Confirmed users
518
edits
CA/Application Instructions: Difference between revisions
m
Minor changes
(added clarification) |
m (Minor changes) |
||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 8: | Line 8: | ||
#* Note that you must supply an email address when creating an account; this address will be made public, and will be used for communications, related to your request. | #* Note that you must supply an email address when creating an account; this address will be made public, and will be used for communications, related to your request. | ||
#* Be sure to use an email address that you regularly monitor, because all communication regarding the request will be sent to this email address. | #* Be sure to use an email address that you regularly monitor, because all communication regarding the request will be sent to this email address. | ||
# [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product= | # [https://bugzilla.mozilla.org/enter_bug.cgi?&component=CA%20Certificate%20Root%20Program&product=CA%20Program&short_desc=Add%20%5Byour%20CA%27s%20name%5D%20root%20certificate%28s%29 Create a new bug report] corresponding to your request. | ||
#* https://bugzilla.mozilla.org/enter_bug.cgi | #* https://bugzilla.mozilla.org/enter_bug.cgi | ||
#* Product: | #* Product: CA Program | ||
#* Component: CA Certificate Root Program | #* Component: CA Certificate Root Program | ||
#* Type: task | #* Type: task | ||
#* Summary: Add [your CA's name] root certificate(s) | #* Summary: Add [your CA's name] root certificate(s) | ||
#* Do NOT select the | #* Do NOT select the checkboxes to restrict visibility, such as making it confidential or marking it as a security bug. All information that is submitted for root inclusion and update requests must be publicly available. | ||
# Provide all | # Provide all [[CA/Information_Checklist|required information.]] | ||
#* If your CA does not yet have access to the CCADB, then you may request access here: https://ccadb.org/cas/request-access | #* If your CA does not yet have access to the CCADB, then you may request access here: https://ccadb.org/cas/request-access | ||
#* '''[[CA/Information_Checklist#Create_a_Root_Inclusion_Case|Create a Root Inclusion Case in the CCADB]]''' - [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example] | #* '''[[CA/Information_Checklist#Create_a_Root_Inclusion_Case|Create a Root Inclusion Case in the CCADB]]''' - [https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000341 Example] | ||
| Line 54: | Line 53: | ||
#* Find your root certificate and confirm that it is marked as "Builtin Object Token" in the Security Device column. | #* Find your root certificate and confirm that it is marked as "Builtin Object Token" in the Security Device column. | ||
#* Click on your root certificate to highlight it, then click on "View..." to confirm the correct certificates (check Serial Number and Fingerprints), and then “Edit Trust…” to verify that the correct trust bits are checked. | #* Click on your root certificate to highlight it, then click on "View..." to confirm the correct certificates (check Serial Number and Fingerprints), and then “Edit Trust…” to verify that the correct trust bits are checked. | ||
# Browse to websites that have | # Browse to websites that have TLS server certificates that chain up to this root cert. The appropriate UI should appear indicating it is a secure website. Click on the lock to view certificate details (">", "More Information", "View Certificate"). | ||
#* Note: EV-enablement is done in a separate bug, after the root has been included. So you will not see EV treatment during this testing. | #* Note: EV-enablement is done in a separate bug, after the root has been included. So you will not see EV treatment during this testing. | ||
# Comment in the bug to indicate your testing results. | # Comment in the bug to indicate your testing results. | ||
| Line 63: | Line 62: | ||
CAs are required to: | CAs are required to: | ||
* Annually provide public-facing statement(s) of attestation of their conformance to the stated verification requirements. | * Annually provide public-facing statement(s) of attestation of their conformance to the stated verification requirements. | ||
* Notify Mozilla when its policies and business practices change in | * Notify Mozilla when its policies and business practices change in regard to verification procedures for issuing certificates, when the [[CA:RootTransferPolicy|ownership control of the CA’s certificate(s) changes]], or when ownership control of the CA’s operations changes. | ||
* Ensure that Mozilla has their current [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|contact information]]. | * Ensure that Mozilla has their current [[CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29|contact information]]. | ||
Additionally, CAs must maintain their data in the [ | Additionally, CAs must maintain their data in the [https://ccadb.org Common CA Database] about: | ||
* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained via EKU | * All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained via EKU. | ||
* Revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not technically constrained via EKU | * Revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not technically constrained via EKU. | ||