Changes

PSM:EV Testing Easy Version

253 bytes removed, 23:23, 17 November 2022
Removed references to "any" EV OID - must be CABF EV OID.
This page is for [[CA:FAQ#What_are_CAs.3F | Certificate Authorities (CAs)]] who request to have a root certificate enabled for [https://cabforum.org/extended-validation Extended Validation (EV) treatment], and need to test that their CA hierarchy is ready for EV treatment.
Before requesting EV treatment, CAs should understand how [[CA/EV_Processing_for_CAs | Firefox processes EV certificates]] and ensure that they are using the standard CA/Browser Forum EV OID (2.23.140.1.1), which Mozilla requires.
To request that your root certificate be included in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] and [https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp enabled for EV treatment], see [[CA/Application_Process|Mozilla's application process]].
* The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test.
* OCSP must work without error for the intermediate certificates.
* The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID that you enter. (Note: the intermediate certificate can use the anyPolicy OID rather than the EV policy OID.)
** A SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate sent by the server doesn't have a certificate policies extension, or has an incorrect policy OID.
* If the test website cannot be reached by the server hosting the tool, check to see if you have a firewall preventing access. If you are unable to create a test website that can be reached by the server hosting the tool, then you can download a copy of the [https://github.com/mozilla/tls-observatory source code] for the tool, compile it, and run it on your own server.
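The policy-OID rule above (end-entity must carry the EV OID you enter; each intermediate must carry that OID or anyPolicy; a missing certificatePolicies extension on the intermediate fails) can be pre-checked locally before pointing the tool at a test site. The following Go program is an added example written for this page; it is not code from the tls-observatory tool or from NSS, and it implements the rule exactly as this page words it rather than full RFC 5280 policy processing. It builds a constructed root, intermediate and leaf in memory (no real CA material), verifies that the leaf chains to the supplied root only, as the EV test does, and then applies the policy rule. The function names, the test hierarchy and the "wrong OID" case (which uses the CA/Browser Forum domain-validated OID 2.23.140.1.2.1 as a non-EV policy) are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs named on this page, plus the extension OID they are carried in.
var (
	CABFEVOID              = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // CA/Browser Forum EV policy
	AnyPolicy              = asn1.ObjectIdentifier{2, 5, 29, 32, 0}  // anyPolicy
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}     // id-ce-certificatePolicies
)

// PolicyList lets callers write PolicyList(CABFEVOID) for a policy set.
func PolicyList(oids ...asn1.ObjectIdentifier) []asn1.ObjectIdentifier { return oids }

func hasPolicy(c *x509.Certificate, want asn1.ObjectIdentifier) bool {
	for _, p := range c.PolicyIdentifiers {
		if p.Equal(want) {
			return true
		}
	}
	return false
}

func hasExtension(c *x509.Certificate, id asn1.ObjectIdentifier) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(id) {
			return true
		}
	}
	return false
}

// CheckEVPolicies applies the page's rule: the end-entity must carry evOID and
// every intermediate must carry evOID or anyPolicy. The root is not checked.
func CheckEVPolicies(leaf *x509.Certificate, intermediates []*x509.Certificate, evOID asn1.ObjectIdentifier) error {
	if !hasPolicy(leaf, evOID) {
		return fmt.Errorf("end-entity %q: EV policy %v not present, has %v", leaf.Subject.CommonName, evOID, leaf.PolicyIdentifiers)
	}
	for _, ica := range intermediates {
		switch {
		case !hasExtension(ica, oidCertificatePolicies):
			return fmt.Errorf("intermediate %q: no certificate policies extension (expect SEC_ERROR_POLICY_VALIDATION_FAILED)", ica.Subject.CommonName)
		case !hasPolicy(ica, evOID) && !hasPolicy(ica, AnyPolicy):
			return fmt.Errorf("intermediate %q: policies %v match neither %v nor anyPolicy (expect SEC_ERROR_POLICY_VALIDATION_FAILED)", ica.Subject.CommonName, ica.PolicyIdentifiers, evOID)
		}
	}
	return nil
}

// ValidateEVChain first verifies the leaf against the one root it is given
// (cross-signs via other roots are deliberately not considered) and then
// applies the policy rule.
func ValidateEVChain(leaf, ica, root *x509.Certificate, evOID asn1.ObjectIdentifier) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ica)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return fmt.Errorf("chain does not verify to the given root: %w", err)
	}
	return CheckEVPolicies(leaf, []*x509.Certificate{ica}, evOID)
}

// --- constructed test hierarchy (not a real CA) ---

type policyInformation struct{ Policy asn1.ObjectIdentifier } // qualifiers omitted

// policiesExtension hand-encodes certificatePolicies so the example does not
// depend on which Go version marshals PolicyIdentifiers vs. Policies.
func policiesExtension(oids []asn1.ObjectIdentifier) pkix.Extension {
	infos := make([]policyInformation, 0, len(oids))
	for _, o := range oids {
		infos = append(infos, policyInformation{o})
	}
	der, err := asn1.Marshal(infos)
	if err != nil {
		panic(err)
	}
	return pkix.Extension{Id: oidCertificatePolicies, Value: der}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewTestChain builds root -> intermediate -> leaf with the given policy sets;
// nil means the certificate gets no certificatePolicies extension at all.
func NewTestChain(icaPolicies, leafPolicies []asn1.ObjectIdentifier) (leaf, ica, root *x509.Certificate) {
	now := time.Now()
	base := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	rootKey, icaKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := base("Constructed Test Root", 1)
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid = true, true
	rootTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	icaTmpl := base("Constructed Test Intermediate", 2)
	icaTmpl.IsCA, icaTmpl.BasicConstraintsValid = true, true
	icaTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if icaPolicies != nil {
		icaTmpl.ExtraExtensions = []pkix.Extension{policiesExtension(icaPolicies)}
	}
	ica = issue(icaTmpl, root, &icaKey.PublicKey, rootKey)

	leafTmpl := base("ev-test.example", 3)
	leafTmpl.DNSNames = []string{"ev-test.example"}
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if leafPolicies != nil {
		leafTmpl.ExtraExtensions = []pkix.Extension{policiesExtension(leafPolicies)}
	}
	leaf = issue(leafTmpl, ica, &leafKey.PublicKey, icaKey)
	return leaf, ica, root
}

func main() {
	cases := []struct {
		name      string
		ica, leaf []asn1.ObjectIdentifier
	}{
		{"EV OID on intermediate and leaf", PolicyList(CABFEVOID), PolicyList(CABFEVOID)},
		{"anyPolicy on intermediate", PolicyList(AnyPolicy), PolicyList(CABFEVOID)},
		{"intermediate without policies extension", nil, PolicyList(CABFEVOID)},
		{"leaf with a non-EV (DV) OID", PolicyList(CABFEVOID), PolicyList(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1})},
	}
	for _, c := range cases {
		leaf, ica, root := NewTestChain(c.ica, c.leaf)
		fmt.Printf("%-42s -> %v\n", c.name, ValidateEVChain(leaf, ica, root, CABFEVOID))
	}
}
```

For a live hierarchy, replace NewTestChain with certificates parsed from the server's handshake plus the candidate root, keeping ValidateEVChain as is; the chain step reproduces the page's first bullet (only the given root counts), and the two intermediate error messages map to the SEC_ERROR_POLICY_VALIDATION_FAILED cause described above. OCSP reachability, the other requirement on this page, is outside this check.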