CA/Information Checklist: Difference between revisions

Updated test information
(Updated audit criteria)
(Updated test information)
Line 113: Line 113:
#** Revocation: Browse to http://certificate.revocationcheck.com/ and enter the Test Website URL. Make sure there are no errors listed in the output.
#** Revocation: Browse to http://certificate.revocationcheck.com/ and enter the Test Website URL. Make sure there are no errors listed in the output.
#*** If certificate.revocationcheck.com does not know about the root cert, then use the 'Certificate Upload' tab to directly input the PEM for the certificates.
#*** If certificate.revocationcheck.com does not know about the root cert, then use the 'Certificate Upload' tab to directly input the PEM for the certificates.
#** The CA MUST check that they are not issuing certificates that violate any of the [https://cabforum.org/baseline-requirements/ CA/Browser Forum Baseline Requirements] (BRs). Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs by performing the following tests.
#** The CA MUST check that they are not issuing certificates that violate any of the [https://cabforum.org/baseline-requirements/ CA/Browser Forum Baseline Requirements] (BRs).  
#*** CA/Browser Forum Compliance: Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root certificate. Then click on the 'Search' button. Then click on the 'Run cablint' link. All errors must be resolved/fixed. Warnings should also be either resolved or explained.
#** Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs by performing the following tests.
#*** Cert chain of test website: Browse to https://cert-checker.allizom.org/ and enter the test website and click on the 'Browse' button to provide the PEM file for the root certificate. Then click on 'run certlint'. All errors must be resolved/fixed. Warnings should also be either resolved or explained.
#*** Browse to https://crt.sh/  
#*** Enter the SHA-1 or SHA-256 Fingerprint for the root certificate. Then click on the 'Search' button.
#*** When the certificate information is shown, along the left column under Certificate, click on the "Run cablint" and "Run x509lint" links. Each of these will add a row to the table, showing the test results.
#*** All errors must be resolved/fixed. Warnings should also be either resolved or explained.
#** Alternatively, you may use the test code directly via Github:
#*** BR Lint Test: https://github.com/awslabs/certlint
#*** X.509 Lint Test: https://github.com/kroeckx/x509lint
#*** All errors must be resolved/fixed. Warnings should also be either resolved or explained.
#** [[CA:TestErrors|Test Errors]] - Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above.
#** [[CA:TestErrors|Test Errors]] - Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above.
#* If you are requesting to enable EV treatment, then you must also perform the [[PSM:EV_Testing_Easy_Version | PSM EV Testing]]  
#* If you are requesting to enable EV treatment, then you must also perform the [[PSM:EV_Testing_Easy_Version | PSM EV Testing]]  
#** You must provide successful output from the [https://cert-checker.allizom.org/ev-checker EV Checking Tool].
#** You must provide successful output from the [https://tls-observatory.services.mozilla.com/static/ev-checker.html EV Checking Tool].
# Requested Trust Bits
# Requested Trust Bits
#* State which of the two trust bits you are requesting to be enabled for this root. One or more of:
#* State which of the two trust bits you are requesting to be enabled for this root. One or more of:
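Review bot: the new crt.sh steps lint only the root certificate looked up by fingerprint, while the removed cert-checker.allizom.org step was the one that covered the test website's certificate chain, so nothing under "Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs" now examines a certificate the CA has issued. Consider adding a step that runs cablint and x509lint against the test website's end-entity and intermediate certificates as well. Smaller points: the sentence "All errors must be resolved/fixed. Warnings should also be either resolved or explained." now appears under both the crt.sh steps and the GitHub alternative and could be stated once at the parent level; the labels "BR Lint Test" and "X.509 Lint Test" do not say which repository corresponds to the "Run cablint" link named in the crt.sh step; and "Github" should be "GitHub".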