From MozillaWiki
Jump to: navigation, search

Mozilla's CA Certificate Program

Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of products.

Override Default Root Certificate Settings

Users of Mozilla products may override the default root certificate settings by either deleting the root certificate or by changing the trust bit settings of a root certificate.

Policy and Included CAs

  • Pending CAs Spreadsheet -- CAs who have applied for inclusion of their certificates in the Mozilla project Root CA store, and whose applications are pending. Also CAs who have applied to add trust bits or enable EV for certificates that are already included in Mozilla's Root CA store, and their applications are pending.

CA Communications

Common CA Database (aka CA Community in Salesforce)

Mozilla's CA Program uses the Common CA Database, also known as the CA Community in Salesforce, which is a highly customized CRM used for managing CA Program data. The Common CA Database enables CAs to directly provide the data for all of the publicly disclosed and audited subordinate CAs chaining up to root certificates in Mozilla's program, and to also directly provide data about their revoked intermediate certificates. A Primary Point of Contact for each included CA will be given a CA Communitylicense, so that each of the CAs in Mozilla's program can input, access, and update their intermediate certificate data directly in the Common CA Database.

  • CA Members of the Common CA Database
    • A CA Member is any CA participating in the Common CA Database via Community licenses, subject to Mozilla policies. CA Members have restricted access to certain parts of the data in the Common CA Database. They can only modify the data regarding intermediate certificates chaining up to their own root certificates. They have read-only access to root certificate data, and they do not have access to Cases regarding root inclusion/change requests.
  • Root Store Members of the Common CA Database
    • A Root Store Member is any root store operator participating in the Common CA Database who has signed Mozilla's Common CA Database Agreement.
  • Note: "Common CA Database" is the new name for "CA Community in Salesforce".

Maintenance and Enforcement

How to Apply for Root Inclusion or Changes

  • Process Overview
  • How to Apply -- A guide for CAs wishing to include their certificate in Mozilla's Root CA store, and also a guide for CAs wishing to add trust bits or enable EV for a certificate that is already included in Mozilla's Root CA store.
  • Root Change Process -- How to request a change to a root certificate that is currently included in NSS. This includes the process for disabling or removing a root certificate from NSS.

Discussion forums

The following Mozilla public forums are relevant to CA evaluation and related issues. Note that each forum can be accessed either as a mailing list or a newsgroup (using an NNTP-newsreader or the Google Groups service).

  • Policy forum. This forum is used for discussions of Mozilla policies related to security in general and CAs in particular; among other things, it is the preferred forum for the public comment phase of CA evaluation.
  • Crypto forum. This forum is used for discussions of the NSS cryptographic library used in Firefox and other Mozilla-based products, as well as the PSM module that implements higher-level security protocols for Firefox, Note that this forum was previously used to discuss CA request, but such discussions should now be moved to the policy forum.
  • Security forum. This forum is used for discussions of Mozilla security issues in general. Crypto-related discussions should be moved to

Work in Progress


The following are templates created by Gerv Markham for use by the Mozilla representative(s) responsible for working on CA requests. Except as noted the templates are used in creating comments for the bug report associated with a CA request.


The following items are obsolete, and have been replaced by other links provided above.