Mozilla

CA Program

Case Information

Subject
Root Inclusion For Example CA Owner
Link to Bugzilla Bug
Case Number
00000341
Case Record Type
CA Root Inclusion Request
CA Owner/Certificate Name
Example CA Owner
Request Status
Initial Request Received

CA Address Information

Street
City
State/Province
Zip/Postal Code
Country

General information about CA's associated organization

CA Email Alias 1
 
CA Owner Information Verified?
Not Verified
Company Website
https://URL to company website
Organizational Type
 
Geographic Focus
Country or geographic region where CA typically sells certs.
Primary Market / Customer Base
Which types of customers does the CA serve?
Are there particular vertical market segments in which it operates?
Does the CA focus its activities on a particular country or other geographic region?
Recognized CAA Domains
Domain names that the CA recognizes in Certification Authority Authorization (CAA) "issue" and "issuewild" records as permitting it to issue. Comma-separated list.
Problem Reporting Mechanism
An email address (that the CA closely monitors) for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates.

CP/CPS and Audit Statements

Policy Documentation
Information about the CA's relevant documentation, such as the primary language the documents are provided in and which languages the documents are translated into.
According to Mozilla’s Root Store Policy, the CP/CPS documents must be publicly disclosed, available on the CA’s official website, reviewed and updated at least once every year, and translated into English.
CP/CPS Verified?
Not Verified
CA Document Repository
URL to where policy and practice documents can be found on the CA's website.
Certificate Policy (Link)
Certification Practice Statement (Link)
Other Relevant Documents
Auditor
 
Auditor Verified?
Not Verified
Auditor Location
 
Standard Audit Statement (Link)
Standard Audit Verified?
Not Verified
Standard Audit Type
 
Standard Audit Deviation
false
Standard Audit Statement Date
 
Standard Audit Comments
Standard Audit Period Start Date
 
Standard Audit ALV Comments
Standard Audit Period End Date
 
BR Audit Statement (Link)
BR Audit Verified?
Not Verified
BR Audit Type
 
BR Audit Deviation
false
BR Audit Statement Date
 
BR Audit Comments
BR Audit Period Start Date
 
BR Audit ALV Comments
BR Audit Period End Date
 
EV SSL Audit Statement (Link)
EV SSL Audit Verified?
Not Verified
EV SSL Audit Type
 
EV SSL Audit Deviation
false
EV SSL Audit Statement Date
 
EV SSL Audit Comments
EV SSL Audit Period Start Date
 
EV SSL Audit ALV Comments
EV SSL Audit Period End Date
 

Required and Recommended Practices

BR Self Assessment
https://wiki.mozilla.org/CA/BR_Self-Assessment -- URL to the CA's latest BR Self Assessment
Required Practices
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
Required Practices Verified?
Not Verified
CA's Response to Required Practices
CP/CPS section numbers addressing each of the items listed in
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
1. Publicly Available CP and CPS:
1.1 Revision Table, updated annually:
1.2 CAA Domains listed in CP/CPS:
1.3 BR Commitment to Comply statement in CP/CPS:
1.4 CP/CPS Structured According to RFC 3647, appropriate use of 'No Stipulation':
2. Audit Criteria:
2.1 Complete Audit History:
Root key generation report, any point in time audits, all period of time audits
3. Revocation of Compromised Certificates:
4. Verifying Domain Name Ownership:
4.1 Baseline Requirements:
4.2 WHOIS:
4.3 Email Challenge-Response:
5. Verifying Email Address Control:
6. DNS names go in SAN:
7. OCSP:
- OCSP SHALL NOT respond "Good" for unissued certs:
8. Network Security Controls:

Forbidden and Potentially Problematic Practices

Forbidden Practices
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
Forbidden Practices Verified?
Not Verified
CA's Response to Forbidden Practices
CP/CPS section numbers addressing each of the items listed in
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
1. Long-lived Certificates:
2. Non-Standard Email Address Prefixes for Domain Ownership Validation:
3. Issuing End Entity Certificates Directly From Roots:
4. Distributing Generated Private Keys in PKCS#12 Files:
5. Certificates Referencing Local Names or Private IP Addresses:
6. Issuing SSL Certificates for .int Domains:
7. OCSP Responses Signed by a Certificate Under a Different Root:
8. Issuance of SHA-1 Certificates:
9. Delegation of Domain / Email Validation to Third Parties:

Root Case Record # 1

Root Case Information

Root Certificate Name
Example Root Case
Root Case No
R00000691
Request Status
Initial Request Received
Case Number
00000341

Certificate Data Extracted from PEM

Subject
Issuer
Valid From
Valid To
Certificate Serial Number
SHA-1 Fingerprint
SHA-256 Fingerprint
Signature Hash Algorithm
 
Public Key Algorithm
 
SPKI SHA256
Subject + SPKI SHA256
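The fields listed above (serial number, SHA-1 and SHA-256 fingerprints, SPKI SHA256, Subject + SPKI SHA256) can be computed from a PEM file with a short standard-library script. The following is an added example, not CCADB or Mozilla code. It assumes that "Subject + SPKI SHA256" is the SHA-256 of the DER-encoded Subject name concatenated with the DER-encoded SubjectPublicKeyInfo, and it parses a certificate structure it constructs itself (placeholder key and signature bytes, not a real root) so that it runs offline.

```python
"""Compute the "Certificate Data Extracted from PEM" fingerprint fields
with the Python standard library only (added example, not CCADB code).
The sample certificate is constructed by hand with placeholder key and
signature bytes; it is well-formed X.509 but not a real, signed root."""
import base64
import hashlib
import re


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value element (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def elements(buf: bytes, start: int, end: int):
    """Yield (tag, element_start, element_end) for each child of a SEQUENCE/SET."""
    pos = start
    while pos < end:
        tag, _, val_end = read_tlv(buf, pos)
        yield tag, pos, val_end
        pos = val_end


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def extract_fields(der: bytes) -> dict:
    """Return the CCADB-style fingerprint fields for one DER certificate."""
    tag, cert_start, cert_end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate must be a SEQUENCE")
    tbs = next(elements(der, cert_start, cert_end))        # tbsCertificate
    _, tbs_start, tbs_end = read_tlv(der, tbs[1])
    parts = list(elements(der, tbs_start, tbs_end))
    if parts[0][0] == 0xA0:                                 # optional [0] version
        parts = parts[1:]
    serial, _sigalg, _issuer, _validity, subject, spki = parts[:6]
    subject_der = der[subject[1]:subject[2]]
    spki_der = der[spki[1]:spki[2]]
    _, s_start, s_end = read_tlv(der, serial[1])
    return {
        "serial": der[s_start:s_end].hex().upper(),
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": sha256_hex(der),
        "spki_sha256": sha256_hex(spki_der),
        # Assumption: Subject + SPKI SHA256 = SHA-256(subject DER || SPKI DER).
        "subject_spki_sha256": sha256_hex(subject_der + spki_der),
        "subject_der": subject_der.hex().upper(),
        "spki_der": spki_der.hex().upper(),
    }


# --- constructed sample certificate (demonstration only, not signed) -------
OID_CN = bytes.fromhex("550403")                  # id-at-commonName
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")
OID_RSA = bytes.fromhex("2A864886F70D010101")


def name(cn: str) -> bytes:
    """Name ::= SEQUENCE { SET { SEQUENCE { OID cn, UTF8String } } }"""
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))


def build_sample_cert_der() -> bytes:
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + b"\x42" * 64))         # placeholder key bits
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name("Example Root") + validity + name("Example Root") + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 65))   # placeholder signature


def build_sample_cert_pem() -> str:
    b64 = base64.b64encode(build_sample_cert_der()).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for key, value in extract_fields(pem_to_der(build_sample_cert_pem())).items():
        print(f"{key}: {value}")
```

For a real root, replace the sample with `pem_to_der(open("root.pem").read())`; the `sha1` and `sha256` values then match what `openssl x509 -noout -fingerprint -sha256 -in root.pem` prints (without the colons), which is a quick way to confirm the values entered in the form.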

Audits that apply to this Root Certificate

Standard Audit
Checked
Applicable Audits Verified?
Not Verified
BR Audit
Not Checked
EV SSL Audit
Not Checked

Application Information

Explanation
Explain why this root cert needs to be included in the root store, rather than being signed by another CA’s root certificate that is already included.
Application Information Verified?
Not Verified
Role
Explain the unique function of this root, especially if requesting inclusion of multiple roots.
Root Certificate Download URL
Public URL through which the CA certificate can be directly downloaded.

Mozilla Fields

Mozilla Trust Bits
Email; Websites
Mozilla Fields Verified?
Not Verified
SSL Validation Type
DV; OV; EV
Mozilla EV Policy OID(s)
2.23.140.1.1
https://wiki.mozilla.org/CA/EV_Processing_for_CAs
Unless the CA already has a CA-specific OID enabled in Firefox, Mozilla strongly recommends that CAs use the standard CA/Browser Forum EV OID (2.23.140.1.1).
Mozilla Applied Constraints
Mozilla has the ability to name constrain root certs; e.g. to *.gov or *.mil. CAs should consider if such constraints may be applied to their root certs.

CA Hierarchy Information

Cross-Signed by another Root Cert?
Not Checked
PKI Hierarchy Verified?
Not Verified
Has Externally Operated SubCAs?
Not Checked
CP/CPS allows Ext Operated SubCAs?
Not Checked
Has External Registration Authorities?
Not Checked
CP/CPS allows External RAs?
Not Checked
Description of PKI Hierarchy
URL and/or Description of this PKI Hierarchy.
Provide details related to any of the check-boxes above that are selected.

Add records for the existing intermediate certs to the CCADB as described here:
https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data

If Mozilla accepts and includes your root certificate, then we have to assume that we also accept any of your future sub-CAs and their sub-CAs. Therefore, the selection criteria for your sub-CAs and their sub-CAs will be a critical decision factor, as will the documentation and auditing requirements that you place on the operations of your sub-CAs and their sub-CAs.

If this root has any subordinate CA certificates that are operated by external third parties, then provide the information listed in the Subordinate CA Checklist in a separate document.
https://wiki.mozilla.org/CA/Subordinate_CA_Checklist
Constraints on External SubCAs and RAs
Describe constraints on external subordinate CAs and RAs.

As per section 5.3 of Mozilla's Root Store Policy, provide the required data for all of your non-technically-constrained subordinate CA certificates that chain up to this root certificate.
This data may be provided as follows:
- If your CA has access to the CCADB, then you may provide this information directly in the CCADB.
- Otherwise, provide this information in your Bugzilla Bug.

Test Websites or Example Cert

Test Website - Valid
Test Websites Verified?
Not Verified
Test Website - Expired
Test Website - Revoked
Test Notes
If not requesting the Websites trust bit, then provide an example cert that chains up to this root. If requesting the Websites trust bit, provide 3 URLs to 3 test websites (valid, expired, revoked) whose TLS/SSL cert chains up to this root. Make sure you test your three ‘Test Websites’ in Firefox by importing the root cert: https://wiki.mozilla.org/PSM:Changing_Trust_Settings#Trusting_an_Additional_Root_Certificate
SSL servers are expected to send out the intermediate CA certificates together with their own certificates. Certificate authorities MUST advise their subscribers that all intermediate certificates should be installed in the servers containing the dependent subscriber certificates.

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested
Test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.
Test Results Verified?
Not Verified
CA/Browser Forum Lint Test
Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate any of the CA/Browser Forum Baseline Requirements (BRs).
BR Lint Test: https://github.com/awslabs/certlint
Mozilla will check that the CA is not issuing certificates that violate any of the BRs by using crt.sh on the root and subordinate CAs via:
https://crt.sh/?caid=<CA ID>&opt=cablint,zlint,x509lint&minNotBefore=2014-01-01
and/or the Lint tests in https://crt.sh/?a=1
Test Website Lint Test
Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate the X.509 rules.
X.509 Lint Test: https://github.com/kroeckx/x509lint
https://wiki.mozilla.org/CA:TestErrors -- Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above.
EV Tested
If EV treatment is being requested, then provide successful output from EV Testing as described here: https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version