Mozilla's CA Certificate Program
Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products. The program is overseen by the module owner and peers of the CA Certificates Module; the policy itself is overseen by the module owner and peers of the CA Certificate Policy Module.
- Root Store Policy (current stable version: 2.9)
- CA Communications and their responses. Such communications may also set policy in advance of it being included in the Root Store Policy.
- Root Store Policy Archive
- Process for updating the Root Store Policy
- Transition to S/MIME BRs
Lists of CAs and Certificates
- Data Usage Terms
- Included CAs (in the Root Program and in Firefox)
- Included CA Certificates
- Intermediate Certificates
- Removed CA Certificates
- NSS Release Versions - shows in which version of Mozilla products each root certificate was first available
- Additional Trust Policies - describes trust policies enforced by PSM in Firefox and Thunderbird, but not represented in the NSS root store.
- Certificate Change Request Dashboard - tracks applications and trust changes through the process in Bugzilla
- Certificate Change Requests as tracked in the CCADB
- Incident and Compliance Dashboard
- CCADB Dashboard
- Bugzilla Bug Triage Process
- Email Templates used by CCADB
- Disclosure status of all certificates known to CT
- Problematic certificates issued in the past week known to CT
Information for CAs
- CCADB Login
- Responding to an Incident (such as a misissuance)
- Disclosing a Vulnerability or Security Incident
- Application Process for Mozilla's Root Program
- Approval Process for Externally Operated Subordinate CAs
- Change or Remove an Included Root Certificate
- Root CA Lifecycles
- Required or Recommended CA Practices
- Root Inclusion Considerations -- This page is intended to be used as a tool for identifying when a CA Operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store.
- How Firefox Performs Certificate Verification and path construction
- How Firefox Processes EV Certificates
- EV Readiness Test
- PKI Lint Tool for TLS & S/MIME - source code download
- BR Lint Certificate Test - source code download
- ZLint - Certificate Test of Mozilla's and others' requirements - source code download
- X.509 Lint Certificate Test - source code download
- Common Test Errors
Information for Auditors
- Auditor Qualifications
- Auditor Compliance Dashboard
- Guidance on doing Baseline Requirements audits
- Mistakes we have seen auditors make and their consequences
Information for the Public
- Why Does Mozilla Maintain Our Own Root Certificate Store?
- What is the Common CA Database (CCADB)?
- FAQ About Certificates and CAs
- List of CA problem reporting mechanisms (email, etc.) (use this to report a certificate problem directly to the CA)
- Report an Incident to Mozilla (be sure to click the "Security" checkbox if it is a security-sensitive incident)
- Glossary of CA and Certificate Terminology
- Changing Certificate Trust Settings in Firefox
- Certificate Viewer -- can also be installed/run locally (see ReadMe)
- Qualys SSL Server Quality Checker
- Mozilla SSL Server Quality Checker
- How Firefox performs revocation checking
- Certificate Revocation Checker (also checks CRL and OCSP server quality and compliance)
- List of CAA Identifiers (used to restrict issuance of certificates to specific CAs via a DNS Certification Authority Authorization Resource Record)
- How to install your own root certificate in Firefox
The following public forums are relevant to CA evaluation and related issues.
- CCADB Public mailing list (https://groups.google.com/a/ccadb.org/g/public) is used to conduct a six-week public discussion of CA root inclusion requests and to discuss important lessons learned from CA incident reports. See https://www.ccadb.org/cas/public-group for more information.
- Mozilla's dev-security-policy (MDSP) mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. If you are a regular participant in MDSP, then please add your name to the Policy Participants page.
Other MDSP Mail Archives
- New MDSP Messages (since August 2021)
- Old MDSP Messages (until April 2021)
- Mozilla's dev-tech-crypto mailing list is used for discussions of the NSS cryptographic library used in Firefox and other Mozilla-based products, as well as the PSM module that implements higher-level security protocols for Firefox.
- For other discussions of Mozilla security issues:
- Mozilla's Security Web forum is a place to discuss information security work in the open source space, where Mozilla is empowering users to build and curate a Healthy Internet.
- Mozilla's privacy-and-security forum is a place to discuss issues and questions specific to privacy and security.
- Chat on Matrix may also be used.