CA/Certificate Change Process

3,621 bytes added, 21:40, 1 February 2010
Created page with '== Changing a Root Certificate that is Currently Included in NSS == Reasons to change a root certificate that is currently included in NSS may included, but are not limited to: …'
== Changing a Root Certificate that is Currently Included in NSS ==

Reasons to change a root certificate that is currently included in NSS may include, but are not limited to:

* Add a Trust Bit (one of websites, email, code signing)
* Enable EV
* Disable a Root (turn off one or more of the trust bits)
* Remove a Root

=== Add a Trust Bit ===

When a root certificate is included in NSS, one or more of the three trust bits (websites, email, code signing) are enabled. It is common for a CA to request inclusion with a subset of the trust bits enabled, and then later request that an additional trust bit be enabled. A CA may request that additional trust bits be enabled for a root certificate that is included in NSS by following these steps.

# Update the CP/CPS to reflect the policies for the additional trust bits, and make sure that the additions to the CP/CPS follow the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy], especially section 7.
# Also see the [[CA:Recommended_Practices|Recommended Practices]] and [[CA:Problematic_Practices|Potentially Problematic Practices]].
# Have the annual audit cover the updated CP/CPS.
#* Make sure that the audit meets the requirements stated in the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy].
# File a bug by clicking on the "Create a new bug report" link in [[CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request|CA:How_to_apply]], section 1.2.
#* Change the bug summary to "Enable trust bits for <name of your root>".
#* In the bug description add a reference to the original root-inclusion bug number.
#* In the bug description include links to the updated CP/CPS and the updated audit.
# The request will go through the [[CA:How_to_apply#Information_gathering_and_verification|Information Gathering and Verification]], [[CA:How_to_apply#Public_discussion|Public Discussion]], and [[CA:How_to_apply#Inclusion|Inclusion]] phases as described in CA:How_to_apply.


=== Enable EV ===

A CA may request that Extended Validation (EV) be enabled for a root certificate that is currently included in NSS by following these steps.

# Update the CP/CPS to reflect the EV policies, and make sure that the additions to the CP/CPS follow the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy] as well as the [http://www.cabforum.org/Guidelines_v1_2.pdf EV SSL Certificate Guidelines Version 1.2] that are posted on the CA/Browser Forum website.
# Also see the [[CA:Recommended_Practices|Recommended Practices]] and [[CA:Problematic_Practices|Potentially Problematic Practices]].
# Complete a WebTrust EV audit that meets the requirements stated in the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy].
# File a bug by clicking on the "Create a new bug report" link in [[CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request|CA:How_to_apply]], section 1.2.
#* Change the bug summary to "Enable EV for <name of your root>".
#* In the bug description add a reference to the original root-inclusion bug number.
#* In the bug description include links to the updated CP/CPS and the WebTrust EV audit.
# The request will go through the [[CA:How_to_apply#Information_gathering_and_verification|Information Gathering and Verification]], [[CA:How_to_apply#Public_discussion|Public Discussion]], and [[CA:How_to_apply#Inclusion|Inclusion]] phases as described in CA:How_to_apply.


=== Disable a Root ===

text here

=== Remove a Root ===

text here