CA:SalesforceCommunity: Difference between revisions

Change occurrence of CA Community in Salesforce to CCADB
m (added link)
(Change occurrence of CA Community in Salesforce to CCADB)
Line 1: Line 1:
= CA Community in Salesforce =
= Common CA Database =
[[CA:Overview|Mozilla's CA Program]] has its own instance of [https://www.salesforce.com/products/ Salesforce] for managing the CA Program data.  
[[CA:Overview|Mozilla's CA Program]] has its own instance of [https://www.salesforce.com/products/ Salesforce] for managing the CA Program data. This is referred to as the Common CA Database (CCADB), and is also known as the CA Community in Salesforce.


The [https://www.salesforce.com/communities/features/ Salesforce CA Community] enables CAs to directly provide the data for all of the [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|publicly disclosed and audited subordinate CAs]] chaining up to root certificates in Mozilla's program, and to also directly provide data about their [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|revoked intermediate certificates]]. A [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for each [[CA:IncludedCAs|included CA]] will be given a [https://www.salesforce.com/communities/features/ Salesforce CA Community]license, so that each of the CAs in Mozilla's program can input, access, and update their intermediate certificate data directly in SalesForce.  
The CCADB enables CAs to directly provide the data for all of the [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|publicly disclosed and audited subordinate CAs]] chaining up to root certificates in Mozilla's program, and to also directly provide data about their [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|revoked intermediate certificates]]. A [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for each [[CA:IncludedCAs|included CA]] will be given a [https://www.salesforce.com/communities/features/ Salesforce CA Community]license, so that each of the CAs in Mozilla's program can input, access, and update their intermediate certificate data directly in SalesForce.  


Mozilla plans to add automation that will use the intermediate certificate data in Salesforce to create a [https://en.wikipedia.org/wiki/Whitelist whitelist] of non-technically-constrained intermediate certificates chaining up to root certificates in Mozilla's program. Mozilla also plans to add automation to use the revoked intermediate certificate data in Salesforce to update [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL].
Mozilla plans to add automation that will use the intermediate certificate data in Salesforce to create a [https://en.wikipedia.org/wiki/Whitelist whitelist] of non-technically-constrained intermediate certificates chaining up to root certificates in Mozilla's program. Mozilla also plans to add automation to use the revoked intermediate certificate data in Salesforce to update [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL].
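Review bot: the rename is incomplete within this hunk. The automation paragraph on the right-hand side still says "intermediate certificate data in Salesforce" and "revoked intermediate certificate data in Salesforce", so it should read "in the CCADB" to match the new introduction. The introduction itself keeps two pre-existing defects: "Salesforce CA Community]license" is missing the space before "license", and "directly in SalesForce" uses a capital F while every other mention is "Salesforce". Suggest "[https://www.salesforce.com/communities/features/ Salesforce CA Community] license" and "directly in the CCADB".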
Line 9: Line 9:


== CA Responsibilities ==
== CA Responsibilities ==
With respect to the CA Community in Salesforce, here is what Mozilla requires of CAs:
With respect to the Common CA Database (CCADB), here is what Mozilla requires of CAs:
# [[CA:SalesforceCommunity#Login_to_CA_Community_in_Salesforce|Login to the CA Community in Salesforce]] on a regular basis to ensure that the information for your CA is current and accurate.
# [[CA:SalesforceCommunity#Login_to_CA_Community_in_Salesforce|Login to the CCADB]] on a regular basis to ensure that the information for your CA is current and accurate.
#* CAs must enter the data corresponding to their [[CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F|non-technically-constrained intermediate certificates]] before those intermediate certificates begin issuing publicly-trusted certificates. See details below.
#* CAs must enter the data corresponding to their [[CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F|non-technically-constrained intermediate certificates]] before those intermediate certificates begin issuing publicly-trusted certificates. See details below.
#* If information about a root certificate needs to be updated, the CA should contact the corresponding root store operator, because only root store operators may [[CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify|modify root certificate data]] in the CA Community in Salesforce.
#* If information about a root certificate needs to be updated, the CA should contact the corresponding root store operator, because only root store operators may [[CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify|modify root certificate data]] in the CCADB.
#* If contact information needs to be updated, the CA should contact one of the participating root store operators, because only root store operators may [[CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify|modify contact data]] in the CA Community in Salesforce.
#* If contact information needs to be updated, the CA should contact one of the participating root store operators, because only root store operators may [[CA:SalesforceCommunity#Data_that_CAs_can_Add.2FModify|modify contact data]] in the CCADB.
# CAs must '''enter and maintain''' the records corresponding to their non-technically-constrained intermediate certificates as described in this page.
# CAs must '''enter and maintain''' the records corresponding to their non-technically-constrained intermediate certificates as described in this page.
#* [[CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F|Which intermediate certificates to add]]
#* [[CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F|Which intermediate certificates to add]]
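Review bot: the first numbered item links to "[[CA:SalesforceCommunity#Login_to_CA_Community_in_Salesforce|Login to the CCADB]]", but this same revision renames that heading to "= Login to Common CA Database =", so the anchor will no longer resolve unless it is changed to "#Login_to_Common_CA_Database" or the old anchor is preserved on the heading. The "#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F" and "#Data_that_CAs_can_Add.2FModify" links have the same exposure if those headings are renamed as well. Minor: "Login to" used as a verb should be "Log in to".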
Line 27: Line 27:
A [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for each [[CA:IncludedCAs|included CA]] will be given a [https://www.salesforce.com/communities/features/ Salesforce CA Community]license. We plan to roll this out to all [[CA:IncludedCAs|included CAs]] by the end of December, 2015. After December, 2015, if you believe that you should have a Salesforce CA Community license but you have not received one, then please send email to [mailto:certificates@mozilla.org certificates@mozilla.org] with your name and the name of the CA you represent.
A [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for each [[CA:IncludedCAs|included CA]] will be given a [https://www.salesforce.com/communities/features/ Salesforce CA Community]license. We plan to roll this out to all [[CA:IncludedCAs|included CAs]] by the end of December, 2015. After December, 2015, if you believe that you should have a Salesforce CA Community license but you have not received one, then please send email to [mailto:certificates@mozilla.org certificates@mozilla.org] with your name and the name of the CA you represent.


= Login to CA Community in Salesforce =
= Login to Common CA Database =
# https://mozillacacommunity.force.com/
# https://mozillacacommunity.force.com/
# Enter your Username; the email address for which your Community User License was issued
# Enter your Username; the email address for which your Community User License was issued
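Review bot: the heading change to "= Login to Common CA Database =" alters the section anchor that the CA Responsibilities list relies on ("#Login_to_CA_Community_in_Salesforce"); update those links in the same revision or keep the old anchor. The unchanged preceding paragraph still has "Salesforce CA Community]license" without a space. In the login steps, "Enter your Username; the email address for which your Community User License was issued" should use a colon rather than a semicolon: "Enter your Username: the email address for which ...".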
Line 35: Line 35:
If you are the [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for an [[CA:IncludedCAs|included CA]], you may [[CA:SalesforceCommunity#Request_a_license|request a CA Community Salesforce license]] or request that your password be reset by following the instructions [[CA:SalesforceCommunity#Request_a_license|above]].
If you are the [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for an [[CA:IncludedCAs|included CA]], you may [[CA:SalesforceCommunity#Request_a_license|request a CA Community Salesforce license]] or request that your password be reset by following the instructions [[CA:SalesforceCommunity#Request_a_license|above]].


= Navigate the CA Community in Salesforce =
= Navigate the Common CA Database =
Upon initial login you will see a row with three tabs:
Upon initial login you will see a row with three tabs:
# CA Owners/Certificates
# CA Owners/Certificates
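Review bot: the sentence "you may [[CA:SalesforceCommunity#Request_a_license|request a CA Community Salesforce license]]" is left unchanged and now mixes the old name with the new CCADB wording used elsewhere in this revision; suggest "request a CCADB (Salesforce CA Community) license" for consistency. Renaming the heading to "= Navigate the Common CA Database =" also changes its anchor, so any existing "#Navigate_the_CA_Community_in_Salesforce" links need checking, although none appear in the visible hunks.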
Line 78: Line 78:
* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy].
** Including every intermediate certificate (chaining up to a root certificate in Mozilla's program with the Websites trust bit enabled) that is not [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings.
** Including every intermediate certificate (chaining up to a root certificate in Mozilla's program with the Websites trust bit enabled) that is not [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings.
** Intermediate certificates are considered to be technically constrained, and do not need to be added to the CA Community in Salesforce if:
** Intermediate certificates are considered to be technically constrained, and do not need to be added to the CCADB if:
*** The intermediate certificate has the Extended Key Usage (EKU) extension and the EKU does '''not''' include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth; or
*** The intermediate certificate has the Extended Key Usage (EKU) extension and the EKU does '''not''' include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth; or
*** The EKU extension in the intermediate certificate includes the anyExtendedKeyUsage or id-kp-serverAuth KeyPurposeIds, '''and''' the intermediate certificate includes the Name Constraints extension as described in section 7.1.5 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements]; or
*** The EKU extension in the intermediate certificate includes the anyExtendedKeyUsage or id-kp-serverAuth KeyPurposeIds, '''and''' the intermediate certificate includes the Name Constraints extension as described in section 7.1.5 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum's Baseline Requirements]; or
Line 86: Line 86:


When the '''same exact intermediate certificate''' chains up to two included root certificates, the certificate data only needs to be included in Salesforce once.
When the '''same exact intermediate certificate''' chains up to two included root certificates, the certificate data only needs to be included in Salesforce once.
* For root certificate (rootA) that is cross-signed by another included root certificate (rootB) that has the Websites trust bit enabled, the intermediate certificates chaining up to rootA only need to be entered into the CA Community in Salesforce once.
* For root certificate (rootA) that is cross-signed by another included root certificate (rootB) that has the Websites trust bit enabled, the intermediate certificates chaining up to rootA only need to be entered into the CCADB once.
** The cross-certificates for rootA that are signed by rootB must be entered into Salesforce such that their records chain up to rootB.
** The cross-certificates for rootA that are signed by rootB must be entered into Salesforce such that their records chain up to rootB.
** If rootA is included and has the Websites trust bit enabled, then its intermediate certificates should be entered into Salesforce such that their records chain directly to rootA.
** If rootA is included and has the Websites trust bit enabled, then its intermediate certificates should be entered into Salesforce such that their records chain directly to rootA.
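Review bot: the rename stops at the first bullet. The lead sentence ("the certificate data only needs to be included in Salesforce once") and both sub-bullets ("must be entered into Salesforce such that their records chain up to rootB", "should be entered into Salesforce such that their records chain directly to rootA") still say Salesforce while the bullet between them now says CCADB; apply the same replacement to all four. Minor: "For root certificate (rootA)" is missing its article: "For a root certificate (rootA)".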
Line 232: Line 232:
If the revocation of an intermediate certificate is due to a security concern, send email to security@mozilla.org. Otherwise, currently the way to notify Mozilla of an intermediate certificate revocation is to [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates submit a bug report] into the mozilla.org Bugzilla system.
If the revocation of an intermediate certificate is due to a security concern, send email to security@mozilla.org. Otherwise, currently the way to notify Mozilla of an intermediate certificate revocation is to [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates submit a bug report] into the mozilla.org Bugzilla system.


In the future we plan to use the CA Community in Salesforce to track revocation of intermediate certificates. We plan to provide an automated system that will verify the revocation and take the appropriate action to get the intermediate certificate added to OneCRL. For now we ask CAs to provide both a Bugzilla Bug and enter the data into Salesforce.
In the future we plan to use the CCADB to track revocation of intermediate certificates. We plan to provide an automated system that will verify the revocation and take the appropriate action to get the intermediate certificate added to OneCRL. For now we ask CAs to provide both a Bugzilla Bug and enter the data into Salesforce.


The best way to add revoked intermediate certificate data to Salesforce is to first add the [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce|intermediate certificate record]], and then mark the record as Revoked. This is the way all intermediate certificate revocations must be entered unless the certificate was [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings.
The best way to add revoked intermediate certificate data to Salesforce is to first add the [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce|intermediate certificate record]], and then mark the record as Revoked. This is the way all intermediate certificate revocations must be entered unless the certificate was [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings.


To add a revoked intermediate certificate, or to mark an intermediate certificate in an existing record as revoked:
To add a revoked intermediate certificate, or to mark an intermediate certificate in an existing record as revoked:
# [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce|Add the intermediate certificate]] to the CA Community in Salesforce, if it has not already been added
# [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce|Add the intermediate certificate]] to the CCADB, if it has not already been added
#* Search for the root certificate that signed the revoked intermediate certificate
#* Search for the root certificate that signed the revoked intermediate certificate
#* Click on the "New Intermediate Cert" button at the top of the page showing the root certificate information
#* Click on the "New Intermediate Cert" button at the top of the page showing the root certificate information
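Review bot: same partial rename here. The paragraph now opens "we plan to use the CCADB to track revocation of intermediate certificates" but ends "enter the data into Salesforce", and the following paragraph still begins "The best way to add revoked intermediate certificate data to Salesforce". Both should say CCADB to match the changed sentence. The numbered step links to "#Add_Intermediate_Certificate_Data_to_Salesforce"; if that heading is renamed in a later hunk, this anchor (and the one in the preceding paragraph) must be updated too.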