CA Program

Case Information

Root Inclusion For Example CA Owner
Link to Bugzilla Bug
Case Number
Case Record Type
CA Root Inclusion Request
CA Owner/Certificate Name
Example CA Owner
Request Status
Initial Request Received

CA Address Information

Zip/Postal Code

General information about CA's associated organization

CA Email Alias 1
CA Owner Information Verified?
Not Verified
Company Website
https://URL to company website
Organizational Type
Geographic Focus
Country or geographic region where CA typically sells certs.
Primary Market / Customer Base
Which types of customers does the CA serve?
Are there particular vertical market segments in which it operates?
Does the CA focus its activities on a particular country or other geographic region?
Recognized CAA Domains
Domain names that the CA recognizes in Certification Authority Authorization (CAA) "issue" and "issuewild" records as permitting it to issue. Comma-separated list.
Problem Reporting Mechanism
An email address (that the CA closely monitors) for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates.

Audit Statements

Auditor Verified?
Not Verified
Auditor Location
Standard Audit Statement (Link)
Standard Audit Verified?
Not Verified
Standard Audit Type
Standard Audit Deviation
Standard Audit Statement Date
Standard Audit Comments
Standard Audit Period Start Date
Standard Audit ALV Comments
Standard Audit Period End Date
BR Audit Statement (Link)
BR Audit Verified?
Not Verified
BR Audit Type
BR Audit Deviation
BR Audit Statement Date
BR Audit Comments
BR Audit Period Start Date
BR Audit ALV Comments
BR Audit Period End Date
EV SSL Audit Statement (Link)
EV SSL Audit Verified?
Not Verified
EV SSL Audit Type
EV SSL Audit Deviation
EV SSL Audit Statement Date
EV SSL Audit Comments
EV SSL Audit Period Start Date
EV SSL Audit ALV Comments
EV SSL Audit Period End Date

Policy Documents

Document Repository
URL to where policy and practice documents can be found on the CA's website.
Document Repository Description
Information about the CA's relevant documentation, such as the primary language the documents are provided in and which languages the documents are translated into.
According to Mozilla’s Root Store Policy, the CP/CPS documents must be publicly disclosed, available on the CA’s official website, reviewed and updated at least once every year, and translated into English.

Policy Document Record # 1

Document Type
Document Verified?
Not Verified
Document Last Updated Date
Associated Trust Bits
Secure Email; Server Authentication
Policy Identifiers
Additional Policy Identifiers;
Associated Root Certificates

Policy Document Record # 2

Document Type
Document Verified?
Not Verified
Document Last Updated Date
Associated Trust Bits
Secure Email; Server Authentication
Policy Identifiers
Additional Policy Identifiers;
Associated Root Certificates

Required and Recommended Practices

BR Self Assessment -- URL to the CA's latest BR Self Assessment
Required Practices
Required Practices Verified?
Not Verified
CA's Response to Required Practices
CP/CPS section numbers addressing each of the items listed in
1. Publicly Available CP and CPS:
1.1 Revision Table, updated annually:
1.2 CAA Domains listed in CP/CPS:
1.3 BR Commitment to Comply statement in CP/CPS:
1.4 CP/CPS Structured According to RFC 3647, appropriate use of 'No Stipulation':
2. Audit Criteria:
2.1 Complete Audit History:
Root key generation report, any point in time audits, all period of time audits
3. Revocation of Compromised Certificates:
4. Verifying Domain Name Ownership:
4.1 Baseline Requirements:
4.2 WHOIS:
4.3 Email Challenge-Response:
5. Verifying Email Address Control:
6. DNS names go in SAN:
7. OCSP:
- OCSP SHALL NOT respond "Good" for unissued certs:
8. Network Security Controls:

Forbidden and Potentially Problematic Practices

Forbidden Practices
Forbidden Practices Verified?
Not Verified
CA's Response to Forbidden Practices
CP/CPS section numbers addressing each of the items listed in
1. Long-lived Certificates:
2. Non-Standard Email Address Prefixes for Domain Ownership Validation:
3. Issuing End Entity Certificates Directly From Roots:
4. Distributing Generated Private Keys in PKCS#12 Files:
5. Certificates Referencing Local Names or Private IP Addresses:
6. Issuing SSL Certificates for .int Domains:
7. OCSP Responses Signed by a Certificate Under a Different Root:
8. Issuance of SHA-1 Certificates:
9. Delegation of Domain / Email Validation to Third Parties:

Root Case Record # 1

Root Case Information

Root Certificate Name
Example Root Case
Root Case No
Request Status
Initial Request Received
Case Number

Certificate Data Extracted from PEM

Valid From
Valid To
Certificate Serial Number
SHA-1 Fingerprint
SHA-256 Fingerprint
Signature Hash Algorithm
Public Key Algorithm
Subject + SPKI SHA256

Audits that apply to this Root Certificate

Standard Audit
Applicable Audits Verified?
Not Verified
BR Audit
Not Checked
EV SSL Audit
Not Checked

Application Information

Explain why this root cert needs to be included in the root store, rather than being signed by another CA’s root certificate that is already included.
Application Information Verified?
Not Verified
Explain the unique function of this root, especially if requesting inclusion of multiple roots.
Root Certificate Download URL
Public URL through which the CA certificate can be directly downloaded.

Mozilla Fields

Mozilla Trust Bits
Email; Websites
Mozilla Fields Verified?
Not Verified
SSL Validation Type
Mozilla EV Policy OID(s)
Unless the CA already has a CA-specific OID enabled in Firefox, Mozilla strongly recommends that CAs use the standard CA/Browser Forum EV OID (
Mozilla Applied Constraints
Mozilla has the ability to name constrain root certs; e.g. to *.gov or *.mil. CAs should consider if such constraints may be applied to their root certs.

CA Hierarchy Information

Cross-Signed by another Root Cert?
Not Checked
PKI Hierarchy Verified?
Not Verified
Has Externally Operated SubCAs?
Not Checked
CP/CPS allows Ext Operated SubCAs?
Not Checked
Has External Registration Authorities?
Not Checked
CP/CPS allows External RAs?
Not Checked
Description of PKI Hierarchy
URL and/or Description of this PKI Hierarchy.
Provide details related to any of the check-boxes above that are selected.

Add records for the existing intermediate certs to the CCADB as described here:

If Mozilla accepts and includes your root certificate, then we have to assume that we also accept any of your future sub-CAs and their sub-CAs. Therefore, the selection criteria for your sub-CAs and their sub-CAs will be a critical decision factor, as will the documentation and auditing of operations requirements that you place on your sub-CAs and their sub-CAs.

If this root has any subordinate CA certificates that are operated by external third parties, then provide the information listed in the Subordinate CA Checklist in a separate document.
Constraints on External SubCAs and RAs
Describe constraints on external subordinate CAs and RAs.

As per section 5.3 of Mozilla's Root Store Policy, provide the required data for all of your non-technically-constrained subordinate CA certificates that chain up to this root certificate.
This data may be provided as follows:
- If your CA has access to the CCADB, then you may provide this information directly in the CCADB.
- Otherwise, provide this information in your Bugzilla Bug.

Test Websites or Example Cert

Test Website - Valid
Test Websites Verified?
Not Verified
Test Website - Expired
Test Website - Revoked
Test Notes
If not requesting the Websites trust bit, then provide an example cert that chains up to this root. If requesting the Websites trust bit, provide 3 URLs to 3 test websites (valid, expired, revoked) whose TLS/SSL cert chains up to this root. Make sure you test your three ‘Test Websites’ in Firefox by importing the root cert: SSL servers are expected to send out the intermediate CA certificates together with their own certificates. Certificate authorities MUST advise their subscribers that all intermediate certificates should be installed in the servers containing the dependent subscriber certificates.

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested
Test with make sure there aren't any errors.
Test Results Verified?
Not Verified
CA/Browser Forum Lint Test
Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate any of the CA/Browser Forum Baseline Requirements (BRs). BR Lint Test: Mozilla will check that the CA is not issuing certificates that violate any of the BRs by using on the root and subordinate CAs via:<CA ID>&opt=cablint,zlint,x509lint&minNotBefore=2014-01-01 and/or The Lint tests in
Test Website Lint Test
Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate the X.509 rules. X.509 Lint Test: -- Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above.
EV Tested
If EV treatment is being requested, then provide successful output from EV Testing as described here