m (Fixed URL) |
(Removed references to "any" EV OID - must be CABF EV OID.) |
||
| Line 1: | Line 1: | ||
This page is for [[CA:FAQ#What_are_CAs.3F | Certificate Authorities (CAs)]] who request to have a root certificate enabled for [https://cabforum.org/extended-validation Extended Validation (EV) treatment], and need to test that their CA hierarchy is ready for EV treatment. | This page is for [[CA:FAQ#What_are_CAs.3F | Certificate Authorities (CAs)]] who request to have a root certificate enabled for [https://cabforum.org/extended-validation Extended Validation (EV) treatment], and need to test that their CA hierarchy is ready for EV treatment. | ||
Before requesting EV treatment, CAs should understand how [[CA/EV_Processing_for_CAs | Firefox processes EV certificates]] and | Before requesting EV treatment, CAs should understand how [[CA/EV_Processing_for_CAs | Firefox processes EV certificates]] and ensure that they are using the CA/Browser Forum EV OID (2.23.140.1.1), which Mozilla requires. | ||
To request that your root certificate be included in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] and [https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp enabled for EV treatment], see [[CA/Application_Process|Mozilla's application process]]. | To request that your root certificate be included in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] and [https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp enabled for EV treatment], see [[CA/Application_Process|Mozilla's application process]]. | ||
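Review bot: The rewritten sentence in the second row ("ensure that they are using the CA/Browser Forum EV OID (2.23.140.1.1), which Mozilla requires") does not say where the OID has to appear. The troubleshooting list further down refers to the EV Policy OID in both end-entity and intermediate certificates, so consider stating that here or linking to that list, so a CA reading only the introduction knows which certificates to check.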
| Line 32: | Line 32: | ||
* The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test. | * The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test. | ||
* OCSP must work without error for the intermediate certificates. | * OCSP must work without error for the intermediate certificates. | ||
* The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID | * The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID. | ||
** SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate being sent by the server doesn't have a certificate policies extension, or has an incorrect policy OID. | ** SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate being sent by the server doesn't have a certificate policies extension, or has an incorrect policy OID. | ||
* If the test website cannot be reached by the server hosting the tool, check to see if you have a firewall preventing access. If you are unable to create a test website that can be reached by the server hosting the tool, then you can download a copy of the [https://github.com/mozilla/tls-observatory source code] for the tool, compile it, and run it on your own server. | * If the test website cannot be reached by the server hosting the tool, check to see if you have a firewall preventing access. If you are unable to create a test website that can be reached by the server hosting the tool, then you can download a copy of the [https://github.com/mozilla/tls-observatory source code] for the tool, compile it, and run it on your own server. | ||
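Review bot: The edited bullet now reads "The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID.", which is circular: after the removal it no longer says what the OID must match. Suggest naming the target, for example "must be the CA/Browser Forum EV OID (2.23.140.1.1)", in line with the introduction and the edit summary. The "incorrect policy OID" wording in the SEC_ERROR_POLICY_VALIDATION_FAILED sub-bullet could then refer to the same value.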