m (cleanup)
(Move Test to separate subsection)
Line 111: | Line 111: | ||
#** See: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP | #** See: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP | ||
#** OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443. | #** OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443. | ||
# Requested Trust Bits | # Requested Trust Bits | ||
#* State which of the two trust bits you are requesting to be enabled for this root. One or more of: | #* State which of the two trust bits you are requesting to be enabled for this root. One or more of: | ||
Line 139: | Line 122: | ||
#** EV - Verification meets the requirements of the CA/Browser Forum [https://cabforum.org/extended-validation/ CA/Browser Forum's EV Guidelines] | #** EV - Verification meets the requirements of the CA/Browser Forum [https://cabforum.org/extended-validation/ CA/Browser Forum's EV Guidelines] | ||
# If EV certificates are issued within the hierarchy rooted at this root, the EV policy OID(s) associated with those EV certificates. | # If EV certificates are issued within the hierarchy rooted at this root, the EV policy OID(s) associated with those EV certificates. | ||
=== Test!!! === | |||
You must Test your certificates and test websites! They must be fully compliant with Mozilla's Root Store Policy and the appropriate RFC's, and CA/Browser Forum Baseline Requirements (if requesting the SSL/TLS trust bit). | |||
* If requesting to enable the Websites (SSL/TLS) trust bit, then you must perform all of the following tests | |||
** Revocation: Browse to https://certificate.revocationcheck.com/ and enter the Test Website URL. Make sure there are no errors listed in the output. | |||
*** If certificate.revocationcheck.com does not know about the root cert, then use the 'Certificate Upload' tab to directly input the PEM for the certificates. | |||
** The CA MUST check that they are not issuing certificates that violate any of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] (BRs). | |||
** Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs by performing the following tests. | |||
*** Browse to https://crt.sh/ | |||
*** Enter the SHA-1 or SHA-256 Fingerprint for the root certificate. Then click on the 'Search' button. | |||
*** When the certificate information is shown, along the left column under Certificate, click on the "Run cablint" and "Run x509lint" links. Each of these will add a row to the table, showing the test results. | |||
*** All errors must be resolved/fixed. Warnings should also be either resolved or explained. | |||
** If you have not yet issued public certificates in your CA hierarchy, then you can test using: | |||
*** https://crt.sh/linttbscert | |||
**** [https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg07855.html Instructions] | |||
** Alternatively, you may use the test code directly via Github: | |||
*** BR Lint Test: https://github.com/awslabs/certlint | |||
*** X.509 Lint Test: https://github.com/kroeckx/x509lint | |||
*** All errors must be resolved/fixed. Warnings should also be either resolved or explained. | |||
** [[CA:TestErrors|Test Errors]] - Meaning and recommended solutions to errors that CAs have run into while doing the tests listed above. | |||
If you are requesting to enable EV treatment, then you must also perform the [[PSM:EV_Testing_Easy_Version | PSM EV Testing]] | |||
* You must provide successful output from the [https://tls-observatory.services.mozilla.com/static/ev-checker.html EV Checking Tool]. | |||
== CA Hierarchy information for each root certificate == | == CA Hierarchy information for each root certificate == |
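Review bot: In the new "Test" subsection, the "Mozilla WILL check that the CA is not issuing certificates that violate any of the BRs" steps only lint the root certificate (the fingerprint entered on crt.sh is the root's, and cablint/x509lint are then run on that one certificate), so as written they never exercise the end-entity certificates that BR violations usually show up in; consider stating that the test website's certificate and any intermediates must be linted as well, for example by locating the test website's certificate on crt.sh and running the same two lints there. Smaller points in the same hunk: "If you are requesting to enable EV treatment, then you must also perform the ... PSM EV Testing" is the only unbulleted line inside the list and should be a "*" item with the "EV Checking Tool" line nested under it as "**", matching the "Websites (SSL/TLS)" item above it; "All errors must be resolved/fixed. Warnings should also be either resolved or explained." appears twice (after the crt.sh steps and again after the GitHub links), and one occurrence at the end of the "**" block is enough; and the heading "=== Test!!! ===" and "appropriate RFC's" read better as "=== Test ===" and "appropriate RFCs".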