m (New link for getting PEM) |
m (added/fixed links) |
||
Line 1: | Line 1: | ||
This page is for [[CA:FAQ#What_are_CAs.3F | Certificate Authorities (CAs)]] who request to have a root certificate enabled for [https://www.cabforum.org/certificates.html Extended Validation (EV) treatment], and need to test that their CA hierarchy is ready for EV treatment. | This page is for [[CA:FAQ#What_are_CAs.3F | Certificate Authorities (CAs)]] who request to have a root certificate enabled for [https://www.cabforum.org/certificates.html Extended Validation (EV) treatment], and need to test that their CA hierarchy is ready for EV treatment. | ||
To request that your root certificate be included in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] and | To request that your root certificate be included in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] and [https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp enabled for EV treatment], see [[CA/Application_Process|Mozilla's application process]]. | ||
This page explains how you can test that your certificates and OCSP infrastructure are working correctly according to the expectations of Mozilla, Firefox, and the NSS library; and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software.) | This page explains how you can test that your certificates and OCSP infrastructure are working correctly according to the expectations of Mozilla, Firefox, and the NSS library; and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software.) | ||
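Review bot: The link added on the "To request that your root certificate be included" line points at `file/tip/security/certverifier/ExtendedValidation.cpp`, and `tip` follows the newest changeset in the repository, so the target will change or break if the file is moved or renamed. Consider linking to a pinned revision of the file, or to a documentation page that describes EV enablement, so that readers of this page and the source stay in step.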
Line 16: | Line 16: | ||
#* End with: -----END CERTIFICATE----- | #* End with: -----END CERTIFICATE----- | ||
#* [https://crt.sh/?d=853428 Example PEM Data] - open with a plain text editor like TextEdit | #* [https://crt.sh/?d=853428 Example PEM Data] - open with a plain text editor like TextEdit | ||
#* [ | #* [http://ccadb.org/cas/fields#pem-data Help with getting PEM] | ||
# Click on "Submit" | # Click on "Submit" | ||
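Review bot: The "Help with getting PEM" link added in this hunk uses `http://ccadb.org/cas/fields#pem-data`, while the neighbouring "Example PEM Data" link uses `https://`. Since this step tells a CA how to obtain the root certificate PEM that gets pasted into the test, the help link should be served over HTTPS as well if the site supports it, so the instructions cannot be altered in transit.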
Line 29: | Line 29: | ||
* If you get ''Error: TypeError: json.analysis is undefined'', then the program does not like the format of the data you entered. For instance, if you have extra spaces or characters before or after the TLS Server URL, EV Policy OID, or Root Certificate PEM. | * If you get ''Error: TypeError: json.analysis is undefined'', then the program does not like the format of the data you entered. For instance, if you have extra spaces or characters before or after the TLS Server URL, EV Policy OID, or Root Certificate PEM. | ||
* The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test. | * The EV test only uses the root certificate it is given. So, if you are using an intermediate certificate that has been cross-signed with another root certificate, you may see different results when browsing to the site in Firefox, as opposed to the results provided by the EV Test. | ||
* OCSP must work without error for the intermediate certificates. | * OCSP must work without error for the intermediate certificates. | ||
* The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID that you enter. (Note: the intermediate cert can use the anyPolicy oid rather than the EV policy oid.) | * The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID that you enter. (Note: the intermediate cert can use the anyPolicy oid rather than the EV policy oid.) | ||
** SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate being sent by the server doesn't have a certificate policies extension, or has an incorrect policy OID. | ** SEC_ERROR_POLICY_VALIDATION_FAILED error may mean that the intermediate certificate being sent by the server doesn't have a certificate policies extension, or has an incorrect policy OID. |