m (→Verifying Email Address Control: Minor) |
m (→OCSP: Updated to change outdated language) |
Line 132: | Line 132: | ||
# The OCSP URI must be provided in end entity certificates. (BR section 7.1.2.3.c.) | # The OCSP URI must be provided in end entity certificates. (BR section 7.1.2.3.c.) | ||
# OCSP Responders SHALL NOT respond “Good” for Unissued Certificates. (BR section 4.9.10) | # OCSP Responders SHALL NOT respond “Good” for Unissued Certificates. (BR section 4.9.10) | ||
# CAs MUST NOT issue OCSP responder certificates using SHA-1 (BR section 7.1.3.2.1) | # CAs MUST NOT issue OCSP responder certificates using SHA-1 (BR section 7.1.3.2.1) | ||
# OCSP responses MUST conform to RFC6960 and/or RFC5019. (BR section 4.9.9) | # OCSP responses MUST conform to RFC6960 and/or RFC5019. (BR section 4.9.9) | ||
Please refer to section 4.9.10 of the [https://cabforum.org/baseline-requirements-documents/ Baseline Requirements] for additional OCSP requirements. | |||
You MUST test your OCSP service in Firefox! We expect OCSP responders to function without error in Mozilla products. To test in Firefox: | You MUST test your OCSP service in Firefox! We expect OCSP responders to function without error in Mozilla products. To test in Firefox: | ||
* Go to Firefox -> | * Go to Firefox -> Settings -> Privacy & Security -> Certificates | ||
* Check the box for "Query OCSP responder servers to confirm the current validity of certificates" | * Check the box for "Query OCSP responder servers to confirm the current validity of certificates" | ||
* You may need to clear your history cache | * You may need to clear your history cache |
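Review bot: in the "Go to Firefox ->" step, the rewritten menu path (Settings -> Privacy & Security -> Certificates) and the checkbox label quoted in the next step are both tied to a particular Firefox release, and the edit summary already describes the previous wording as outdated. Suggest stating the Firefox version these steps were verified against so the next reader can tell when they have drifted. Separately, the sentence pointing to BR section 4.9.10 for additional OCSP requirements appears on only one side of this diff; if that reference is being dropped or added, the edit summary should say so, since "outdated language" does not obviously cover it.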