Changes

CA/Information Checklist

441 bytes added, 01:07, 27 February 2018
Move Test to separate subsection
#** See: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP
#** OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443.
# Test!!!
#* If requesting to enable the Websites (SSL/TLS) trust bit, then you must perform all of the following tests
#** Revocation: Browse to https://certificate.revocationcheck.com/ and enter the Test Website URL. Make sure there are no errors listed in the output.
#*** If certificate.revocationcheck.com does not know about the root cert, then use the 'Certificate Upload' tab to directly input the PEM for the certificates.
#** The CA MUST check that they are not issuing certificates that violate any of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] (BRs).
#** Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs by performing the following tests.
#*** Browse to https://crt.sh/
#*** Enter the SHA-1 or SHA-256 Fingerprint for the root certificate. Then click on the 'Search' button.
#*** When the certificate information is shown, along the left column under Certificate, click on the "Run cablint" and "Run x509lint" links. Each of these will add a row to the table, showing the test results.
#*** All errors must be resolved/fixed. Warnings should also be either resolved or explained.
#** Alternatively, you may use the test code directly via Github:
#*** BR Lint Test: https://github.com/awslabs/certlint
#*** X.509 Lint Test: https://github.com/kroeckx/x509lint
#*** All errors must be resolved/fixed. Warnings should also be either resolved or explained.
#** [[CA:TestErrors|Test Errors]] - Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above.
#* If you are requesting to enable EV treatment, then you must also perform the [[PSM:EV_Testing_Easy_Version | PSM EV Testing]]
#** You must provide successful output from the [https://tls-observatory.services.mozilla.com/static/ev-checker.html EV Checking Tool].
# Requested Trust Bits
#* State which of the two trust bits you are requesting to be enabled for this root. One or more of:
#** EV - Verification meets the requirements of the CA/Browser Forum [https://cabforum.org/extended-validation/ CA/Browser Forum's EV Guidelines]
# If EV certificates are issued within the hierarchy rooted at this root, the EV policy OID(s) associated with those EV certificates.
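Review bot: Removing the "Test!!!" item from this numbered list also takes the EV-testing sub-items ("If you are requesting to enable EV treatment ..." and the EV Checking Tool requirement) out of the list, so the "Requested Trust Bits" EV entry that remains no longer points a reader at any EV test; suggest adding a cross-reference from the EV trust-bit line to the separate Test subsection named in the edit summary. While this region is being touched, the EV line reads "CA/Browser Forum [https://cabforum.org/extended-validation/ CA/Browser Forum's EV Guidelines]", repeating the organisation name; "Verification meets the requirements of the [https://cabforum.org/extended-validation/ CA/Browser Forum's EV Guidelines]" is enough.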
 
=== Test!!! ===
You must Test your certificates and test websites! They must be fully compliant with Mozilla's Root Store Policy and the appropriate RFC's, and CA/Browser Forum Baseline Requirements (if requesting the SSL/TLS trust bit).
* If requesting to enable the Websites (SSL/TLS) trust bit, then you must perform all of the following tests
** Revocation: Browse to https://certificate.revocationcheck.com/ and enter the Test Website URL. Make sure there are no errors listed in the output.
*** If certificate.revocationcheck.com does not know about the root cert, then use the 'Certificate Upload' tab to directly input the PEM for the certificates.
** The CA MUST check that they are not issuing certificates that violate any of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] (BRs).
** Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs by performing the following tests.
*** Browse to https://crt.sh/
*** Enter the SHA-1 or SHA-256 Fingerprint for the root certificate. Then click on the 'Search' button.
*** When the certificate information is shown, along the left column under Certificate, click on the "Run cablint" and "Run x509lint" links. Each of these will add a row to the table, showing the test results.
*** All errors must be resolved/fixed. Warnings should also be either resolved or explained.
** If you have not yet issued public certificates in your CA hierarchy, then you can test using:
*** https://crt.sh/linttbscert
**** [https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg07855.html Instructions]
** Alternatively, you may use the test code directly via Github:
*** BR Lint Test: https://github.com/awslabs/certlint
*** X.509 Lint Test: https://github.com/kroeckx/x509lint
*** All errors must be resolved/fixed. Warnings should also be either resolved or explained.
** [[CA:TestErrors|Test Errors]] - Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above.
 
If you are requesting to enable EV treatment, then you must also perform the [[PSM:EV_Testing_Easy_Version | PSM EV Testing]]
* You must provide successful output from the [https://tls-observatory.services.mozilla.com/static/ev-checker.html EV Checking Tool].
== CA Hierarchy information for each root certificate ==
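Review bot: In the new subsection the EV requirement ("If you are requesting to enable EV treatment, then you must also perform the PSM EV Testing") sits outside the bullet list while its dependent item ("You must provide successful output from the EV Checking Tool") is a top-level bullet, so it renders as a paragraph followed by an unrelated bullet; suggest "* If you are requesting to enable EV treatment, ..." with "** You must provide successful output ..." nested under it, matching the structure of the Websites (SSL/TLS) item above it. Minor: "RFC's" in the intro sentence should be "RFCs", and "All errors must be resolved/fixed. Warnings should also be either resolved or explained." appears under both the crt.sh steps and the GitHub alternative and could be stated once for the whole set of lint tests.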