CA/Intermediate Certificates: Difference between revisions

(Changed ccadb-public.secure.force.com to ccadb.my.salesforce-sites.com)
 
(27 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Subordinate CA Certificates Chaining to Root Certificates in NSS =
= Intermediate Certificates =


Mozilla products ship with a [[CA:IncludedCAs|default list of Certification Authority (CA) certificates]].  
[[CA/Included_Certificates|CAs]] are required to provide the data for all of their [[CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F|publicly disclosed and audited intermediate certificates]] which chain up to root certificates in Mozilla's program. They do this using the [[CA:SalesforceCommunity|CCADB]].  


With the [[CA:SalesforceCommunity|CA Community in Salesforce]] CAs directly provide the data for all of the [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|publicly disclosed and audited subordinate CAs]] chaining up to root certificates in Mozilla's program.  
The following reports are '''generated once per day''' and include valid intermediate certificates and expired intermediate certificates but not revoked intermediate certificates:
<br />
<big>[https://www.ccadb.org/rootstores/usage#ccadb-data-usage-terms CCADB Data Usage Terms]</big>
* [https://ccadb.my.salesforce-sites.com/mozilla/PublicAllIntermediateCerts Intermediate CA Certificates] (HTML)
* [https://ccadb.my.salesforce-sites.com/mozilla/PublicAllIntermediateCertsCSV Intermediate CA Certificates] (CSV)
* [https://ccadb.my.salesforce-sites.com/mozilla/PublicAllIntermediateCertsWithPEMCSV Intermediate CA Certificates] (CSV with PEM of raw certificate data)
* [https://ccadb.my.salesforce-sites.com/mozilla/MozillaIntermediateCertsCSVReport Non-revoked, non-expired Intermediate CA Certificates chaining up to roots in Mozilla's program with the Websites trust bit set] (CSV with PEM of raw certificate data)
* [https://ccadb.my.salesforce-sites.com/mozilla/IntermediateCertsSeparateAudits Intermediate CA Certificates with their own audit statements] (HTML)
* [https://ccadb.my.salesforce-sites.com/mozilla/IntermediateCertsSeparateAuditsCSV Intermediate CA Certificates with their own audit statements] (CSV)


The following spreadsheet lists the Public Intermediate (Subordinate) CA Certificates that have been entered into the CA Community in Salesforce, which means that they must have public-facing documentation and audit statements that meet [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] and the [https://cabforum.org/about-the-baseline-requirements/ CA/Browser Forum's Baseline Requirements].
The following reports list revoked intermediate certificates:


* [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts Spreadsheet of Intermediate CA Certificates]
* [https://ccadb.my.salesforce-sites.com/mozilla/PublicIntermediateCertsRevoked Revoked Intermediate CA Certificates] (HTML)
* [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat CSV version of the Spreadsheet of Intermediate CA Certificates]
* [https://ccadb.my.salesforce-sites.com/mozilla/PublicIntermediateCertsRevokedCSVFormat Revoked Intermediate CA Certificates] (CSV)
* [https://ccadb.my.salesforce-sites.com/mozilla/PublicIntermediateCertsRevokedWithPEMCSV Revoked Intermediate CA Certificates] (CSV with PEM of raw certificate data)


== Subordinate CA Certificates for each CA Owner ==
The following reports list the intermediate certificates that are ready to be added to OneCRL. Some non-revoked intermediate certificates are added to OneCRL because they are not intended to be used for SSL/TLS.
{| class="wikitable"
* [https://ccadb.my.salesforce-sites.com/mozilla/PublicInterCertsReadyToAddToOneCRL Intermediate CA Certificates Ready to Add to OneCRL] (HTML)
|-
* [https://ccadb.my.salesforce-sites.com/mozilla/PublicInterCertsReadyToAddToOneCRLPEMCSV Intermediate CA Certificates Ready to Add to OneCRL] (CSV with PEM  of raw certificate data)
! Spreadsheet !! CSV Format
 
|-
The following reports list the intermediate certificates that have been added to OneCRL, and their revocation status as indicated by the CA in the CCADB.
| [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=CA%20Disig%20a.s. CA Disig a.s.] || [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat?CAOwnerName=CA%20Disig%20a.s. CA Disig a.s.]
* [https://ccadb.my.salesforce-sites.com/mozilla/IntermediateCertsInOneCRLReport Intermediate CA Certificates in OneCRL] (HTML)
|-
* [https://ccadb.my.salesforce-sites.com/mozilla/IntermediateCertsInOneCRLReportCSV Intermediate CA Certificates in OneCRL] (CSV)
| [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=D-TRUST D-TRUST] || [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat?CAOwnerName=D-TRUST D-TRUST]
 
|-
Firefox (version 37 and later) uses the [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL] system, which pushes a list of revoked certificates to the browser. It includes (or should include) all the intermediate certificates in the above report.
| [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=Certinomis Certinomis] || [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat?CAOwnerName=Certinomis Certinomis]
 
|-
* [https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records OneCRL Raw Data]
| [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=Chunghwa%20Telecom%20Corporation Chunghwa Telecom Corporation] || [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat?CAOwnerName=Chunghwa%20Telecom%20Corporation Chunghwa Telecom Corporation]
* [https://crt.sh/mozilla-onecrl OneCRL data table with links to each certificate in crt.sh]
|-
| [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=Comodo Comodo] || [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat?CAOwnerName=Comodo Comodo]
|-
| [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts?CAOwnerName=ComSign ComSign] || [https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsCSVFormat?CAOwnerName=ComSign ComSign]
|-
|  ||
|}
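
Review bot: In the new OneCRL paragraph, "It includes (or should include) all the intermediate certificates in the above report" does not say which report it means, and two report groups precede it: the certificates ready to be added to OneCRL, and the certificates that have been added to OneCRL. Name the report in the sentence, for example by repeating the link title "Intermediate CA Certificates in OneCRL" if that is the one meant, so a reader comparing the CCADB report against the OneCRL raw data knows which list is expected to match.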

Latest revision as of 23:47, 22 May 2023

Intermediate Certificates

CAs are required to provide the data for all of their publicly disclosed and audited intermediate certificates which chain up to root certificates in Mozilla's program. They do this using the CCADB.

The following reports are generated once per day and include valid intermediate certificates and expired intermediate certificates but not revoked intermediate certificates:
CCADB Data Usage Terms

The following reports list revoked intermediate certificates:

The following reports list the intermediate certificates that are ready to be added to OneCRL. Some non-revoked intermediate certificates are added to OneCRL because they are not intended to be used for SSL/TLS.

The following reports list the intermediate certificates that have been added to OneCRL, and their revocation status as indicated by the CA in the CCADB.

Firefox (version 37 and later) uses the OneCRL system, which pushes a list of revoked certificates to the browser. It includes (or should include) all the intermediate certificates in the above report.