CA:TestErrors
Test Errors
This page lists errors that CAs run into while doing the testing required for root inclusion/change requests, the meaning of those errors, and recommended resolution. Please add to this wiki page as you run into test errors that are not listed.
Revocation Testing Errors
Revocation Test: Browse to http://certificate.revocationcheck.com/ and enter the Test Website URL. Make sure there are no errors listed in the output.
CA/Browser Forum Baseline Requirement Errors
CAs MUST check that they are not issuing certificates that violate any of the CA/Browser Forum Baseline Requirements (BRs). Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs by performing the following tests.
- CA/Browser Forum Compliance: Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root certificate. Then click on the 'Search' button. Then click on the 'Run cablint' link. All errors must be resolved/fixed. Warnings should also be either resolved or explained.
- Cert chain of test website: Browse to https://cert-checker.allizom.org/ and enter the test website and click on the 'Browse' button to provide the PEM file for the root certificate. Then click on 'run certlint'. All errors must be resolved/fixed. Warnings should also be either resolved or explained.
| Error | Meaning | Recommended Resolution | Related Bug |
|---|---|---|---|
| Generalized Time before 2050 | Certificates do not conform to section 4.1.2.5 of RFC 5280 regarding when to use UTCTime and when to use GeneralizedTime. | Any dates before 2050 must be encoded as UTCTime. It doesn't look like mozilla::pkix enforces this, though. We might think about eventually doing so. | bug 999378#c30 |
| CA certificates must include commonName in subject | Not strictly against the Baseline Requirements | Should be a Warning message | 435736#c159 |
| Unallowed key usage for EC public key | "keyEncipherment" is not allowed for EC keys | Section 3 of RFC 5480 (https://tools.ietf.org/html/rfc5480#section-3) defines the keyUsage bits allowed with Elliptic Curve Cryptography Subject Public Key Information. keyEncipherment is not on the list. | 1201423#c20 |
| Unallowed key usage for RSA public key | https://tools.ietf.org/html/rfc5280 page 30 | ??? | bug 636557#c52 |
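
The "Generalized Time before 2050" row can be checked before issuance with a small pre-flight test on the encoded validity dates. The following is an added example, not code from certlint, cablint, or Mozilla; the function names are hypothetical and the sample bytes are constructed for illustration.

```python
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18  # ASN.1 universal tag numbers


def encode_validity_time(dt):
    """DER-encode a notBefore/notAfter value per RFC 5280 section 4.1.2.5."""
    dt = dt.astimezone(timezone.utc)
    if dt.year < 1950:
        # UTCTime's two-digit year only covers 1950-2049 in RFC 5280.
        raise ValueError("year not representable as UTCTime")
    if dt.year < 2050:
        tag, text = UTC_TIME, dt.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ")
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body


def lint_validity_time(tlv):
    """Return a list of findings for one DER time TLV taken from Validity."""
    if len(tlv) < 2 or tlv[1] != len(tlv) - 2:
        return ["malformed TLV"]
    tag, text = tlv[0], tlv[2:].decode("ascii", "replace")
    if tag == UTC_TIME:
        # RFC 5280 requires seconds and a trailing Z: YYMMDDHHMMSSZ
        if len(text) != 13 or not text.endswith("Z") or not text[:12].isdigit():
            return ["UTCTime must be YYMMDDHHMMSSZ"]
        return []
    if tag == GENERALIZED_TIME:
        # RFC 5280 requires YYYYMMDDHHMMSSZ with no fractional seconds
        if len(text) != 15 or not text.endswith("Z") or not text[:14].isdigit():
            return ["GeneralizedTime must be YYYYMMDDHHMMSSZ"]
        if int(text[:4]) < 2050:
            return ["Generalized Time before 2050"]
        return []
    return ["not a time type"]


if __name__ == "__main__":
    # Constructed sample: notAfter of 2030-01-01 wrongly encoded as GeneralizedTime
    bad = b"\x18\x0f20300101000000Z"
    print(lint_validity_time(bad))
    fixed = encode_validity_time(datetime(2030, 1, 1, tzinfo=timezone.utc))
    print(fixed, lint_validity_time(fixed))
```
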