Confirmed users
518
edits
CA/Application Instructions: Difference between revisions
m
Minor changes
m (deleted superfluous text) |
m (Minor changes) |
||
| (8 intermediate revisions by 2 users not shown) | |||
| Line 8: | Line 8: | ||
#* Note that you must supply an email address when creating an account; this address will be made public, and will be used for communications, related to your request. | #* Note that you must supply an email address when creating an account; this address will be made public, and will be used for communications, related to your request. | ||
#* Be sure to use an email address that you regularly monitor, because all communication regarding the request will be sent to this email address. | #* Be sure to use an email address that you regularly monitor, because all communication regarding the request will be sent to this email address. | ||
# [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product= | # [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product=CA%20Program&short_desc=Add%20%5Byour%20CA%27s%20name%5D%20root%20certificate%28s%29 Create a new bug report] corresponding to your request. | ||
#* https://bugzilla.mozilla.org/enter_bug.cgi | #* https://bugzilla.mozilla.org/enter_bug.cgi | ||
#* Product: | #* Product: CA Program | ||
#* Component: CA Certificate Root Program | #* Component: CA Certificate Root Program | ||
#* | #* Type: task | ||
#* Summary: Add [your CA's name] root certificate(s) | #* Summary: Add [your CA's name] root certificate(s) | ||
#* Do NOT select the | #* Do NOT select the checkboxes to restrict visibility, such as making it confidential or marking it as a security bug. All information that is submitted for root inclusion and update requests must be publicly available. | ||
# Provide all | # Provide all [[CA/Information_Checklist|required information.]] | ||
#* | #* If your CA does not yet have access to the CCADB, then you may request access here: https://ccadb.org/cas/request-access | ||
#* [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example] | #* '''[[CA/Information_Checklist#Create_a_Root_Inclusion_Case|Create a Root Inclusion Case in the CCADB]]''' - [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example] | ||
#* IMPORTANT: Whenever you update data in your Root Inclusion Case in the CCADB, be sure to add a comment to your Bugzilla Bug to let folks know about the new/updated information. | |||
# Watch for email from bugzilla-daemon@mozilla.org containing additional requests for information. | # Watch for email from bugzilla-daemon@mozilla.org containing additional requests for information. | ||
#* It is recommended that you add bugzilla-daemon@mozilla.org to your email contacts so that notifications of updates to your bug don't get filtered into your SPAM folder. | #* It is recommended that you add bugzilla-daemon@mozilla.org to your email contacts so that notifications of updates to your bug don't get filtered into your SPAM folder. | ||
IMPORTANT: Note that all information submitted to our Bugzilla system is publicly available to anyone on the Internet. Please do not include proprietary or confidential information in your request. If you wish to discuss confidential or sensitive matters, please do so via private email to certificates@mozilla.org. Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available. | |||
IMPORTANT: Note that all information submitted to our Bugzilla system is publicly available to anyone on the Internet. Please do not include proprietary or confidential information in your request. If you wish to discuss confidential or sensitive matters, please do so via private email to certificates@mozilla.org. | |||
== Test == | == Test == | ||
| Line 55: | Line 53: | ||
#* Find your root certificate and confirm that it is marked as "Builtin Object Token" in the Security Device column. | #* Find your root certificate and confirm that it is marked as "Builtin Object Token" in the Security Device column. | ||
#* Click on your root certificate to highlight it, then click on "View..." to confirm the correct certificates (check Serial Number and Fingerprints), and then “Edit Trust…” to verify that the correct trust bits are checked. | #* Click on your root certificate to highlight it, then click on "View..." to confirm the correct certificates (check Serial Number and Fingerprints), and then “Edit Trust…” to verify that the correct trust bits are checked. | ||
# Browse to websites that have | # Browse to websites that have TLS server certificates that chain up to this root cert. The appropriate UI should appear indicating it is a secure website. Click on the lock to view certificate details (">", "More Information", "View Certificate"). | ||
#* Note: EV-enablement is done in a separate bug, after the root has been included. So you will not see EV treatment during this testing. | #* Note: EV-enablement is done in a separate bug, after the root has been included. So you will not see EV treatment during this testing. | ||
# Comment in the bug to indicate your testing results. | # Comment in the bug to indicate your testing results. | ||
| Line 64: | Line 62: | ||
CAs are required to: | CAs are required to: | ||
* Annually provide public-facing statement(s) of attestation of their conformance to the stated verification requirements. | * Annually provide public-facing statement(s) of attestation of their conformance to the stated verification requirements. | ||
* Notify Mozilla when its policies and business practices change in | * Notify Mozilla when its policies and business practices change in regard to verification procedures for issuing certificates, when the [[CA:RootTransferPolicy|ownership control of the CA’s certificate(s) changes]], or when ownership control of the CA’s operations changes. | ||
* Ensure that Mozilla has their current [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|contact information]]. | * Ensure that Mozilla has their current [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|contact information]]. | ||
Additionally, CAs must maintain their data in the [ | Additionally, CAs must maintain their data in the [https://ccadb.org Common CA Database] about: | ||
* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained via EKU | * All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained via EKU. | ||
* Revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not technically constrained via EKU | * Revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not technically constrained via EKU. | ||