PSM:EV Testing Easy Version
This page is for Certificate Authorities (CAs) who request to have a root certificate enabled for Extended Validation (EV) treatment, and need to test that their CA hierarchy is ready for EV treatment.
Before requesting EV treatment, CAs should understand how Firefox processes EV certificates and determine if they should use the standard CA/Browser Forum EV OID (22.214.171.124.1) or a CA-specific OID. Unless the CA already has a CA-specific OID enabled in Firefox, Mozilla strongly recommends that CAs use the standard CA/Browser Forum EV OID.
This page explains how you can test that your certificates and OCSP infrastructure are working correctly according to the expectations of Mozilla, Firefox, and the NSS library; and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software.)
To test your CA hierarchy to see if it is ready to request EV treatment:
- Browse to https://tls-observatory.services.mozilla.com/static/ev-checker.html
- Enter the URL to the test website for the EV certificate
- Example: https://observatory.mozilla.org
- Enter the EV Policy OID
- Example: 126.96.36.199.1
- Enter the PEM data for the root certificate, or use the "Browse..." button to select the PEM file for the root certificate (ending of file may be .pem or .cert)
- Click on "Submit"
The status of the test will be displayed at the top of the window, just below the title "EV-Readiness Check".
A successful result says: "ev-checker exited successfully: Success!"
The purpose of this test is to make sure you have set up EV according to the EV Guidelines, so make sure you have not taken short-cuts like issuing the test cert directly from the root.
- If you get Error: Could not initiate scan: Server error. Status: 429 Too Many Requests, then wait for 3 minutes before trying again. TLS Observatory allows one scan per target every 3 minutes, so you will get this error if you test multiple times too quickly.
- If you get Error: TypeError: json.analysis is undefined, then the program does not like the format of the data you entered. For instance, if you have extra spaces or characters before or after the TLS Server URL, EV Policy OID, or Root Certificate PEM.
- The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test.
- OCSP must work without error for the intermediate certificates.
- The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID that you enter. (Note: the intermediate cert can use the anyPolicy oid rather than the EV policy oid.)
- SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate being sent by the server doesn't have a certificate policies extension, or has an incorrect policy OID.
- If the test website cannot be reached by the server hosting the tool, check to see if you have a firewall preventing access. If you are unable to create a test website that can be reached by the server hosting the tool, then you can download a copy of the source code for the tool, compile it, and run it on your own server.
- Still failing? Try testing with https://certificate.revocationcheck.com/ because frequently resolving the errors listed on that page will resolve problems with EV testing.
Running the test locally
The following instructions may help you compile and run EV-Checker on Mac OS X.
- One-time setup if needed, to get necessary developer tools
- In Terminal window:
- curl https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py > bootstrap.py && python bootstrap.py
- Reference: https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Mac_OS_X_Prerequisites
- Other things you might need to install:
- brew install gnutls
- brew install nodejs
- brew install npm
- In Terminal window:
- To get the latest version of ev-checker:
- git clone https://github.com/mozkeeler/ev-checker
- cd ev-checker
- make clean
- To run EV Checker:
- In Terminal window cd to the ev-checker folder and type: node server.js
- In Firefox browser: http://localhost:8000/
- Note: only one copy of the server may be running at a time. If you get an EADDRINUSE error, then in a terminal window type:
- lsof -iTCP -sTCP:listen
- Look for any lines starting with "node"
About the Testing Tool
The code for the Testing Tool is here: https://github.com/mozkeeler/ev-checker
The Testing Tool...
- Runs a program on a remote computer rather than the user's browser, so it should work with any browser/version.
- Does not interact with the user's profile, so the user does not need to import the root certificate in order to run the tool. The web server must serve up the intermediate cert(s) along with the end-entity cert.
- Runs on an Amazon EC2 instance, so your test website must be accessible from Amazon EC2 instances.