when a CA Operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store.

Root Removal and Other Root Changes

• Change or Remove an Included Root Certificate
• Root CA Lifecycles

Revocation

• Revocation Reasons for TLS Server Certificates
  • Revocation Reasons Blog Post
• Delayed Revocation Incidents
• Guidance for Complying with MRSP 6.1.3 - Mass Revocation Planning

How Firefox Works

• How Firefox Performs Certificate Verification and path construction
• How Firefox Processes EV Certificates
• How Firefox Performs Revocation Checking

Tools to Check Certificates

• SSL Labs Server Quality Checker
• Mozilla SSL Server Quality Checker
• EV Readiness Test
• Certificate Viewer -- can also be installed/run locally (see ReadMe)
• Certificate Revocation Checker (also checks CRL and OCSP server quality and compliance)
  • Explanation of errors encountered during certificate testing

Certificate Linters

• PKI Meta-Linter Access multiple linters via a single REST API call
• PKI Lint Tool for TLS & S/MIME - GitHub
• BR Lint Certificate Test - GitHub
• ZLint - Certificate Test of Mozilla's and others' requirements - GitHub
• X.509 Lint Certificate Test - GitHub

Information for the Public

• Glossary of CA and Certificate Terminology
• Why Does Mozilla Maintain Our Own Root Certificate Store?
• What is the Common CA Database (CCADB)?
• FAQ About Certificates and CAs
• List of CA problem reporting mechanisms (email, etc.) (use this to report a certificate problem directly to the CA)
• Report an Incident to Mozilla (be sure to click the "Security" checkbox if it is a security-sensitive incident)

Configuring Firefox

• How to install your own root certificate in Firefox
  • Manually import a root certificate into Firefox
• Changing Certificate Trust Settings in Firefox

Discussion Forums

The following public forums are relevant to CA evaluation and related issues.

CCADB

• [https://groups.google.com/a/ccadb.org/g/public CCADB Public mailing list is used to conduct a six-week public discussion of CA root inclusion requests and to discuss important lessons learned from CA incident reports. See https://www.ccadb.org/cas/public-group for more information.

MDSP

• Mozilla's dev-security-policy (MDSP) mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. If you are a regular participant in MDSP, then please add your name to the Policy Participants page.

Other MDSP Mail Archives

• New MDSP Messages (since August 2021)

(HTML): https://www.mail-archive.com/dev-security-policy@mozilla.org/

(RSS): https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml

• Old MDSP Messages (until April 2021)

(HTML): https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/

(RSS): https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/maillist.xml

Other Forums

• Mozilla's dev-tech-crypto mailing list is used for discussions of the NSS cryptographic library used in Firefox and other Mozilla-based products, as well as the PSM module that implements higher-level security protocols for Firefox.
• For other discussions of Mozilla security issues:
  • Mozilla's Security Web forum is a place to discuss information security work in the open source space, where Mozilla is empowering users to build and curate a Healthy Internet.
  • Mozilla's privacy-and-security forum is a place to discuss issues and questions specific to privacy and security.
  • chat on Matrix may also be used