== Which intermediate certificate data should CAs add to Salesforce? ==
CAs '''must''' add records for:
* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla's CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
** Including every intermediate certificate (chaining up to a root certificate in Mozilla's program with the Websites trust bit enabled) that is not [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings.
** Intermediate certificates are considered to be technically constrained, and do not need to be added to the CA Community in Salesforce, if:
*** The intermediate certificate has the Extended Key Usage (EKU) extension and the EKU does '''not''' include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth; or
*** The intermediate certificate includes the Name Constraints extension as described in section 7.1.5 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements]; or
*** The root certificate is not enabled with the Websites trust bit.
* [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|Revoked certificates]] that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla's CA Certificate Program and were not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
** Including revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|should be added to OneCRL]].
When the '''same exact intermediate certificate''' chains up to two included root certificates, the certificate only needs to be included in Salesforce once.
* For a root certificate (rootA) that is cross-signed by another included root certificate (rootB) that has the Websites trust bit enabled, the intermediate certificates chaining up to rootA only need to be disclosed once.
** The cross-certificate records for rootA must be entered into Salesforce, chaining to rootB.
** If rootA is included and has the Websites trust bit enabled, then its intermediate certificate records should be entered into Salesforce such that they chain directly to rootA.
** If rootA has been removed from NSS or does not have the Websites trust bit enabled, then its intermediate certificate records must be entered into Salesforce such that they chain to rootB.
** If rootA and rootB are owned by different CAs, then both CAs are responsible for ensuring that the intermediate certificate records are appropriately entered into Salesforce.
CAs should '''not''' add records for:
* Intermediate certificates that the CA cannot publicly disclose '''and''' that are [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings. All intermediate certificate data added by CAs to Salesforce will be [[CA:SalesforceCommunity#View_Published_Reports|publicly available]].
* Revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|do not need to be added to OneCRL]].
* Expired intermediate certificates.
* Intermediate certificates that do '''not''' chain up to a root certificate that is currently [[CA:IncludedCAs|included in Mozilla's root store]].
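As an added example (not from this wiki page and not Mozilla's or any CA's own tooling), the Go program below applies the three technical-constraint exemptions listed above to a parsed certificate and reports which rule decided. It assumes the caller already knows whether the root has the Websites trust bit; the MakeTestCA helper is a constructed, self-signed sample certificate generator so the check can be exercised offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// IsTechnicallyConstrained applies the three exemptions above and names the deciding rule.
func IsTechnicallyConstrained(c *x509.Certificate, rootHasWebsitesBit bool) (bool, string) {
	if !rootHasWebsitesBit {
		return true, "root does not have the Websites trust bit"
	}
	hasEKU, hasNC := false, false
	for _, e := range c.Extensions {
		hasEKU = hasEKU || e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 37}) // id-ce-extKeyUsage
		hasNC = hasNC || e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 30})   // id-ce-nameConstraints
	}
	if hasNC {
		return true, "Name Constraints extension present"
	}
	if hasEKU {
		for _, u := range c.ExtKeyUsage { // OIDs Go does not know land in UnknownExtKeyUsage and cannot match
			if u == x509.ExtKeyUsageAny || u == x509.ExtKeyUsageServerAuth {
				return false, "EKU includes anyExtendedKeyUsage or id-kp-serverAuth: must be disclosed"
			}
		}
		return true, "EKU excludes anyExtendedKeyUsage and id-kp-serverAuth"
	}
	return false, "no EKU and no Name Constraints extension: must be disclosed"
}

// MakeTestCA self-signs a constructed sample CA certificate (test data, not a real CA) with the given EKUs and, when permittedDNS is non-empty, a Name Constraints extension.
func MakeTestCA(eku []x509.ExtKeyUsage, permittedDNS []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: eku, PermittedDNSDomains: permittedDNS}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate that passes this check may still have to be disclosed under the cross-signing rules above; the function only evaluates the three exemptions.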
== Add Intermediate Certificate Data to Salesforce ==