Confirmed users, Administrators
5,526
edits
CA/FAQ: Difference between revisions
m
fixed links
m (Updated due to MDSP migration) |
m (fixed links) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
When distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products, Mozilla may include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs). The certificates included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers | When distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products, Mozilla may include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs). The certificates included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers and S/MIME email users without having to ask users for further permission or information. | ||
The purpose of this wiki page is to provide general background information regarding how Mozilla software products use certificates, how it is determined which [[CA/Included_Certificates|CA certificates are included]] by default, and how you can influence decisions regarding Mozilla's [[Modules/All#CA_Certificates|CA Certificates Module]] and [[CA#Policy|Policy]]. | The purpose of this wiki page is to provide general background information regarding how Mozilla software products use certificates, how it is determined which [[CA/Included_Certificates|CA certificates are included]] by default, and how you can influence decisions regarding Mozilla's [[Modules/All#CA_Certificates|CA Certificates Module]] and [[CA#Policy|Policy]]. | ||
=== What are certificates? === | === What are certificates? === | ||
Certificates are used in the context of "public key" cryptography. More specifically, certificates are digitally signed data items combining a public key used for some purpose (e.g., enabling a web server to accept SSL connections) with information about the entity associated with the public key. Certificates are used in at least | Certificates are used in the context of "public key" cryptography. More specifically, certificates are digitally signed data items combining a public key used for some purpose (e.g., enabling a web server to accept SSL connections) with information about the entity associated with the public key. Certificates are used in at least two functions within Mozilla and related software: | ||
* when a user uses the software to connect to an SSL-enabled web server or other SSL-enabled servers, (e.g., an IMAP mail server) | * when a user uses the software to connect to an SSL-enabled web server or other SSL-enabled servers, (e.g., an IMAP mail server) | ||
* when a user uses the software to read digitally signed email from another user | * when a user uses the software to read digitally signed email from another user | ||
In public key cryptography the communicating entities (e.g., web servers or user email programs) each have a unique pair of cryptographic keys, a "private" key that is kept secret and a "public" key that is made known to others. In the various cryptography-based functions in Mozilla | In public key cryptography the communicating entities (e.g., web servers or user email programs) each have a unique pair of cryptographic keys, a "private" key that is kept secret and a "public" key that is made known to others. In the various cryptography-based functions in Mozilla public keys are not used in their "raw" form but rather are encapsulated in "certificates". (These are often referred to as "X.509 v3 certificates", from the name of the technical standard defining the certificates' format.) | ||
As noted above, a certificate is a digitally signed bundle of data that includes both the public key for a given entity and various pieces of information about that entity; for example, the certificate for a secure web server includes the domain name of the server, a certificate used for secure email includes the email address of the sending user | As noted above, a certificate is a digitally signed bundle of data that includes both the public key for a given entity and various pieces of information about that entity; for example, the certificate for a secure web server includes the domain name of the server, and a certificate used for secure email includes the email address of the sending user. | ||
Digitally signing a certificate (or any other data) is done using some entity's private key. More specifically, certificate data are signed by taking the bit string representing the data and putting it through a specially-designed "hashing" operation that generates a small fixed-length bit string, and then encrypting that new bit string (the "hash") using some entity's private key to generate the "signature". Hash functions are mathematically designed to ensure that different bit strings will generate different hash values, and public/private key pairs and algorithms are designed to ensure that data encrypted by a private key can be easily decrypted only by the corresponding public key. (In both cases these guarantees are not absolute, but are as good as skilled cryptographers can make them.) | Digitally signing a certificate (or any other data) is done using some entity's private key. More specifically, certificate data are signed by taking the bit string representing the data and putting it through a specially-designed "hashing" operation that generates a small fixed-length bit string, and then encrypting that new bit string (the "hash") using some entity's private key to generate the "signature". Hash functions are mathematically designed to ensure that different bit strings will generate different hash values, and public/private key pairs and algorithms are designed to ensure that data encrypted by a private key can be easily decrypted only by the corresponding public key. (In both cases these guarantees are not absolute, but are as good as skilled cryptographers can make them.) | ||
Someone receiving a copy of the data and its signature can verify the data and signature by decrypting the signature using the entity's public key to recover the original hash value, separately hashing the data to generate a new hash value, and then comparing the original hash value and the new hash value. If the recovered hash value and the newly-generated hash value match then the receiver can be reasonably sure that the data received are the same as the data as originally signed, and that the entity whose public key was used to verify the signature is the same entity that did the signing (with the corresponding private key). | Someone receiving a copy of the data and its signature can verify the data and signature by decrypting the signature using the entity's public key to recover the original hash value, separately hashing the data to generate a new hash value, and then comparing the original hash value and the new hash value. If the recovered hash value and the newly-generated hash value match then the receiver can be reasonably sure that the data received are the same as the data as originally signed, and that the entity whose public key was used to verify the signature is the same entity that did the signing (with the corresponding private key). | ||
=== What are CAs? === | === What are CAs? === | ||
| Line 28: | Line 26: | ||
It is also possible for a certificate to be signed using some other private key belonging to a third party (i.e., an entity other than the one whose certificate it is). In this case verifying the information in the certificate requires having the public key for that third party. The third party's public key can itself be distributed in the form of a certificate, and that certificate can in turn be signed either by the third party itself (as a self-signed certificate) or by some other party entirely. | It is also possible for a certificate to be signed using some other private key belonging to a third party (i.e., an entity other than the one whose certificate it is). In this case verifying the information in the certificate requires having the public key for that third party. The third party's public key can itself be distributed in the form of a certificate, and that certificate can in turn be signed either by the third party itself (as a self-signed certificate) or by some other party entirely. | ||
In the scheme used by Mozilla, certificates for entities such as web servers | In the scheme used by Mozilla, certificates for entities such as web servers or email users are typically not self-signed but rather are signed by third parties (organizations or individuals) known as "Certification Authorities" or "CAs" for short. (CAs are in turn considered to be part of what is commonly referred to as a Public Key Infrastructure or PKI — although in fact it is possible to have a PKI that does not use CAs.) By signing the data in certificates CAs are assumed to be in some way vouching for the information contained in the certificate data. | ||
For example, a certificate used for a secure web server normally contains the domain name used to connect to the web server, and by signing such a certificate a CA is assumed to be vouching for the fact that the entity operating the web server (the entity that controls the server's private key corresponding to the public key in the certificate) actually controls the domain name associated with the server. Similarly, a certificate used for secure email should contain the email address of the person or organization that controls the corresponding email account, with the CA signing the certificate assumed to have verified | For example, a certificate used for a secure web server normally contains the domain name used to connect to the web server, and by signing such a certificate a CA is assumed to be vouching for the fact that the entity operating the web server (the entity that controls the server's private key corresponding to the public key in the certificate) actually controls the domain name associated with the server. Similarly, a certificate used for secure email should contain the email address of the person or organization that controls the corresponding email account, with the CA signing the certificate assumed to have verified that is the case. | ||
Verifying a typical web server | Verifying a typical web server or email user requires having the public key for the CA that signed the certificate. The CA's public key is itself distributed in the form of a certificate; this "CA certificate" is in turn digitally signed either by some other CA or by the CA itself (as a self-signed certificate). In the former case the CA is referred to as an "intermediate" CA; in the latter case the CA is referred to as a "root" CA, and its certificate is a "root CA certificate". | ||
In general it is possible to have multiple root CAs; each root CA can then "issue" certificates directly for web servers | In general it is possible to have multiple root CAs; each root CA can then "issue" certificates directly for web servers or email users by digitally signing the data in those certificates, or can issue certificates to one or more intermediate CAs, which then issue certificates in turn. | ||
Note that in theory CAs are not necessary in order to support cryptography-based functions like secure web browsing, etc., and in fact there are systems like PGP that do not use CAs in the sense defined above. (PGP uses a separate "web of trust" system in which PGP users sign each others' keys.) However the main cryptography-based functions in Mozilla — secure web browsing | Note that in theory CAs are not necessary in order to support cryptography-based functions like secure web browsing, etc., and in fact there are systems like PGP that do not use CAs in the sense defined above. (PGP uses a separate "web of trust" system in which PGP users sign each others' keys.) However the main cryptography-based functions in Mozilla — secure web browsing and secure email — do assume the use of CAs, including root CAs. | ||
=== Why does Mozilla include a default set of CA certificates? === | === Why does Mozilla include a default set of CA certificates? === | ||
| Line 42: | Line 40: | ||
Mozilla as distributed includes various CA certificates by default, in order to reduce the amount of configuration users have to do before they can use Mozilla for these cryptographic-based functions. | Mozilla as distributed includes various CA certificates by default, in order to reduce the amount of configuration users have to do before they can use Mozilla for these cryptographic-based functions. | ||
As discussed in the answer to the previous question, in order to verify a certificate for a web server | As discussed in the answer to the previous question, in order to verify a certificate for a web server or email user, Mozilla must have the certificate for the CA that issued (i.e., digitally signed) the certificate being verified. If the CA is an intermediate CA then Mozilla must also have the certificate for the CA that issued the intermediate CA's certificate, in order to verify that certificate as well. This other CA may be a root CA or yet another intermediate CA; in the latter case yet another CA will be involved, and so on. | ||
Mozilla continues verifying certificates until it comes to a point where it needs a root CA certificate, corresponding to the root CA that issued the original web server, etc., certificate or that issued an intermediate CA's certificate. Since root CA certificates are self-signed, Mozilla can verify such a certificate using the public key in the root CA certificate itself, and if that verification completes successfully then the process is done. | Mozilla continues verifying certificates until it comes to a point where it needs a root CA certificate, corresponding to the root CA that issued the original web server, etc., certificate or that issued an intermediate CA's certificate. Since root CA certificates are self-signed, Mozilla can verify such a certificate using the public key in the root CA certificate itself, and if that verification completes successfully then the process is done. | ||
| Line 50: | Line 48: | ||
However it is also convenient for Mozilla to keep its own copies of certificates, including root CA certificates in particular. Among other things, Mozilla can mark a given root CA certificate as being valid for verifying certain types of certificates, and as not being valid to verify other types of certificates. | However it is also convenient for Mozilla to keep its own copies of certificates, including root CA certificates in particular. Among other things, Mozilla can mark a given root CA certificate as being valid for verifying certain types of certificates, and as not being valid to verify other types of certificates. | ||
For example, a particular root CA may issue certificates only for web servers, not for email users | For example, a particular root CA may issue certificates only for web servers, not for email users; in the Mozilla certificate database this root CA's certificate could be marked as being valid only for verifying web server certificates. If Mozilla receives a email user certificate issued by this root CA (or by an intermediate CA under the root CA) it would then raise an error condition and alert the user; on the other hand web server certificates issued by the root CA (or an intermediate CA under it) would be verified by Mozilla without error and with no need for user intervention. | ||
This process of marking root CA certificates as being valid for verifying certain types of certificates is commonly known as "trusting" the root CA, and the special flags associated with each root CA certificate are known as "trust bits". | This process of marking root CA certificates as being valid for verifying certain types of certificates is commonly known as "trusting" the root CA, and the special flags associated with each root CA certificate are known as "trust bits". | ||
If Mozilla or related software did not already have a copy of a given root CA certificate then it would be unable to automatically determine whether certificates issued by that root CA (or subordinate CAs) should be accepted or not, and would have to prompt the user as to what to do. Most users don't know what CAs are or don't possess the necessary information to properly | If Mozilla or related software did not already have a copy of a given root CA certificate then it would be unable to automatically determine whether certificates issued by that root CA (or subordinate CAs) should be accepted or not, and would have to prompt the user as to what to do. Most users don't know what CAs are or don't possess the necessary information to properly determine the correct action. To prevent typical Mozilla users from having to deal with this issue, Mozilla and related software includes a pre-loaded set of default root CA certificates, with the trust bits set appropriately. | ||
These pre-loaded root CA certificates are distributed with Mozilla and related software in the form of a shared library installed on users' systems along with the rest of the software executable code. They can therefore be updated when new versions of the software are released. | These pre-loaded root CA certificates are distributed with Mozilla and related software in the form of a shared library installed on users' systems along with the rest of the software executable code. They can therefore be updated when new versions of the software are released. | ||
| Line 80: | Line 78: | ||
If your certificates will be used to verify a small number of domains (e.g. *.yourcompany.com) but you want others outside of your organization to be able to browse to your website using https without having to manually import a root certificate, then you can get an [https://en.wikipedia.org/wiki/Public_key_certificate SSL certificate] from one of the CAs who already have a root certificate [[CA/Included_CAs|included in Firefox]], or get an [https://en.wikipedia.org/wiki/Intermediate_certificate_authorities intermediate certificate] cross-signed by one of the CAs who already have a root certificate [[CA/Included_CAs|included in Firefox]]. | If your certificates will be used to verify a small number of domains (e.g. *.yourcompany.com) but you want others outside of your organization to be able to browse to your website using https without having to manually import a root certificate, then you can get an [https://en.wikipedia.org/wiki/Public_key_certificate SSL certificate] from one of the CAs who already have a root certificate [[CA/Included_CAs|included in Firefox]], or get an [https://en.wikipedia.org/wiki/Intermediate_certificate_authorities intermediate certificate] cross-signed by one of the CAs who already have a root certificate [[CA/Included_CAs|included in Firefox]]. | ||
=== Who decides which CA certificates to include in Mozilla products? === | === Who decides which CA certificates to include in Mozilla products? === | ||
| Line 96: | Line 92: | ||
If you don't trust a particular CA whose root certificate is included by default in Mozilla products, then there are two ways to disable the certificate. | If you don't trust a particular CA whose root certificate is included by default in Mozilla products, then there are two ways to disable the certificate. | ||
# [[ | # [[CA/Changing_Trust_Settings#Changing_Root_Certificate_Trust_Settings | Turn off the trust bits for that root certificate.]] | ||
# [[ | # [[CA/Changing_Trust_Settings#Deleting_a_Root_Certificate | Delete the root certificate.]] | ||
#* Deleting a root certificate that is in the default root store is equivalent to turning off all of the trust bits for that root. Therefore, even though the root certificate will re-appear in the Certificate Manager, it will be treated as though you changed the trust bits of that root certificate to turn them all off. | #* Deleting a root certificate that is in the default root store is equivalent to turning off all of the trust bits for that root. Therefore, even though the root certificate will re-appear in the Certificate Manager, it will be treated as though you changed the trust bits of that root certificate to turn them all off. | ||
'''Important:''' This change will have a permanent affect, such that the trust bits for the root certificate can only be changed again by you. This change will not be affected by upgrading to newer versions of Mozilla software. It is strongly recommended that you note which root certificate you modify, so that you can turn the trust bits back on if the change negatively impacts your browsing experience. | '''Important:''' This change will have a permanent affect, such that the trust bits for the root certificate can only be changed again by you. This change will not be affected by upgrading to newer versions of Mozilla software. It is strongly recommended that you note which root certificate you modify, so that you can turn the trust bits back on if the change negatively impacts your browsing experience. | ||
[[ | [[CA/Changing_Trust_Settings#Restoring_the_Default_Trust_Settings_for_All_Root_Certificates|How to restore the default trust settings for all root certs]] | ||
=== How can I impact Mozilla's default set of CA certificates? === | === How can I impact Mozilla's default set of CA certificates? === | ||
| Line 118: | Line 114: | ||
Therefore, anyone considering bundling Mozilla's root store with other software needs to be aware of the issues surrounding providing a root store, and committed to making sure that they maintain security for their users by carefully observing Mozilla's actions and taking appropriate steps of their own. On a best-efforts basis, Mozilla maintains [[CA/Additional_Trust_Changes|a list of the additional things]] users of our store might need to consider. | Therefore, anyone considering bundling Mozilla's root store with other software needs to be aware of the issues surrounding providing a root store, and committed to making sure that they maintain security for their users by carefully observing Mozilla's actions and taking appropriate steps of their own. On a best-efforts basis, Mozilla maintains [[CA/Additional_Trust_Changes|a list of the additional things]] users of our store might need to consider. | ||
Useful Links: | |||
* [https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/ Correctly Using Mozilla's Root Store] | |||
* [https://www.ccadb.org/rootstores/usage#ccadb-data-usage-terms Data Usage Terms] | |||
* [https://www.ccadb.org/resources Curated Lists of Root Certificates] | |||
* | * [[CA/Additional_Trust_Changes|Additional Trust Changes to Consider]] | ||
=== How do I import a root cert into NSS on our organization's internal servers? === | === How do I import a root cert into NSS on our organization's internal servers? === | ||
In some organizations administrators need to configure additional trusted CAs or override the trust settings of CAs on a system wide level, as required by local system environments or corporate deployments. For example, some organizations have their own in-house CA, and need to automate importing their root certificate(s) into NSS on their internal servers. | In some organizations administrators need to configure additional trusted CAs or override the trust settings of CAs on a system wide level, as required by local system environments or corporate deployments. For example, some organizations have their own in-house CA, and need to automate importing their root certificate(s) into NSS on their internal servers. | ||
Additional Information: | |||
* [[CA/AddRootToFirefox|Add a Root Certificate to Firefox]] | |||
* Add Certificates to NSS for other applications | |||
* | |||
** [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil certutil] -- a command-line utility that can be used to list, generate, modify, or delete certificates in the NSS root store. | ** [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil certutil] -- a command-line utility that can be used to list, generate, modify, or delete certificates in the NSS root store. | ||
*** [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools#Tools_Information NSS Tools] | *** [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools#Tools_Information NSS Tools] | ||
| Line 138: | Line 131: | ||
** For systems with Fedora and RHEL (6.5 and newer) see the manual page for update-ca-trust (man update-ca-trust) | ** For systems with Fedora and RHEL (6.5 and newer) see the manual page for update-ca-trust (man update-ca-trust) | ||
** For systems with Ubuntu/Debian see the manual page for update-ca-certificates | ** For systems with Ubuntu/Debian see the manual page for update-ca-certificates | ||
* [https:// | * [https://groups.google.com/a/mozilla.org/g/dev-security-policy Discussion forum] where you can ask questions and get answers from others who have done this | ||