Case: Mozilla - CA Program

Case Information

 
Subject: Root Inclusion For Example CA Owner
Case Number: 00000341
Case Record Type: CA Root Inclusion Request
CA Owner/Certificate Name: Example CA Owner
Request Status: Initial Request Received

General information about CA's associated organization

 
CA Owner Information Verified? Not Verified
https://URL to company website
Organizational Type: Private Corporation; Public Corporation; Government Agency; Commercial Organization; Non-Profit Organization; Academic Institution; Consortium; NGO
Geographic Focus: Country or geographic region where CA typically sells certs.
Primary Market / Customer Base: Which types of customers does the CA serve?
Are there particular vertical market segments in which it operates?
Does the CA focus its activities on a particular country or other geographic region?
Recognized CAA Domains: Domain names that the CA recognizes in Certification Authority Authorization (CAA) "issue" and "issuewild" records as permitting it to issue. Comma-separated list.
Problem Reporting Mechanism: An email address (that the CA closely monitors) for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates.

CP/CPS and Audit Statements

 
Policy Documentation: Information about the CA's relevant documentation, such as the primary language the documents are provided in and which languages the documents are translated into.
According to Mozilla’s Root Store Policy, the CP/CPS documents must be publicly disclosed, available on the CA’s official website, reviewed and updated at least once every year, and translated into English.
CP/CPS Verified? Not Verified
CA Document Repository: URL to where policy and practice documents can be found on the CA's website.
Other Relevant Documents:
Auditor:
Auditor Verified? Not Verified
Auditor Location:
Standard Audit Statement (Link):
Standard Audit Verified? Not Verified
Standard Audit Type:
Standard Audit Deviation: Not Checked
Standard Audit Statement Date:
Standard Audit Comments:
Standard Audit Period Start Date:
Standard Audit ALV Comments:
Standard Audit Period End Date:
BR Audit Statement (Link):
BR Audit Verified? Not Verified
BR Audit Type:
BR Audit Deviation: Not Checked
BR Audit Statement Date:
BR Audit Comments:
BR Audit Period Start Date:
BR Audit ALV Comments:
BR Audit Period End Date:
EV SSL Audit Statement (Link):
EV SSL Audit Verified? Not Verified
EV SSL Audit Type:
EV SSL Audit Deviation: Not Checked
EV SSL Audit Statement Date:
EV SSL Audit Comments:
EV SSL Audit Period Start Date:
EV SSL Audit ALV Comments:
EV SSL Audit Period End Date:

Required and Recommended Practices

 
https://wiki.mozilla.org/CA/BR_Self-Assessment -- URL to the CA's latest BR Self Assessment
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
Required Practices Verified? Not Verified
CA's Response to Required Practices: CP/CPS section numbers addressing each of the items listed in
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
1. Publicly Available CP and CPS:
1.1 Revision Table, updated annually:
1.2 CAA Domains listed in CP/CPS:
1.3 BR Commitment to Comply statement in CP/CPS:
1.4 CP/CPS Structured According to RFC 3647, appropriate use of 'No Stipulation':
2. Audit Criteria:
2.1 Complete Audit History:
3. Revocation of Compromised Certificates:
4. Verifying Domain Name Ownership:
4.1 Baseline Requirements:
4.2 WHOIS:
4.3 Email Challenge-Response:
5. Verifying Email Address Control:
6. DNS names go in SAN:
7. OCSP:
- OCSP SHALL NOT respond "Good" for unissued certs:
8. Network Security Controls:

Forbidden and Potentially Problematic Practices

 
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
Forbidden Practices Verified? Not Verified
CA's Response to Forbidden Practices: CP/CPS section numbers addressing each of the items listed in
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
1. Long-lived Certificates:
2. Non-Standard Email Address Prefixes for Domain Ownership Validation:
3. Issuing End Entity Certificates Directly From Roots:
4. Distributing Generated Private Keys in PKCS#12 Files:
5. Certificates Referencing Local Names or Private IP Addresses:
6. Issuing SSL Certificates for .int Domains:
7. OCSP Responses Signed by a Certificate Under a Different Root:
8. Issuance of SHA-1 Certificates:
9. Delegation of Domain / Email Validation to Third Parties:
Root Case Record # 1

Root Case Information

 
Root Certificate Name: Example Root Case
Root Case No: R00000691
Request Status: Initial Request Received
Case Number: 00000341

Certificate Data Extracted from PEM

 
Subject
Issuer
Certificate Serial Number
SHA-1 Fingerprint
SHA-256 Fingerprint
Signature Hash Algorithm 
Public Key Algorithm 
SPKI SHA256
Subject + SPKI SHA256

Audits that apply to this Root Certificate

 
Standard Audit: Checked
Applicable Audits Verified? Not Verified
BR Audit: Not Checked
EV SSL Audit: Not Checked

Application Information

 
Explanation: Explain why this root cert needs to be included in the root store, rather than being signed by another CA’s root certificate that is already included.
Application Information Verified? Not Verified
Role: Explain the unique function of this root, especially if requesting inclusion of multiple roots.
Public URL through which the CA certificate can be directly downloaded.

Mozilla Fields

 
Mozilla Trust Bits: Email; Websites
Mozilla Fields Verified? Not Verified
SSL Validation Type: DV; OV; EV
Mozilla EV Policy OID(s): 2.23.140.1.1
https://wiki.mozilla.org/CA/EV_Processing_for_CAs
Unless the CA already has a CA-specific OID enabled in Firefox, Mozilla strongly recommends that CAs use the standard CA/Browser Forum EV OID (2.23.140.1.1).
Mozilla Applied Constraints: Mozilla has the ability to name constrain root certs; e.g. to *.gov or *.mil. CAs should consider if such constraints may be applied to their root certs.

CA Hierarchy Information

 
Cross-Signed by another Root Cert? Not Checked
PKI Hierarchy Verified? Not Verified
Has Externally Operated SubCAs? Not Checked
CP/CPS allows Ext Operated SubCAs? Not Checked
Has External Registration Authorities? Not Checked
CP/CPS allows External RAs? Not Checked
Description of PKI Hierarchy: URL and/or Description of this PKI Hierarchy.
Provide details related to any of the check-boxes above that are selected.

Add records for the existing intermediate certs to the CCADB as described here:
https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data

If Mozilla accepts and includes your root certificate, then we have to assume that we also accept any of your future sub-CAs and their sub-CAs. Therefore, the selection criteria for your sub-CAs and their sub-CAs will be a critical decision factor, as will the documentation and auditing of operations requirements that you place on your sub-CAs and their sub-CAs.

If this root has any subordinate CA certificates that are operated by external third parties, then provide the information listed in the Subordinate CA Checklist in a separate document.
https://wiki.mozilla.org/CA/Subordinate_CA_Checklist
Constraints on External SubCAs & RAs: Describe constraints on external subordinate CAs and RAs.

As per section 5.3 of Mozilla's Root Store Policy, provide the required data for all of your non-technically-constrained subordinate CA certificates that chain up to this root certificate.
This data may be provided as follows:
- If your CA has access to the CCADB, then you may provide this information directly in the CCADB.
- Otherwise, provide this information in your Bugzilla Bug.

Test Websites or Example Cert

 
Test Websites Verified? Not Verified
If not requesting the Websites trust bit, then provide an example cert that chains up to this root. If requesting the Websites trust bit, provide 3 URLs to 3 test websites (valid, expired, revoked) whose TLS/SSL cert chains up to this root. Make sure you test your three ‘Test Websites’ in Firefox by importing the root cert:
https://wiki.mozilla.org/PSM:Changing_Trust_Settings#Trusting_an_Additional_Root_Certificate
SSL servers are expected to send out the intermediate CA certificates together with their own certificates. Certificate authorities MUST advise their subscribers that all intermediate certificates should be installed in the servers containing the dependent subscriber certificates.

Test Results (When Requesting the SSL/TLS Trust Bit)

 
Revocation Tested: Test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.
Test Results Verified? Not Verified
CA/Browser Forum Lint Test: Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate any of the CA/Browser Forum Baseline Requirements (BRs).
BR Lint Test: https://github.com/awslabs/certlint

Mozilla will check that the CA is not issuing certificates that violate any of the BRs by using crt.sh on the root and subordinate CAs via:
https://crt.sh/?caid=<CA ID>&opt=cablint,zlint,x509lint&minNotBefore=2014-01-01
and/or
The Lint tests in https://crt.sh/?a=1
Test Website Lint Test: Provide evidence that you have tested and verified that no certificates issued in this CA hierarchy violate the X.509 rules.
X.509 Lint Test: https://github.com/kroeckx/x509lint

https://wiki.mozilla.org/CA:TestErrors -- Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above.
EV Tested: If EV treatment is being requested, then provide successful output from EV Testing as described here:
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version