m (cert chaining to two included roots) |
m (cert chaining to two included roots) |
||
| Line 70: | Line 70: | ||
*** Including revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|should be added to OneCRL]] | *** Including revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|should be added to OneCRL]] | ||
When the '''same exact intermediate certificate''' chains up to two included root certificates, the certificate only needs to be included in Salesforce once. | When the '''same exact intermediate certificate''' chains up to two included root certificates, the certificate data only needs to be included in Salesforce once. | ||
* For root certificate (rootA) that is cross-signed by another included root certificate (rootB) that has the Websites trust bit enabled, the intermediate certificates chaining up to rootA only need to be | * For root certificate (rootA) that is cross-signed by another included root certificate (rootB) that has the Websites trust bit enabled, the intermediate certificates chaining up to rootA only need to be entered into the CA Community in Salesforce once. | ||
** The cross-certificates for rootA must be entered into Salesforce | ** The cross-certificates for rootA that are signed by rootB must be entered into Salesforce such that their records chain up to rootB. | ||
** If rootA is included and has the Websites trust bit enabled, then its intermediate certificates should be entered into Salesforce such that | ** If rootA is included and has the Websites trust bit enabled, then its intermediate certificates should be entered into Salesforce such that their records chain directly to rootA. | ||
** If rootA has been removed from NSS or does not have the Websites trust bit enabled, then its intermediate certificates must be entered into Salesforce such that | ** If rootA has been removed from NSS or does not have the Websites trust bit enabled, then its intermediate certificates must be entered into Salesforce such that their records chain to rootB. | ||
** If rootA and rootB are owned by different CAs, then both CAs are responsible for ensuring that the data for all of their non-technically-constrained intermediate certificates are appropriately entered into Salesforce. | ** If rootA and rootB are owned by different CAs, then both CAs are responsible for ensuring that the data for all of their non-technically-constrained intermediate certificates are appropriately entered into Salesforce. | ||
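Review bot: The requirement level is inconsistent across the revised sub-bullets: the bullet for an included rootA with the Websites trust bit says its intermediate certificates "should be entered into Salesforce", while the cross-certificate bullet above it and the removed-rootA bullet below it both say "must be entered". If the included-rootA case is also mandatory, use "must" there; if it is deliberately weaker, say so. The new wording also describes the record relationship three ways ("chain up to rootB", "chain directly to rootA", "chain to rootB"); pick one phrasing, or state explicitly that "directly" means the record's parent is rootA itself rather than a cross-certificate. Minor: the parent bullet opens "For root certificate (rootA)" without the article "a", and it refers to "the CA Community in Salesforce" where the other bullets say only "Salesforce".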