This page is for Certificate Authorities (CAs) who request to have a root certificate enabled for Extended Validation (EV) treatment (the "green identity" bar showing country code and company names).

However, this page is unrelated to the organizational process of obtaining permission to be added. If you haven't yet applied for inclusion, start with the Mozilla CA Certificate Policy.

This page is a technical page related to testing, only. It explains how you can test that your CA certificate and your OCSP infrastructure is working correctly according to the expectations of Mozilla, Firefox, the NSS library, and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software.)

You (the CA) are requested to perform tests on your own, and only after you got positive test results you should proceed to request the technical addition.

Overview

• You will use a special test version of Firefox that has been modified to allow for easier EV testing
• You will set an environment variable that is effective when you execute Firefox
• You will import your own CA certificate into the test browser
• You will find a directory on your system that contains the test browser's configuration files
• You will prepare a special configuration file that instructs the browser to treat your issued certificates as EV verified
• You will prepare a test server that uses a matching certificate and sends all required intermediate certificates
• You will make sure that your OCSP server is configured correctly, in particular, the signing certificate used by your OCSP server is conforming to specifications
• You will test the above until you get a successful test result.
• If you need help with the above, you will pay an IT person to help you.