PSM:EV Testing Easy Version: Difference between revisions

From MozillaWiki
= Details =


== Test version ==
== Download Debug Version of Firefox==
You can download the test version for various operating systems from https://kuix.de/mozilla/browser-ca-ev-testing/. After downloading, extract and run this experimental browser. The application file is called "Minefield", and when you start this experimental browser it should say "Minefield" as the leftmost pull-down menu (instead of Firefox).
 
To download a debug version of Firefox:
# Browse to ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/
# Scroll down to mozilla-release-<platform>-debug and select the folder that matches the platform you are working on. Make sure you select a folder whose name ends in "debug".
# Download any of the recent builds in the list.
#* [https://support.mozilla.org/en-US/kb/install-firefox-linux Linux Platform] - use the .tar.bz2 file.
#* [https://support.mozilla.org/en-US/kb/install-firefox-mac Mac Platform] - use the .dmg file.
#* [https://support.mozilla.org/en-US/kb/install-firefox-windows Windows Platform] - use the installer.exe file.
# After downloading, extract and run this debug browser, which will be called FirefoxNightlyDebug.


== Environment variable ==

Revision as of 18:01, 24 September 2013

This page is for Certificate Authorities (CAs) who request to have a root certificate enabled for Extended Validation (EV) treatment, and need to test that their CA hierarchy is ready for EV treatment.

To request that your root certificate be included in NSS and enabled for EV treatment, start with the Mozilla CA Certificate Policy and the How to Apply guidelines.

This page explains how you can test that your certificates and OCSP infrastructure work correctly according to the expectations of Mozilla, Firefox, and the NSS library, and conform to the SSL protocol specifications (as interpreted by Mozilla/NSS software).

Overview

To perform this test you will:

  • Use a debug version of Firefox that has been modified to allow for EV testing
  • Set an environment variable that is effective when you execute Firefox
  • Import your own CA root certificate into the Firefox browser
  • Find a directory on your system that contains the Firefox browser's configuration files
  • Prepare a special configuration file that instructs the browser to treat your certificates as EV verified
  • Prepare a test server that uses a matching certificate and sends all required intermediate certificates
  • Make sure that your OCSP server is configured correctly, in particular that the signing certificate used by your OCSP server conforms to specifications
  • Test the above until you get a successful test result

Details

Download Debug Version of Firefox

To download a debug version of Firefox:

  1. Browse to ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/
  2. Scroll down to mozilla-release-<platform>-debug and select the folder that matches the platform you are working on. Make sure you select a folder whose name ends in "debug".
  3. Download any of the recent builds in the list.
  4. After downloading, extract and run this debug browser, which will be called FirefoxNightlyDebug.

Environment variable

You must set the following environment variable. It must be effective when the browser software runs:

ENABLE_TEST_EV_ROOTS_FILE=1 

Import your root CA

You should be able to use the browser's menus and preferences to find the certificate manager, import your root certificate as a new Certificate Authority, and set the necessary trust flags (including trust for web sites).

Profile / Configuration directory

You will use public Internet resources to learn the location of the Firefox configuration files on your test computer (e.g. on a GNU/Linux system this might be /home/$USER/.mozilla/firefox/*default, and on Mac OS X ~/Library/Application Support/Firefox/Profiles/*.default). The directory contains files named bookmarks.html and prefs.js; this information might help you locate the correct directory.

Note: on Mac OS X Mountain Lion the Library folder is hidden. To find it, go into Finder, click on the "Go" pull-down menu while holding the Option key and select "Library." From Terminal the following command will make the hidden Library folder visible: chflags nohidden ~/Library. To hide the Library folder again type the following command: chflags hidden ~/Library

Enable your root for EV

Inside the directory you identified in the previous step, create a new ASCII test file named test_ev_roots.txt. In it, you will create the lines that enable your root certificate for EV. Technical information can be found on the page PSM:EV_Testing.

The tricky technical part is producing an ASCII-encoded representation of the DER encoding of your certificate issuer name and its serial number.

We are willing to help you produce that technical representation. If you have started the formal process to request being added to the Mozilla root store, and have attached your root to a Bugzilla bug, you may ask us to produce it for you.
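As an added illustration (not part of the original wiki page or of Mozilla's tooling), the following Python sketch pulls the issuer name and serial number out of a DER-encoded certificate and prints each as ASCII text. Assumptions: base64 is used as the ASCII encoding, the issuer is emitted as the complete DER Name and the serial as the INTEGER's content octets, and the sample certificate is a constructed skeleton; the exact line format of test_ev_roots.txt is defined on PSM:EV_Testing and is not reproduced here.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_serial(cert_der):
    """Return (issuer Name as a complete DER TLV, serial INTEGER content octets)."""
    tag, pos, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    tag2, pos, _ = read_tlv(cert_der, pos)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        tag, start, end = read_tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = cert_der[start:end]
    _, _, issuer_at = read_tlv(cert_der, end)  # skip signature AlgorithmIdentifier
    tag, _, issuer_end = read_tlv(cert_der, issuer_at)
    if tag != 0x30:
        raise ValueError("issuer Name not found")
    return cert_der[issuer_at:issuer_end], serial

def ascii_encode(cert_der):
    """Base64 both values (assumption: base64 is the ASCII encoding wanted)."""
    issuer, serial = issuer_and_serial(cert_der)
    return base64.b64encode(issuer).decode(), base64.b64encode(serial).decode()

# Constructed sample: a certificate skeleton (version, serial, algorithm, issuer only).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body      # short-form lengths only (< 128)

SAMPLE_NAME = tlv(0x30, tlv(0x31, tlv(0x30,
    tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Example Test Root"))))
SAMPLE_CERT = tlv(0x30, tlv(0x30,
    tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes.fromhex("01a2b3"))
    + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    + SAMPLE_NAME))

if __name__ == "__main__":
    print(ascii_encode(SAMPLE_CERT))
```

To use it on a real root, read the certificate file in DER form (convert from PEM first if necessary) and pass the bytes to ascii_encode.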

Testing

Once you have the above preparation steps done, open the "Minefield" test browser and browse to the web page of your test server. If you have done everything correctly, and your OCSP infrastructure meets the expectations, you will see the green EV identity bar.

Attach a screenshot to the bug that shows the green EV identity bar for your web page in the "Minefield" test browser.

Not Getting EV Treatment?