Changes

PSM:EV Testing Easy Version

84 bytes removed, 22:07, 2 March 2018
m
added/fixed links
This page is for [[CA:FAQ#What_are_CAs.3F | Certificate Authorities (CAs)]] who request to have a root certificate enabled for [https://www.cabforum.org/certificates.html Extended Validation (EV) treatment], and need to test that their CA hierarchy is ready for EV treatment.
To request that your root certificate be included in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] and [https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp enabled for EV treatment], see [[CA/Application_Process| Mozilla's application process]] guidelines.
This page explains how you can test that your certificates and OCSP infrastructure work correctly according to the expectations of Mozilla, Firefox, and the NSS library, and conform to the SSL protocol specifications (as interpreted by Mozilla/NSS software).
#* End with: -----END CERTIFICATE-----
#* [https://crt.sh/?d=853428 Example PEM Data] - open with a plain text editor like TextEdit
#* [http://ccadb.org/cas/fields#pem-data Help with getting PEM]
# Click on "Submit"
* If you get ''Error: TypeError: json.analysis is undefined'', then the program does not like the format of the data you entered, for instance because there are extra spaces or characters before or after the TLS Server URL, EV Policy OID, or Root Certificate PEM.
* The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test.
* OCSP must work without error for the intermediate certificates. For more information see: https://wiki.mozilla.org/CA:EV_Revocation_Checking#Requirements
* The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID that you enter. (Note: the intermediate certificate can use the anyPolicy OID rather than the EV Policy OID.)
** A SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate being sent by the server doesn't have a certificate policies extension, or has an incorrect policy OID.
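
A local pre-check for the three form fields named in the first note above (TLS Server URL, EV Policy OID, Root Certificate PEM), as an added example that is not part of the original page or of Mozilla's EV test tool. The accepted formats (an https URL, a dotted-decimal OID, exactly one PEM block) are assumptions, and the sample values are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# First arc 0-2; second arc 0-39 unless the first arc is 2.
OID_RE = re.compile(r"(?:[01]\.(?:[1-3]?[0-9])|2\.(?:0|[1-9][0-9]*))"
                    r"(?:\.(?:0|[1-9][0-9]*))*")

# Constructed sample values (the PEM body is a stand-in, not a real certificate).
SAMPLE_URL = "https://ev.example.test/"
SAMPLE_OID = "2.23.140.1.1"
SAMPLE_PEM = PEM_BEGIN + "\nMAMCAQE=\n" + PEM_END


def precheck(url, oid, pem):
    """Return a list of problems found in the three EV test form fields."""
    problems = []
    for name, value in (("TLS Server URL", url), ("EV Policy OID", oid),
                        ("Root Certificate PEM", pem)):
        if value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")
    url, oid, pem = url.strip(), oid.strip(), pem.strip()
    try:
        parts = urlsplit(url)
        url_ok = parts.scheme == "https" and bool(parts.hostname)
    except ValueError:  # e.g. a malformed bracketed IPv6 host
        url_ok = False
    if not url_ok:
        problems.append("TLS Server URL: expected https://host[:port]/")
    if not OID_RE.fullmatch(oid):
        problems.append("EV Policy OID: not a dotted-decimal OID")
    if not pem.startswith(PEM_BEGIN):
        problems.append("Root Certificate PEM: characters before BEGIN line")
    if not pem.endswith(PEM_END):
        problems.append("Root Certificate PEM: characters after END line")
    if pem.count(PEM_BEGIN) != 1 or pem.count(PEM_END) != 1:
        problems.append("Root Certificate PEM: expected exactly one certificate")
    else:
        body = pem.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE
            problems.append("Root Certificate PEM: body is not base64 DER")
    return problems
```

An empty list means the fields pass these format checks only; it says nothing about OCSP or the policy OIDs in the chain, which the EV test itself evaluates.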