|Print this page|
|Subject||Root Inclusion For Example CA Owner|
|Case Number||00000341||Case Record Type||CA Root Inclusion Request|
|CA Owner/Certificate Name||Example CA Owner||Request Status||Initial Request Received|
General information about CA's associated organization
|CA Owner Information Verified?||Not Verified|
|https://URL to company website|
|Organizational Type||Private Corporation; Public Corporation; Government Agency; Commercial Organization; Non-Profit Organization; Academic Institution; Consortium; NGO|
|Geographic Focus||Country or geographic region where CA typically sells certs.|
|Primary Market / Customer Base||Which types of customers does the CA serve?
Are there particular vertical market segments in which it operates?
Does the CA focus its activities on a particular country or other geographic region?
|Recognized CAA Domains||Domain names that the CA recognizes in Certification Authority Authorization (CAA) "issue" and "issuewild" records as permitting it to issue. Comma-separated list.|
|Problem Reporting Mechanism||An email address (that the CA closely monitors) for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates.|
CP/CPS and Audit Statements
|Policy Documentation||Information about the CA's relevant documentation, such as the primary language the documents are provided in and which languages the documents are translated into.
According to Mozilla’s Root Store Policy, the CP/CPS documents must be publicly disclosed, available on the CA’s official website, reviewed and updated at least once every year, and translated into English.
|CP/CPS Verified?||Not Verified|
|CA Document Repository||URL to where policy and practice documents can be found on the CA's website.|
|Other Relevant Documents|
|Auditor||Auditor Verified?||Not Verified|
|Standard Audit Statement (Link)||Standard Audit Verified?||Not Verified|
|Standard Audit Type||Standard Audit Deviation|
|Standard Audit Statement Date||Standard Audit Comments|
|Standard Audit Period Start Date||Standard Audit ALV Comments|
|Standard Audit Period End Date|
|BR Audit Statement (Link)||BR Audit Verified?||Not Verified|
|BR Audit Type||BR Audit Deviation|
|BR Audit Statement Date||BR Audit Comments|
|BR Audit Period Start Date||BR Audit ALV Comments|
|BR Audit Period End Date|
|EV SSL Audit Statement (Link)||EV SSL Audit Verified?||Not Verified|
|EV SSL Audit Type||EV SSL Audit Deviation|
|EV SSL Audit Statement Date||EV SSL Audit Comments|
|EV SSL Audit Period Start Date||EV SSL Audit ALV Comments|
|EV SSL Audit Period End Date|
Required and Recommended Practices
|https://wiki.mozilla.org/CA/BR_Self-Assessment -- URL to the CA's latest BR Self Assessment|
|https://wiki.mozilla.org/CA/Required_or_Recommended_Practices||Required Practices Verified?||Not Verified|
|CA's Response to Required Practices||CP/CPS section numbers addressing each of the items listed in
1. Publicly Available CP and CPS:
1.1 Revision Table, updated annually:
1.2 CAA Domains listed in CP/CPS:
1.3 BR Commitment to Comply statement in CP/CPS:
1.4 CP/CPS Structured According to RFC 3647, appropriate use of 'No Stipulation':
2. Audit Criteria:
2.1 Complete Audit History:
3. Revocation of Compromised Certificates:
4. Verifying Domain Name Ownership:
4.1 Baseline Requirements:
4.3 Email Challenge-Response:
5. Verifying Email Address Control:
6. DNS names go in SAN:
- OCSP SHALL NOT respond "Good" for unissued certs:
8. Network Security Controls:
Forbidden and Potentially Problematic Practices
|https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices||Forbidden Practices Verified?||Not Verified|
|CA's Response to Forbidden Practices||CP/CPS section numbers addressing each of the items listed in
1. Long-lived Certificates:
2. Non-Standard Email Address Prefixes for Domain Ownership Validation:
3. Issuing End Entity Certificates Directly From Roots:
4. Distributing Generated Private Keys in PKCS#12 Files:
5. Certificates Referencing Local Names or Private IP Addresses:
6. Issuing SSL Certificates for .int Domains:
7. OCSP Responses Signed by a Certificate Under a Different Root:
8. Issuance of SHA-1 Certificates:
9. Delegation of Domain / Email Validation to Third Parties:
Root Case Information
|Root Certificate Name||Example Root Case||Root Case No||R00000691|
|Request Status||Initial Request Received||Case Number||00000341|
Certificate Data Extracted from PEM
|Certificate Serial Number|
|Signature Hash Algorithm|
|Public Key Algorithm|
|Subject + SPKI SHA256|
Audits that apply to this Root Certificate
|Standard Audit||Applicable Audits Verified?||Not Verified|
|EV SSL Audit|
|Explanation||Explain why this root cert needs to be included in the root store, rather than being signed by another CA’s root certificate that is already included.||Application Information Verified?||Not Verified|
|Role||Explain the unique function of this root, especially if requesting inclusion of multiple roots.|
|Public URL through which the CA certificate can be directly downloaded.|
|Mozilla Trust Bits||Email; Websites||Mozilla Fields Verified?||Not Verified|
|SSL Validation Type||DV; OV; EV|
|Mozilla EV Policy OID(s)||220.127.116.11.1
Unless the CA already has a CA-specific OID enabled in Firefox, Mozilla strongly recommends that CAs use the standard CA/Browser Forum EV OID (18.104.22.168.1).
|Mozilla Applied Constraints||Mozilla has the ability to name constrain root certs; e.g. to *.gov or *.mil. CAs should consider if such constraints may be applied to their root certs.|
CA Hierarchy Information
|Cross-Signed by another Root Cert?||PKI Hierarchy Verified?||Not Verified|
|Has Externally Operated SubCAs?|
|CP/CPS allows Ext Operated SubCAs?|
|Has External Registration Authorities?|
|CP/CPS allows External RAs?|
|Description of PKI Hierarchy||URL and/or Description of this PKI Hierarchy.
Provide details related to any of the check-boxes above that are selected.
Add records for the existing intermediate certs to the CCADB as described here:
If Mozilla accepts and includes your root certificate, then we have to assume that we also accept any of your future sub-CAs and their sub-CAs. Therefore, the selection criteria for your sub-CAs and their sub-CAs will be a critical decision factor. As well as the documentation and auditing of operations requirements that you place on your sub-CAs and their sub-CAs.
If this root has any subordinate CA certificates that are operated by external third parties, then provide the information listed in the Subordinate CA Checklist in a separate document.
|Constraints on External SubCAs & RAs||Describe constraints on external subordinate CAs and RAs.
As per section 5.3 of Mozilla's Root Store Policy, provide the required data for all of your non-technically-constrained subordinate CA certificates that chain up to this root certificate.
This data may be provided as follows:
- If your CA has access to the CCADB, then you may provide this information directly in the CCADB.
- Otherwise, provide this information in your Bugzilla Bug.
Test Websites or Example Cert
|Test Websites Verified?||Not Verified|
|If not requesting the Websites trust bit, then provide an example cert that chains up to this root. If requesting Websites trust bit provide 3 URLs to 3 test websites (valid, expired, revoked) whose TLS/SSL cert chains up to this root. Make sure you test your three ‘Test Websites’ in Firefox, by importing the root cert: https://wiki.mozilla.org/PSM:Changing_Trust_Settings#Trusting_an_Additional_Root_Certificate SSL servers are expected to send out the intermediate CA certificates together with their own certificates. Certificate authorities MUST advise their subscribers that all intermediate certificates should be installed in the servers containing the dependent subscriber certificates.|
Test Results (When Requesting the SSL/TLS Trust Bit)
|Revocation Tested||Test with http://certificate.revocationcheck.com/ make sure there aren't any errors.||Test Results Verified?||Not Verified|
|CA/Browser Forum Lint Test||Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate any of the CA/Browser Forum Baseline Requirements (BRs).
BR Lint Test: https://github.com/awslabs/certlint
Mozilla will check that the CA is not issuing certificates that violate any of the BRs by using crt.sh on the root and subordinate CAs via:
The Lint tests in https://crt.sh/?a=1
|Test Website Lint Test||Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate the X.509 rules.
X.509 Lint Test: https://github.com/kroeckx/x509lint
https://wiki.mozilla.org/CA:TestErrors -- Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above.
|EV Tested||If EV treatment is being requested, then provide successful output from EV Testing as described here