CA/Application Instructions: Difference between revisions

← Older edit

CA/Application Instructions (view source)

Revision as of 15:58, 14 April 2025

644 bytes added , 14 April

m

Minor changes

Bwilson

Confirmed users

518

edits

@@ Line 8: / Line 8: @@
 #* Note that you must supply an email address when creating an account; this address will be made public, and will be used for communications, related to your request.
 #* Be sure to use an email address that you regularly monitor, because all communication regarding the request will be sent to this email address.
-# [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product=NSS&bug_severity=enhancement&short_desc=Add%20%5Byour%20CA%27s%20name%5D%20root%20certificate%28s%29 Create a new bug report] corresponding to your request.
+# [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product=CA%20Program&short_desc=Add%20%5Byour%20CA%27s%20name%5D%20root%20certificate%28s%29 Create a new bug report] corresponding to your request.
 #* https://bugzilla.mozilla.org/enter_bug.cgi
-#* Product: NSS
+#* Product: CA Program
 #* Component: CA Certificate Root Program
-#* Severity: enhancement
+#* Type: task
 #* Summary: Add [your CA's name] root certificate(s)
-#* Do NOT select the check boxes to restrict visibility, such as making it confidential or marking it as a security bug. All information that is submitted for root inclusion and update requests must be publicly available.
+#* Do NOT select the checkboxes to restrict visibility, such as making it confidential or marking it as a security bug. All information that is submitted for root inclusion and update requests must be publicly available.
-# Provide all of the information that is listed in the [[CA/Information_Checklist|CA Information Checklist.]] This may be done by adding comments and attachments after the bug has been created.
+# Provide all [[CA/Information_Checklist|required information.]]
-#* This file lists the information that the CA must provide: [[File:CAInformationExample.pdf|CAInformation.pdf]]
+#* If your CA does not yet have access to the CCADB, then you may request access here: https://ccadb.org/cas/request-access
+#* '''[[CA/Information_Checklist#Create_a_Root_Inclusion_Case|Create a Root Inclusion Case in the CCADB]]''' - [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example]
+#* IMPORTANT: Whenever you update data in your Root Inclusion Case in the CCADB, be sure to add a comment to your Bugzilla Bug to let folks know about the new/updated information.
 # Watch for email from bugzilla-daemon@mozilla.org containing additional requests for information.
 #* It is recommended that you add bugzilla-daemon@mozilla.org to your email contacts so that notifications of updates to your bug don't get filtered into your SPAM folder.
+IMPORTANT: Note that all information submitted to our Bugzilla system is publicly available to anyone on the Internet. Please do not include proprietary or confidential information in your request. If you wish to discuss confidential or sensitive matters, please do so via private email to certificates@mozilla.org. Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available.
-IMPORTANT: Note that all information submitted to our Bugzilla system is publicly available to anyone on the Internet. Please do not include proprietary or confidential information in your request. If you wish to discuss confidential or sensitive matters, please do so via private email to certificates@mozilla.org.
 == Test ==
 Here are the steps that a representative of the CA should take when asked to test that the certificate has been correctly imported and that websites work correctly.
-# Click on the test build link that is provided, choose the download file for the operating system you are using.
+# Click on the test build link that is provided, choose the download file for the operating system you are using. You only need to test on one operating system, because the root store changes will be the same across platforms.
-#* For Testing on Mac:
+#* For example, to test on Mac:
-#** Find the line with OSX that contains tc(B).
+#** Find the line with OSX that contains "OS X..." and a green B.
-#** Click the green B inside that tc(B), and the bottom part of the page will change to show more details of that build.
+#** Click the green B, and the bottom part of the page will change to show more details of that build.
-#** In the right hand colum, you see several "artifact uploaded" entries.
+#** Click on the "Job Details" tab.
-#** Scroll down that list to find "target.dmg". That's the Mac disk image that you're looking for.
+#** In the right column, you will see several "artifact uploaded" entries.
-# It is very important to ensure that you test using a fresh profile in order to make sure you really seeing the trust bits provided by the test build, rather than the trust settings that you had set manually in an application profile. For more information about using a separate profile for testing, refer to the knowledge base articles: [http://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles Profile Manager] and [http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows Creating a new Firefox profile.]
+#** Scroll down that list to find "target.dmg". That's the Mac disk image that you're looking for. Click on it to download, then follow the instructions.
-#* Using a fresh profile is the best way to test, but you can also restore the default certificate settings as described here: https://wiki.mozilla.org/CA:UserCertDB#How_To_Restore_Default_Root_Certificate_Settings
+# It is very important to ensure that you test using a fresh profile, which can be done using either of the following approaches:
-# When you restart Firefox, be sure to use the test build that you just downloaded and installed. It will have a different name, like "Nightly" or such.
+#* [https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings Refresh Firefox button] -- Recommended way to restore the security certificate settings.
-#* If you are running Mac OS X 10.8 Mountain Lion, OS X, you may need to [https://it.uoregon.edu/fix-security-settings change the Gatekeeper settings] to allow 3rd party apps to be run. For details see {{Bug|1090459}}.
+#* [http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows Create a new Firefox profile.]
-#* If you are running Mac OS 10.12 Sierra or later, Apple removed the user interface for running unsigned applications. So, you can test the try build by opening a Terminal window (Applications->Utilities->Terminal.app) and typing: "sudo spctl --master-disable". You will have to enter your system password. Be sure to type "sudo spctl --master-enable" when you are done, to reset back to the regular protection. For details see {{Bug|1352203}}.
+#* For more information about using a separate profile for testing, refer to the knowledge base articles:
+#** [http://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles Profile Manager]
+#** [https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean#w_corrupted-certificate-store Manually restore the security certificate settings] -- only perform as last resort.
+# When you restart Firefox, be sure to use the test build that you just downloaded and installed. It will have a different name, like "Nightly".
+#* If you are testing on a Mac OS you may need to:
+#** [https://it.uoregon.edu/fix-security-settings Change the Gatekeeper settings] to allow 3rd party apps to be run. For details see {{Bug|1090459}}.
+#** Open a Terminal window (Applications->Utilities->Terminal.app) and type: "sudo spctl --master-disable". You will have to enter your system password. Be sure to type "sudo spctl --master-enable" when you are done, to reset back to the regular protection. For details see {{Bug|1352203}}.
 # Check that your root certificate is included and the trust bits set correctly.
 #* Open the Options/Preferences window:
-#** On Mac: Pull down the Firefox menu (or name of the test build, e.g Nightly) and select Preferences...
+#** Pull down the Firefox menu (or name of the test build, e.g Nightly) and select Preferences...
 #* Select Privacy & Security
 #* Scroll down to the 'Certificates ' section
@@ Line 45: / Line 52: @@
 #* Select Authorities
 #* Find your root certificate and confirm that it is marked as "Builtin Object Token" in the Security Device column.
-#* Click on your root certificate to highlight it, then click on “Edit Trust…”  to verify that the correct trust bits are checked.
+#* Click on your root certificate to highlight it, then click on "View..." to confirm the correct certificates (check Serial Number and Fingerprints), and then “Edit Trust…”  to verify that the correct trust bits are checked.
-# Browse to websites that have SSL certs that chain up to this root cert. The appropriate UI should appear indicating it is a secure website. Click on the lock and View Certificate, to see details.
+# Browse to websites that have TLS server certificates that chain up to this root cert. The appropriate UI should appear indicating it is a secure website. Click on the lock to view certificate details (">", "More Information", "View Certificate").
+#* Note: EV-enablement is done in a separate bug, after the root has been included. So you will not see EV treatment during this testing.
 # Comment in the bug to indicate your testing results.
-Note: EV-enablement is done in a separate bug, after the root has been included.
 == Common CA Database ==
@@ Line 56: / Line 62: @@
 CAs are required to:
 * Annually provide public-facing statement(s) of attestation of their conformance to the stated verification requirements.
-* Notify Mozilla when its policies and business practices change in regards to verification procedures for issuing certificates, when the [[CA:RootTransferPolicy|ownership control of the CA’s certificate(s) changes]], or when ownership control of the CA’s operations changes.
+* Notify Mozilla when its policies and business practices change in regard to verification procedures for issuing certificates, when the [[CA:RootTransferPolicy|ownership control of the CA’s certificate(s) changes]], or when ownership control of the CA’s operations changes.
 * Ensure that Mozilla has their current [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|contact information]].
-Additionally, CAs must maintain their data in the [http://ccadb.org/ Common CA Database] about:
+Additionally, CAs must maintain their data in the [https://ccadb.org Common CA Database] about:
-* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained via EKU and name constraints.
+* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained via EKU.
-* Revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not technically constrained via EKU and name constraints.
+* Revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not technically constrained via EKU.