CA:CommonCADatabase: Difference between revisions
Edit summaries of the compared revisions: m (Removed DRAFT heading); (Added Audit Case instructions)
Revision as of 17:12, 9 January 2017
Common CA Database (CCADB)
Historically, Certification Authorities (CAs) have had to separately submit data to multiple, individual root store operators, resulting in inefficiency and duplication of effort. Mozilla maintains a CRM instance for communicating with CAs and managing CA data, called the Common CA Database (CCADB), which was originally referred to as the CA Community in Salesforce. Through the CCADB, our goal is to enable CAs to directly provide updates to all participating root store operators at once, and to reduce duplication of effort across the root store programs.
- A Root Store Member is any root store operator participating in the Common CA Database via the Mozilla Common CA Database Agreement (File:MozillaCommonCADatabaseAgreement.pdf).
- A CA Member is any CA participating in the Common CA Database via a Community License. CA Members have read-only access to all root certificate data; are able to enter and modify data regarding intermediate certificates chaining up to their own root certificates; and are able to create Audit Cases to report their updated Audit, CP, CPS, and test website URLs each year.
Request a license
CA Community Licenses are granted to CAs in the root store programs of participating root store operators. You only need one CA Community License to access the CCADB data relating all participating root store programs.
To request a license:
- Specific instructions for CAs in Microsoft's CA Program -- TO DO - ADD LINK AND OR TEXT
- Specific instructions for CAs in Mozilla's CA Program
- Send email to certificates@mozilla.org with your name and the name of the CA you represent.
Getting Started
After you receive email with your CA Community License, you may login to the Common CA Database as follows:
- Browse to: https://mozillacacommunity.force.com/ --- TO DO: Update this page to say "Common CA Database" instead of "mozilla".
- Enter your Username: the email address for which your Community User License was issued
- Enter the Password that you set up during first access
- Click on the "Log in to CA Community" button
Upon initial login you will see a row with six tabs:
- Home
- CA Owners/Certificates
  - Click on the "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". This will list the CA Owner and all of the root and intermediate certificates associated with your account. Click on the "CA Owner/Certificate Name" to view the record. Within the record you will see an Account Hierarchy section, where you can click on each root or intermediate certificate record to view the data.
- Contacts
  - Click on the "Contacts" tab, then in "View:" select "All Contacts" and click on "Go!". Click on the Name to view the contact record.
- Cases
  - Click on the "Cases" tab, then "My Cases" and click on "Go!".
- CA Communications (Page)
  - This may be used when a root store operator polls their CA members for information.
- Reports
  - Click on the "Reports" tab, then click on the "CA Community Reports" link along the left column, then click on one of the reports in the list. Whenever you click on the "Reports" tab it will list the reports that you have recently viewed. You will need to click on the "CA Community Reports" link to see all of the reports that are available to you.
Important Notes:
- Each Owner/Certificate record has a "CA Owner/Certificate Name" field. For a certificate record, the value of this field is usually the Certificate Subject Common Name of the certificate. For a CA Owner record, this field displays the CA's name. (We cannot change the title of the field in the page, due to the way we are using it in the CRM.)
- Each Certificate record has a "Parent CA Owner/Certificate" field. For an intermediate certificate record the value of the field should be the Certificate Issuer Common Name. For a root certificate record the value of the field will be the name of the CA owner. (We cannot change the title of the field in the page, due to the way we are using it in the CRM.)
- CA Community Users cannot modify the records for: Owner, Root Certificate, and Contact. Only the Root Store Members can modify these records.
- CA Community Users can only modify the intermediate certificate records for their CA.
- When PEM data is provided, the certificate details in the record may not be modified.
PEM Data
PEM data is used to enter root and intermediate certificate data into the CCADB. PEM is a container format defined in RFCs 1421 through 1424; as used within the CCADB it includes just the public certificate. PEM actually stands for Privacy Enhanced Mail, but the container format it uses is a base64 encoding of the X.509 ASN.1 (DER) certificate data.
Mozilla's TLS Observatory Certificate Explainer may be used to get the PEM format of the certificate.
- https://tls-observatory.services.mozilla.com/static/certsplainer.html
- In the 'Post a certificate' section click on the 'Browse...' button to select a .cer, .crt, .cert, or .pem file
- Check the top of the window to make sure there are no errors listed, and that the desired certificate has been found.
- The data in the text box in the 'Post a certificate' section is the PEM.
- Copy and paste the entire PEM blob, which starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
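A small sanity check for the PEM blob before it is pasted into the CCADB, as an added example (not part of the original page or of the CCADB itself). It checks for exactly one BEGIN/END CERTIFICATE pair with nothing outside the markers, a clean base64 body, and an outer DER SEQUENCE whose declared length matches the decoded size, which catches a truncated or doubled paste. The sample DER is a constructed stand-in (SEQUENCE { INTEGER 5 }) rather than a real certificate; the outer framing a real certificate uses is the same.

```python
import base64
import binascii
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_length(buf: bytes, pos: int):
    """Decode the DER length field starting at buf[pos].

    Returns (length, number_of_bytes_consumed). Handles the short form
    (one byte < 0x80) and the long form (0x81..0x84 followed by 1..4 bytes)."""
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("invalid DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def check_pem_certificate(pem: str) -> dict:
    """Sanity-check a single PEM certificate blob.

    Returns {'ok': bool, 'problems': [str], 'der_len': int}."""
    problems = []
    text = pem.strip()
    if text.count(PEM_BEGIN) != 1 or text.count(PEM_END) != 1:
        problems.append("expected exactly one BEGIN/END CERTIFICATE pair")
        return {"ok": False, "problems": problems, "der_len": 0}
    if not text.startswith(PEM_BEGIN):
        problems.append("text before the BEGIN marker")
    if not text.endswith(PEM_END):
        problems.append("text after the END marker")
    body = text[text.index(PEM_BEGIN) + len(PEM_BEGIN):text.index(PEM_END)]
    b64 = "".join(body.split())  # PEM wraps the base64 at 64 characters per line
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        problems.append("body contains characters outside the base64 alphabet")
        return {"ok": False, "problems": problems, "der_len": 0}
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        problems.append(f"base64 decoding failed: {exc}")
        return {"ok": False, "problems": problems, "der_len": 0}
    # 0x30 is the ASN.1 SEQUENCE tag; an X.509 Certificate is an outer SEQUENCE.
    if not der or der[0] != 0x30:
        problems.append("decoded data does not start with a DER SEQUENCE")
    else:
        try:
            length, consumed = der_length(der, 1)
            if 1 + consumed + length != len(der):
                problems.append("DER length does not match decoded size (truncated or extra data)")
        except (ValueError, IndexError):
            problems.append("malformed DER length field")
    return {"ok": not problems, "problems": problems, "der_len": len(der)}


def pem_wrap(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate blob with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END])


# Constructed stand-in for certificate DER: SEQUENCE { INTEGER 5 }.
SAMPLE_DER = bytes.fromhex("3003020105")
GOOD_PEM = pem_wrap(SAMPLE_DER)
TRUNCATED_PEM = pem_wrap(SAMPLE_DER[:-1])  # simulates an incomplete paste

if __name__ == "__main__":
    for label, blob in (("good", GOOD_PEM), ("truncated", TRUNCATED_PEM)):
        print(label, check_pem_certificate(blob))
```

The length check is the part worth keeping: a blob that decodes cleanly can still be missing its tail, and the outer SEQUENCE length is the cheapest way to notice that without a full X.509 parser.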
Updating Audit Information
All Root Store Members require their CAs to provide, annually, updated attestation statements of their conformance to the stated verification requirements and other operational criteria, issued by a competent independent party or parties, as outlined in the CA/Browser Forum Baseline Requirements and in each root store operator's policies.
How To Provide Annual Updates
Instructions for CAs to provide their annual updates via the Common CA Database (CCADB):
- Login to the CCADB.
- Navigate to the CA Owner Record for your CA.
- Scroll down to the 'Cases' section and click on the 'New Case' button.
- Click on the 'Record Type of new record' field and select "CA Audit Update Request".
- Click on the 'Continue' button. This will begin a new Audit Case.
- In the new Audit Case, the 'Subject' will be automatically filled in when you click on the 'Save' button, so leave it blank to begin with.
- Enter the audit and CP/CPS information, then click on the 'Save' button. You may click on 'Edit' and 'Save' as many times as you need to get all of your information entered.
  - Important: The audit statement links must point to PDF files that are smaller than 25 MB.
  - Important: The audit statement links must change each year, so that the audit archiving will pick up the new version of the files.
  - Explanation of Audit Information fields
  - Explanation of CP/CPS Information fields
- After you have provided the audit and CP/CPS information, you will need to tell us which root certificates are covered by these audits...
- In the Audit Case page, scroll down to the 'Root Cases' section, and click on the 'Add Root Cert For This Audit Info' button. This will start a new Root Case.
- In the Root Case page, click on the search icon next to the 'Included Certificate' field.
- Type in the first two characters of the root certificate name for a root certificate in the provided audit statements, followed by "*", then click on the 'Go!' button. You will only be able to find root certificate records that chain up to your CA Owner record.
- In the 'Select all that apply to the included Root' section, click on the appropriate boxes to show which audit statements cover the selected root certificate.
- Click on the 'Save' button.
- If the Websites trust bit is enabled for this root certificate, then you need to also provide the URLs to the test websites:
  - Click on the 'Edit' button
  - Enter the URLs to the test websites
  - Click on the 'Save' button
  - You may click on the 'Edit' and 'Save' buttons as many times as you need to get the necessary information filled in.
- Click on the 'Case No' to go back to the main Audit Case page.
- Click on the 'Add Root Cert For This Audit Info' button and repeat the above steps to add as many Root Cases as needed, corresponding to the root certificates that are covered in the audit statements.
Helpful Hints:
- Before starting this process, it may be helpful to open another window showing your CA's Account Hierarchy, so you can easily see which root certificates need to be accounted for (i.e. in the audit statements). Navigate to your CA Owner record or any of your root or intermediate cert records, go to the 'Account Hierarchy' section, and right-click on any of the record names and 'Open Link in New Window'.
- In the Root Case page, when you click on the search icon next to the 'Included Certificate' field, the default list will be the records that you recently viewed.
What Happens Next?
After you create the Audit Case and corresponding Root Cases, a root store operator will review and verify the information. Here's what they will look for:
- Audit statement links point to PDF files, and are new links (so audit archiving will pick up the new audits)
- If the audit statement is not on the webtrust.org site or the auditor's site, independently contact the auditor to confirm the authenticity of the audit statements
- Confirm that the dates all match the dates listed in the audit statement
- Audit Statement Date must be either the date of the audit statement or 90 days from the end of the audit period (whichever date is closest to the end of the audit period)
- Confirm that all of the root certificates in the corresponding Root Cases are specifically referenced in the audit statements
- Confirm that the test websites have TLS certificates chaining up to the corresponding root certificate specified in the Root Case, and that they function as expected (valid, expired, revoked)
- Confirm that the Auditor is an independent and qualified auditor
- Confirm that the CP/CPS documents provide the necessary information for the corresponding root certificates, including appropriate validation procedures
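The checks above that can be decided from the submitted data alone (PDF links, links changed since last year, the 25 MB limit, the Audit Statement Date rule, and every Root Case root being named in the statement), written out as an added example that is not part of the page or of the CCADB. The field names in the case dictionary are hypothetical, since the page does not give the CCADB's real field names, and the sample case and last year's links are constructed. The auditor-independence and test-website checks need outside contact and live TLS connections, so they are not modelled here.

```python
from datetime import date, timedelta

MAX_AUDIT_PDF_BYTES = 25 * 1024 * 1024  # the 25 MB limit on audit statement files


def expected_audit_statement_date(period_end: date, statement_date: date) -> date:
    """Audit Statement Date rule: the date on the statement, or 90 days after
    the end of the audit period, whichever lies closer to the period end."""
    cutoff = period_end + timedelta(days=90)
    return min((statement_date, cutoff), key=lambda d: abs((d - period_end).days))


def review_audit_case(case: dict, previous_links: set) -> list:
    """Return the findings a reviewer would raise on one Audit Case.

    'case' uses hypothetical keys: audit URLs (*_url), optional file sizes
    (*_url_size_bytes), period_end, statement_date, entered_statement_date,
    root_cases (roots attached as Root Cases) and roots_named_in_statement."""
    findings = []
    for key in ("standard_audit_url", "br_audit_url"):
        url = case.get(key)
        if not url:
            continue
        if not url.lower().endswith(".pdf"):
            findings.append(f"{key}: link does not point to a PDF file")
        if url in previous_links:
            findings.append(f"{key}: link unchanged from last year, so audit archiving will not fetch a new file")
        size = case.get(f"{key}_size_bytes")
        if size is not None and size > MAX_AUDIT_PDF_BYTES:
            findings.append(f"{key}: file exceeds 25 MB")
    expected = expected_audit_statement_date(case["period_end"], case["statement_date"])
    entered = case["entered_statement_date"]
    if entered != expected:
        findings.append(f"Audit Statement Date should be {expected.isoformat()}, not {entered.isoformat()}")
    for root in case["root_cases"]:
        if root not in case["roots_named_in_statement"]:
            findings.append(f"Root Case '{root}' is not referenced in the audit statement")
    return findings


# Constructed sample: one link reused from last year, and one Root Case for a
# root the statement never names. Names and URLs are made up.
SAMPLE_CASE = {
    "standard_audit_url": "https://auditor.example/example-ca-2016-webtrust.pdf",
    "br_audit_url": "https://auditor.example/example-ca-2015-br.pdf",  # stale
    "period_end": date(2016, 9, 30),
    "statement_date": date(2016, 11, 15),
    "entered_statement_date": date(2016, 11, 15),
    "root_cases": ["Example Root CA", "Example Root CA 2"],
    "roots_named_in_statement": {"Example Root CA"},
}
PREVIOUS_LINKS = {
    "https://auditor.example/example-ca-2015-webtrust.pdf",
    "https://auditor.example/example-ca-2015-br.pdf",
}

if __name__ == "__main__":
    for finding in review_audit_case(SAMPLE_CASE, PREVIOUS_LINKS):
        print("-", finding)
```

The date rule is the one that trips people up: a statement dated within 90 days of the period end keeps its own date, while one dated later is recorded as period end plus 90 days, because that is the candidate closest to the end of the audit period.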
When all of the information has been verified for the Audit Case and corresponding Root Cases, a root store operator will click on a 'Sync AuditUpdateInfo' button that will propagate the audit, CP/CPS, and test website data to root certificate records corresponding to each of the Root Cases. The root store operator will be taken through a series of pages that look similar to the 'Mass Update Audit/CP/CPS Data' button on certificate records.
In the updated root certificate records, each time an audit statement link is changed, the corresponding audit archive status is changed to "Not Processed". The next time the File Archive program is run, the audit statement will be imported and saved in the CCADB.