(cleanup) |
(Changing occurrences of Salesforce to CCADB) |
Line 1: | Line 1: | ||
= Common CA Database = | = Common CA Database = | ||
[[CA:Overview|Mozilla's CA Program]] has its own instance of [https://www.salesforce.com/products/ Salesforce] for managing the CA Program data. This is referred to as the Common CA Database (CCADB), and | [[CA:Overview|Mozilla's CA Program]] has its own instance of [https://www.salesforce.com/products/ Salesforce] for managing the CA Program data. This is referred to as the Common CA Database (CCADB), and was previously known as the CA Community in Salesforce. | ||
The CCADB enables CAs to directly provide the data for all of the [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|publicly disclosed and audited subordinate CAs]] chaining up to root certificates in Mozilla's program, and to also directly provide data about their [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|revoked intermediate certificates]]. A [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for each [[CA:IncludedCAs|included CA]] will be given a [https://www.salesforce.com/communities/features/ | The CCADB enables CAs to directly provide the data for all of the [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|publicly disclosed and audited subordinate CAs]] chaining up to root certificates in Mozilla's program, and to also directly provide data about their [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|revoked intermediate certificates]]. A [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for each [[CA:IncludedCAs|included CA]] will be given a [https://www.salesforce.com/communities/features/ CCADB] license, so that each of the CAs in Mozilla's program can input, access, and update their intermediate certificate data directly in the CCADB. | ||
Mozilla plans to add automation that will use the intermediate certificate data in | Mozilla plans to add automation that will use the intermediate certificate data in the CCADB to create a [https://en.wikipedia.org/wiki/Whitelist whitelist] of non-technically-constrained intermediate certificates chaining up to root certificates in Mozilla's program. Mozilla also plans to add automation to use the revoked intermediate certificate data in the CCADB to update [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL]. | ||
We will be publishing automatically-generated reports for the intermediate certificate data, and our goal is to make it as easy as possible for each CA to enter and maintain this data. | We will be publishing automatically-generated reports for the intermediate certificate data, and our goal is to make it as easy as possible for each CA to enter and maintain this data. | ||
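Review bot: the rename in the "Primary Point of Contact" sentence changed only the link label, so [https://www.salesforce.com/communities/features/ CCADB] now reads as a link to the CCADB while its target is still the Salesforce Communities feature page; either keep the label descriptive of the target (for example "Salesforce Communities license") or point the link at the CCADB itself.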
Line 25: | Line 25: | ||
= Request a license = | = Request a license = | ||
A [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for each [[CA:IncludedCAs|included CA]] will be given a [https://www.salesforce.com/communities/features/ | A [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for each [[CA:IncludedCAs|included CA]] will be given a [https://www.salesforce.com/communities/features/ CCADB] license. If you believe that you should have a CCADB license but you have not received one, then please send email to [mailto:certificates@mozilla.org certificates@mozilla.org] with your name and the name of the CA you represent. | ||
= Login to Common CA Database = | = Login to Common CA Database = | ||
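Review bot: same label/target mismatch as in the introduction: "will be given a [https://www.salesforce.com/communities/features/ CCADB] license" links the word CCADB to the Salesforce Communities product page; the label and target should agree.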
Line 33: | Line 33: | ||
# Click on the "Log in to CA Community" button | # Click on the "Log in to CA Community" button | ||
If you are the [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for an [[CA:IncludedCAs|included CA]], you may [[CA:SalesforceCommunity#Request_a_license|request a | If you are the [[CA:Information_checklist#CA_Primary_Point_of_Contact_.28POC.29|Primary Point of Contact]] for an [[CA:IncludedCAs|included CA]], you may [[CA:SalesforceCommunity#Request_a_license|request a CCADB license]] or request that your password be reset by following the instructions [[CA:SalesforceCommunity#Request_a_license|above]]. | ||
= Navigate the Common CA Database = | = Navigate the Common CA Database = | ||
Line 48: | Line 48: | ||
Important Notes: | Important Notes: | ||
* Each Owner/Certificate record has a "CA Owner/Certificate Name" field. For a certificate record, the value of this field is usually the Certificate '''Subject''' Common Name of the certificate. For a CA Owner record, this field displays the CA's name. (We cannot change the title of the field in the page, due to the way we are using it in | * Each Owner/Certificate record has a "CA Owner/Certificate Name" field. For a certificate record, the value of this field is usually the Certificate '''Subject''' Common Name of the certificate. For a CA Owner record, this field displays the CA's name. (We cannot change the title of the field in the page, due to the way we are using it in the CCADB.) | ||
* Each Certificate record has a "Parent CA Owner/Certificate" field. For an intermediate certificate record the value of the field should be the Certificate '''Issuer''' Common Name. For a root certificate record the value of the field will be the name of the CA owner. (We cannot change the title of the field in the page, due to the way we are using it | * Each Certificate record has a "Parent CA Owner/Certificate" field. For an intermediate certificate record the value of the field should be the Certificate '''Issuer''' Common Name. For a root certificate record the value of the field will be the name of the CA owner. (We cannot change the title of the field in the page, due to the way we are using it.) | ||
* CA Community Users cannot modify the records for: Owner, Root Certificate, and Contact. Only the [[Modules/All#CA_Certificates|CA Certificates Module Owner and Peers]] can modify these records. | * CA Community Users cannot modify the records for: Owner, Root Certificate, and Contact. Only the [[Modules/All#CA_Certificates|CA Certificates Module Owner and Peers]] can modify these records. | ||
* CA Community Users can only modify the intermediate certificate records for their CA. | * CA Community Users can only modify the intermediate certificate records for their CA. | ||
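Review bot: the second "Important Notes" bullet now ends "(We cannot change the title of the field in the page, due to the way we are using it.)" while the parallel sentence in the first bullet ends "due to the way we are using it in the CCADB.)"; the object was dropped instead of renamed, so make the second bullet "due to the way we are using it in the CCADB.)" for consistency.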
Line 56: | Line 56: | ||
* [[CA:CommonCADatabase#PEM_Data|PEM data]] must be provided for every intermediate certificate (chaining up to a root certificate in Mozilla's program) that is not [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings. Policy documentation and audit statements must also be provided for these non-technically-constrained intermediate certificates, as per section 10 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]. | * [[CA:CommonCADatabase#PEM_Data|PEM data]] must be provided for every intermediate certificate (chaining up to a root certificate in Mozilla's program) that is not [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings. Policy documentation and audit statements must also be provided for these non-technically-constrained intermediate certificates, as per section 10 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]. | ||
= View Reports in | = View Reports in the CCADB = | ||
Click on "Reports" tab, then click on the "CA Community Reports" link along the left column, then click on one of the reports in the list. Whenever you click on the "Reports" tab it will list the reports that you have recently viewed. You will need to click on the "CA Community Reports" link to see all of the reports that are available to you. The reports are: | Click on "Reports" tab, then click on the "CA Community Reports" link along the left column, then click on one of the reports in the list. Whenever you click on the "Reports" tab it will list the reports that you have recently viewed. You will need to click on the "CA Community Reports" link to see all of the reports that are available to you. The reports are: | ||
* All Public Intermediate Certs -- All Public (non-revoked) intermediate certificates that have been entered into | * All Public Intermediate Certs -- All Public (non-revoked) intermediate certificates that have been entered into the CCADB. | ||
* All Revoked Intermediate Certs -- All revoked intermediate certificates that have been entered into | * All Revoked Intermediate Certs -- All revoked intermediate certificates that have been entered into the CCADB. | ||
* My Blank Intermediate Certs -- The intermediate cert records that you have entered that have the default value, "<Fill in CA Owner/Cert name>", certificate name. This means that you need to enter the certificate's [[CA:CommonCADatabase#PEM_Data|PEM data]] to update the record. | * My Blank Intermediate Certs -- The intermediate cert records that you have entered that have the default value, "<Fill in CA Owner/Cert name>", certificate name. This means that you need to enter the certificate's [[CA:CommonCADatabase#PEM_Data|PEM data]] to update the record. | ||
** Click on one of the links in the Certificate Name column in the report to view the certificate record. | ** Click on one of the links in the Certificate Name column in the report to view the certificate record. | ||
* My Included Root Certs -- The currently-included root certificates for your CA. | * My Included Root Certs -- The currently-included root certificates for your CA. | ||
* My Public Intermediate Certs -- The Public (non-revoked) intermediate certificates that have been entered into | * My Public Intermediate Certs -- The Public (non-revoked) intermediate certificates that have been entered into the CCADB for your CA. | ||
* My Revoked Intermediate Certs -- The revoked intermediate certificates that have been entered into | * My Revoked Intermediate Certs -- The revoked intermediate certificates that have been entered into the CCADB for your CA. | ||
= Data that CAs can Add/Modify = | = Data that CAs can Add/Modify = | ||
With a | With a CCADB Community license, CAs can view root and intermediate certificate data for all of the CAs in CCADB. | ||
* CAs '''can''' modify records for: | * CAs '''can''' modify records for: | ||
** [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce| Intermediate certificate data]] chaining up to the root certificates that they own | ** [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce| Intermediate certificate data]] chaining up to the root certificates that they own | ||
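Review bot: the link [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce| Intermediate certificate data]] still targets the old section anchor, but this same edit renames that heading to "== Add Intermediate Certificate Data to the CCADB ==", so the anchor will no longer resolve; update it to #Add_Intermediate_Certificate_Data_to_the_CCADB and drop the leading space in the link label. In the same hunk, "With a CCADB Community license" and "all of the CAs in CCADB" differ from the "CCADB license" and "in the CCADB" wording used by the rest of the edit.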
Line 74: | Line 74: | ||
** Intermediate certificate data chaining up to root certificates that they do not own. | ** Intermediate certificate data chaining up to root certificates that they do not own. | ||
== Which intermediate certificate data should CAs add to | == Which intermediate certificate data should CAs add to the CCADB? == | ||
CAs '''must''' add records for: | CAs '''must''' add records for: | ||
* All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]. | * All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained as described in section 9 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy]. | ||
Line 85: | Line 85: | ||
** Including revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|should be added to OneCRL]] | ** Including revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|should be added to OneCRL]] | ||
When the '''same exact intermediate certificate''' chains up to two included root certificates, the certificate data only needs to be included in | When the '''same exact intermediate certificate''' chains up to two included root certificates, the certificate data only needs to be included in the CCADB once. | ||
* For root certificate (rootA) that is cross-signed by another included root certificate (rootB) that has the Websites trust bit enabled, the intermediate certificates chaining up to rootA only need to be entered into the CCADB once. | * For root certificate (rootA) that is cross-signed by another included root certificate (rootB) that has the Websites trust bit enabled, the intermediate certificates chaining up to rootA only need to be entered into the CCADB once. | ||
** The cross-certificates for rootA that are signed by rootB must be entered into | ** The cross-certificates for rootA that are signed by rootB must be entered into the CCADB such that their records chain up to rootB. | ||
** If rootA is included and has the Websites trust bit enabled, then its intermediate certificates should be entered into | ** If rootA is included and has the Websites trust bit enabled, then its intermediate certificates should be entered into the CCADB such that their records chain directly to rootA. | ||
** If rootA has been removed from NSS or does not have the Websites trust bit enabled, then its intermediate certificates must be entered into | ** If rootA has been removed from NSS or does not have the Websites trust bit enabled, then its intermediate certificates must be entered into the CCADB such that their records chain to rootB. | ||
** If rootA and rootB are owned by different CAs, then both CAs are responsible for ensuring that the data for all of their non-technically-constrained intermediate certificates are appropriately entered into | ** If rootA and rootB are owned by different CAs, then both CAs are responsible for ensuring that the data for all of their non-technically-constrained intermediate certificates are appropriately entered into the CCADB. | ||
CAs should '''not''' add records for: | CAs should '''not''' add records for: | ||
* Intermediate certificates that the CA cannot publicly disclose '''and''' are [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage (and Name Constraints if EKU has anyExtendedKeyUsage or id-kp-serverAuth). All intermediate certificate data added by CAs to | * Intermediate certificates that the CA cannot publicly disclose '''and''' are [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage (and Name Constraints if EKU has anyExtendedKeyUsage or id-kp-serverAuth). All intermediate certificate data added by CAs to the CCADB will be [[CA:SalesforceCommunity#View_Published_Reports|publicly available]]. | ||
* Revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|do not need to be added to OneCRL]] | * Revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|do not need to be added to OneCRL]] | ||
* Expired intermediate certificates | * Expired intermediate certificates | ||
* Intermediate certificates that do '''not''' chain up to a root certificate that is currently [[CA:IncludedCAs|included in Mozilla's root store]]. | * Intermediate certificates that do '''not''' chain up to a root certificate that is currently [[CA:IncludedCAs|included in Mozilla's root store]]. | ||
== Add Intermediate Certificate Data to | == Add Intermediate Certificate Data to the CCADB == | ||
To add an intermediate certificate: | To add an intermediate certificate: | ||
# Find the root certificate that signed the intermediate certificate | # Find the root certificate that signed the intermediate certificate | ||
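Review bot: "* For root certificate (rootA) that is cross-signed by another included root certificate (rootB)" is missing an article and should read "For a root certificate (rootA) that is cross-signed ...". The three sub-bullets describing where rootA's intermediates are entered are mutually exclusive cases (rootA trusted for Websites, rootA removed or without the Websites bit, cross-certificates of rootA); consider introducing them with "depending on the status of rootA" so a reader does not take them as cumulative requirements.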
Line 166: | Line 166: | ||
#* If needed, you can manually create the bug: Go to the [https://bugzilla.mozilla.org/enter_bug.cgi Bug Entry Page,] type "Certificate" into the search bar, and select "CA Certificate Root Program. Then select the fields as listed above. | #* If needed, you can manually create the bug: Go to the [https://bugzilla.mozilla.org/enter_bug.cgi Bug Entry Page,] type "Certificate" into the search bar, and select "CA Certificate Root Program. Then select the fields as listed above. | ||
# Attach the document to the bug | # Attach the document to the bug | ||
# Copy-and-paste the link to the Bugzilla Bug attachment into the corresponding field in | # Copy-and-paste the link to the Bugzilla Bug attachment into the corresponding field in the CCADB | ||
# Repeat steps 3 and 4 as needed, using the same Bugzilla Bug. | # Repeat steps 3 and 4 as needed, using the same Bugzilla Bug. | ||
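Review bot: the "If needed, you can manually create the bug" step has an unbalanced quotation: select "CA Certificate Root Program. opens a quote that is never closed and should read select "CA Certificate Root Program". The link [https://bugzilla.mozilla.org/enter_bug.cgi Bug Entry Page,] also places the comma inside the link text; move it after the closing bracket. Both issues are in unchanged context and carry over from the previous revision.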
Line 229: | Line 229: | ||
#* If you click on the "Exit" button, you can re-start the process later without having to go through all of the certs that you already updated -- Each time you click on the Mass Update button, it will only show the sibling certificates with different Audit and Policy information. | #* If you click on the "Exit" button, you can re-start the process later without having to go through all of the certs that you already updated -- Each time you click on the Mass Update button, it will only show the sibling certificates with different Audit and Policy information. | ||
== Add Revoked Intermediate Certificate Data to | == Add Revoked Intermediate Certificate Data to the CCADB == | ||
Mozilla has implemented a revocation list push mechanism in Firefox called [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], which pushes a [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|revocation list of intermediate certificates]] to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This improves security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker. | Mozilla has implemented a revocation list push mechanism in Firefox called [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], which pushes a [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|revocation list of intermediate certificates]] to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This improves security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker. | ||
Line 306: | Line 306: | ||
* Find the CA's Owner record. You may type in part of the CA's name, and use the '*' character, in the 'Search' bar at the top of the CCADB window (next to 'mozilla'). Or, you can click on "CA Owners/Certificates" tab, then in "View:" select "All CA Owners" and click on "Go!". Click on the "CA Owner/Certificate Name" to view the record. | * Find the CA's Owner record. You may type in part of the CA's name, and use the '*' character, in the 'Search' bar at the top of the CCADB window (next to 'mozilla'). Or, you can click on "CA Owners/Certificates" tab, then in "View:" select "All CA Owners" and click on "Go!". Click on the "CA Owner/Certificate Name" to view the record. | ||
* Within the record scroll down to the "File Archive" section, to see the File Archives associated with that CA Owner. | * Within the record scroll down to the "File Archive" section, to see the File Archives associated with that CA Owner. | ||
** "External Link" is the URL to the audit statement on the CA's website or in Bugzilla, and "Internal Link" is the link to same file stored within | ** "External Link" is the URL to the audit statement on the CA's website or in Bugzilla, and "Internal Link" is the link to same file stored within the CCADB. | ||
Notes: | Notes: | ||
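Review bot: "Internal Link" is the link to same file stored within the CCADB is missing an article; it should read "the link to the same file stored within the CCADB".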
Line 316: | Line 316: | ||
In the near future, we plan to add custom code and a button to allow you to delete a record that you created. | In the near future, we plan to add custom code and a button to allow you to delete a record that you created. | ||
In the meantime, if you need to delete a record that you added, please notify Kathleen and provide the values of the following | In the meantime, if you need to delete a record that you added, please notify Kathleen and provide the values of the following CCADB fields for each of the records to delete. | ||
* CA Owner/Certificate Name | * CA Owner/Certificate Name | ||
* Parent CA Owner/Certificate | * Parent CA Owner/Certificate |