PSM:EV Testing Easy Version: Difference between revisions
Revision as of 13:56, 30 November 2010
This page is for Certificate Authorities (CAs) who request to have a root certificate enabled for Extended Validation (EV) treatment (the "green identity" bar showing country code and company names).
However, this page is unrelated to the organizational process of obtaining permission to be added. If you haven't yet applied for inclusion, start with the Mozilla CA Certificate Policy.
This page is a technical page related to testing only. It explains how you can test that your CA certificate and your OCSP infrastructure are working correctly according to the expectations of Mozilla, Firefox, and the NSS library, and that they conform to the SSL protocol specifications (as interpreted by Mozilla/NSS software).
You (the CA) are requested to perform tests on your own, and only after you have obtained positive test results should you proceed to request the technical addition.
Overview
- You will use a special test version of Firefox that has been modified to allow for easier EV testing
- You will set an environment variable that is effective when you execute Firefox
- You will import your own CA certificate into the test browser
- You will find a directory on your system that contains the test browser's configuration files
- You will prepare a special configuration file that instructs the browser to treat your issued certificates as EV verified
- You will prepare a test server that uses a matching certificate and sends all required intermediate certificates
- You will make sure that your OCSP server is configured correctly; in particular, the signing certificate used by your OCSP server must conform to specifications
- You will test the above until you get a successful test result.
- If you need help with the above, you will pay an IT person to help you.
Details
Test version
You can download the test version for various operating systems from #### You must understand how to download, extract and run this experimental browser.
Environment variable
You must set the following environment variable. It must be effective when the browser software runs:
ENABLE_TEST_EV_ROOTS_FILE=1
Import your root CA
You should be able to use the browser's menus and preferences to find the certificate manager, import your root certificate as a new Certificate Authority, and set the necessary trust flags (including trust for web sites).
Profile / Configuration directory
You will use public Internet resources to learn about the location of Firefox configuration files on your test computer. (e.g. on a GNU/Linux system this might be in /home/$USER/.mozilla/firefox/*default )
Enable your root for EV
Inside the directory you have identified in the previous step, you will create a new ASCII test file, with filename test_ev_roots.txt. You will create appropriate lines that will enable your root certificate for EV. Technical information can be found on the page PSM:EV_Testing.
The tricky technical part is producing an ASCII-encoded representation of the DER encoding of your certificate issuer name and its serial number.
We are willing to help you produce those technical representations. If you have started the formal process to request being added to the Mozilla root store, and have attached your root to a bugzilla bug, you may ask us to produce it for you.
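As an added illustration (not part of the original page and not Mozilla's code), the following sketch pulls the issuer name and serial number out of a DER-encoded certificate and prints them in ASCII form. It assumes that "ASCII-encoded" means base64 and that the serial is given as the value octets of the INTEGER; the exact line format of test_ev_roots.txt is defined on PSM:EV_Testing, and all function names and the sample bytes here are hypothetical.

```python
import base64

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of input")
    return tag, pos, pos + length

def issuer_and_serial(cert_der):
    """Return (issuer Name as a full DER TLV, serialNumber value octets)."""
    _, pos, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)      # tbsCertificate ::= SEQUENCE
    tag, start, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version (absent in v1)
        tag, start, end = read_tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = cert_der[start:end]
    _, _, alg_end = read_tlv(cert_der, end)  # skip the signature AlgorithmIdentifier
    tag, _, name_end = read_tlv(cert_der, alg_end)
    if tag != 0x30:
        raise ValueError("issuer Name SEQUENCE not found")
    return cert_der[alg_end:name_end], serial

def ev_test_values(cert_der):
    """Base64 forms of the issuer and serial (the encoding is an assumption)."""
    issuer, serial = issuer_and_serial(cert_der)
    return {"issuer": base64.b64encode(issuer).decode("ascii"),
            "serial": base64.b64encode(serial).decode("ascii")}

def der(tag, *parts):                        # sample builder: bodies under 128 bytes only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed sample: a certificate prefix cut off after the issuer field, not a real cert.
SAMPLE_ISSUER = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403"),
                                        der(0x0C, b"Example Test Root"))))
SAMPLE_CERT = der(0x30, der(0x30, bytes.fromhex("a003020102"), bytes.fromhex("0203010001"),
                            bytes.fromhex("300d06092a864886f70d01010b0500"), SAMPLE_ISSUER))

if __name__ == "__main__":
    print(ev_test_values(SAMPLE_CERT))
```

To run it on your own root, read the certificate file in DER form (not PEM) and pass the bytes to ev_test_values.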