CA:SalesforceCommunity

From MozillaWiki

DRAFT
The content of this page is a work in progress intended for review.


CA Community in Salesforce

Mozilla's CA Program has its own instance of Salesforce for managing the CA Program data.

The Salesforce CA Community enables CAs to directly provide the data for all of the publicly disclosed and audited subordinate CAs chaining up to root certificates in Mozilla's program, and to also directly provide data about their revoked intermediate certificates. A Primary Point of Contact for each included CA will be given a Salesforce CA Community license, so that each of the CAs in Mozilla's program can input, access, and update their intermediate certificate data directly in Salesforce.

Request a license

To do

Login to CA Community in Salesforce

  1. Open https://www.salesforce.com/
  2. Click on the "Login" button in the upper-right corner of the page
  3. Enter your Username, which is the email address for which your Community User License was issued
  4. Enter the Password that you set up during first access
  5. Click on the "Log in to Salesforce" button

Navigate the CA Community in Salesforce

Upon initial login you will see a row with three tabs:

  1. CA Owners/Certificates
    • Click on "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". This will list the CA Owner and all of the root and intermediate certificates associated with your account. Click on the "CA Owner/Certificate Name" to view the record. Within the record you will see an Account Hierarchy section, where you can click on each root or intermediate certificate record to view the data.
    • Click on "CA Owners/Certificates" tab, then in "View:" select "All Included CA Owners" and click on "Go!". You will see all of the CAs who have root certificates included in the NSS root store. Click on the CA Owner Name, to view the record.
    • Click on "CA Owners/Certificates" tab, then in "View:" select "Community User's Intermediate Certs" and click on "Go!". This will list the intermediate certificates associated with your account. Click on the "CA Owner/Certificate Name" to view the record.
  2. Contacts
    • Click on "Contacts" tab, then in "View:" select "All Contacts" and click on "Go!". Click on the Name to view the contact record.
  3. Reports
    • Click on "Reports" tab, then click on the "CA Community Reports" link along the left column, then click on one of the reports in the list. Whenever you click on the "Reports" tab it will list the reports that you have recently viewed. You will need to click on the "CA Community Reports" link to see all of the reports that are available to you.

Important Notes:

  • Each Owner/Certificate record has a "CA Owner/Certificate Name" field. For a certificate record, the value of this field is usually the Certificate Subject Common Name of the certificate. For a CA Owner record, this field displays the CA's name. (We cannot change the title of the field in the page, due to the way we are using it in Salesforce.)
  • Each Certificate record has a "Parent CA Owner/Certificate" field. For an intermediate certificate record the value of the field should be the Certificate Issuer Common Name. For a root certificate record the value of the field will be the name of the CA owner. (We cannot change the title of the field in the page, due to the way we are using it in Salesforce.)
  • CA Community Users cannot modify the records for: Owner, Root Certificate, and Contact. Only the CA Certificates Module Owner and Peers can modify these records.
  • CA Community Users can only modify the intermediate certificate records for their CA.
  • The Intermediate certificate records have a Status field that may not be modified by CAs.
  • When PEM data is provided, the certificate details in the record may not be modified.
  • PEM data must be provided for every intermediate certificate (chaining up to a root certificate in Mozilla's program) that is not Technically Constrained via Extended Key Usage and Name Constraint settings. Policy documentation and audit statements must also be provided for these non-technically-constrained intermediate certificates, as per section 10 of Mozilla's CA Certificate Inclusion Policy.

View Reports in Salesforce

Click on the "Reports" tab, then click on the "CA Community Reports" link along the left column, then click on one of the reports in the list. Whenever you click on the "Reports" tab it will list the reports that you have recently viewed. You will need to click on the "CA Community Reports" link to see all of the reports that are available to you. The reports are:

  • All Public Intermediate Certs -- All Public (non-revoked) intermediate certificates that have been entered into Salesforce.
  • All Revoked Intermediate Certs -- All revoked intermediate certificates that have been entered into Salesforce.
  • My Blank Intermediate Certs -- The intermediate cert records that you have entered whose certificate name still has the default value, "<Fill in CA Owner/Cert name>". This means that you need to enter the certificate's PEM data to update the record.
    • Click on one of the links in the Certificate Name column in the report to view the certificate record.
  • My Included Root Certs -- The currently-included root certificates for your CA.
  • My Public Intermediate Certs -- The Public (non-revoked) intermediate certificates that have been entered into Salesforce for your CA.
  • My Revoked Intermediate Certs -- The revoked intermediate certificates that have been entered into Salesforce for your CA.

Add Intermediate Certificate Data to Salesforce

To add an intermediate certificate:

  1. Find the root certificate that signed the intermediate certificate
    • Type the name of your CA or the name of the root certificate into the Search bar at the top of the window. Click on the name of the root certificate to open the record.
    • Or click on "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". Click on the name of the root certificate to open the record.
  2. Click on the "New Intermediate Cert" button. This will create a new record for an intermediate cert chaining up to the certificate record you were just viewing.
  3. Click on the "Add/Update PEM Info" button.
  4. Copy and paste the PEM data into the window, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----
  5. Click on "Validate PEM Info" button.
  6. If the cert check is successful, then click on the "Update Intermediate Cert" button.
  7. In the intermediate certificate record you will see that the cert data has been filled in.
  8. Click on the "Edit" button and add the other relevant information:
    • Standard Audit, BR Audit, EV Audit, dates, Auditor, Auditor Qualifications (link to corresponding site).
    • Policy documentation, CP, CPS
  9. Click on "Save" button.

Notes:

  • To add an intermediate certificate that is signed by an intermediate certificate (rather than a root certificate), the same instructions apply except that rather than finding the root certificate, find the intermediate certificate and then click on the "New Intermediate Cert" button.
  • The "Clone" button will not copy the cert data (which is extracted from PEM data); it will only copy the other fields such as the policy documentation and audit information.
  • PEM data must be provided for every intermediate certificate (chaining up to a root certificate in Mozilla's program) that is not Technically Constrained via Extended Key Usage and Name Constraint settings. Policy documentation and audit statements must also be provided for these non-technically-constrained intermediate certificates, as per section 10 of Mozilla's CA Certificate Inclusion Policy.
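The "Validate PEM Info" step and the notes above turn on two things a CA can check before touching Salesforce: what the PEM data will populate (Subject Common Name, Issuer Common Name, serial number, Valid To) and whether the certificate is Technically Constrained via Extended Key Usage and Name Constraint settings, which decides whether PEM data, policy documents and audit statements are required at all. The Go program below is an added example, not code from this wiki page or from Mozilla's Salesforce tooling; it uses only the standard library's crypto/x509 package. The names (Example Root CA, Example Intermediate CA, example.test, the serial 1ACE) and the helper functions are constructed for the example, and isTechnicallyConstrained is a simplified reading of the rule (an EKU extension without anyExtendedKeyUsage, plus a permitted name subtree whenever serverAuth is allowed); Mozilla's policy text remains the authority on what counts as technically constrained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IntermediateRecord mirrors the fields Salesforce fills in from the PEM data.
type IntermediateRecord struct {
	SubjectCN, IssuerCN, SerialNumber string // serial as upper-case hex
	ValidTo                           time.Time
	TechnicallyConstrained            bool
}

// ParseIntermediatePEM decodes one "-----BEGIN CERTIFICATE-----" block into
// the record fields a CA should check before pasting the PEM into Salesforce.
func ParseIntermediatePEM(pemData []byte) (IntermediateRecord, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return IntermediateRecord{}, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return IntermediateRecord{}, err
	}
	return IntermediateRecord{
		SubjectCN: cert.Subject.CommonName, IssuerCN: cert.Issuer.CommonName,
		SerialNumber: fmt.Sprintf("%X", cert.SerialNumber), ValidTo: cert.NotAfter.UTC(),
		TechnicallyConstrained: isTechnicallyConstrained(cert),
	}, nil
}

// isTechnicallyConstrained is a simplified reading of the page's "Extended Key
// Usage and Name Constraint settings" rule: an EKU extension that excludes
// anyExtendedKeyUsage, plus a permitted name subtree whenever serverAuth is
// allowed. Mozilla's policy text, not this helper, is authoritative.
func isTechnicallyConstrained(cert *x509.Certificate) bool {
	if len(cert.ExtKeyUsage) == 0 {
		return false
	}
	needsNames := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			return false
		}
		needsNames = needsNames || eku == x509.ExtKeyUsageServerAuth
	}
	return !needsNames || len(cert.PermittedDNSDomains)+len(cert.PermittedIPRanges)+
		len(cert.PermittedEmailAddresses)+len(cert.PermittedURIDomains) > 0
}

// SampleIntermediatePEM constructs, in memory and with hypothetical names, a
// root CA and an intermediate it signed, and returns the intermediate's PEM.
// constrained=true adds a serverAuth EKU and a DNS name constraint; false
// yields an intermediate with neither, which must be disclosed with PEM data.
func SampleIntermediatePEM(constrained bool) []byte {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	intPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().UTC()
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, rootPub, rootKey)
	if err != nil {
		panic(err)
	}
	root, _ = x509.ParseCertificate(rootDER) // re-parse so the issuer carries its SubjectKeyId
	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1ACE), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: now, NotAfter: now.AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if constrained {
		intTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		intTmpl.PermittedDNSDomains, intTmpl.PermittedDNSDomainsCritical = []string{"example.test"}, true
	}
	intDER, err := x509.CreateCertificate(rand.Reader, intTmpl, root, intPub, rootKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: intDER})
}

func main() {
	for _, constrained := range []bool{true, false} {
		rec, _ := ParseIntermediatePEM(SampleIntermediatePEM(constrained))
		fmt.Printf("%+v\n", rec)
	}
}
```

Running it prints two records: the constrained intermediate reports TechnicallyConstrained:true, the second, which carries no EKU or name constraints, reports false and is therefore one whose PEM data, policy documentation and audit statements the page says must be entered. Feeding the program a real intermediate's PEM (replace the sample generator with the file contents) shows the same Subject and Issuer Common Names that Salesforce will place in the "CA Owner/Certificate Name" and "Parent CA Owner/Certificate" fields.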

Add Data for Multiple Intermediate Certificates to Salesforce

When you have intermediate certificates that share the same CP, CPS, and audit statements, then you can use the "Clone" button to save time. The recommended procedure is as follows.

  1. Enter the data for one intermediate certificate following the instructions above.
  2. Make sure the "Audit Information" and "Policies and Practices Information" sections are completely and correctly filled in and saved.
  3. Click on the "Clone" button. This will create a new intermediate certificate, copying the "Parent CA Owner/Certificate" field and the "Audit Information" and "Policies and Practices Information" sections.
  4. Click on the "Add/Update PEM info" button, and enter the PEM data for the intermediate certificate you are adding, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----
  5. Click on the "Validate PEM Info" and "Update Intermediate Cert" buttons. The data for the intermediate certificate will be automatically filled in.
  6. If the intermediate certificate has a different Issuer than the cert you had cloned, then click on the "Edit" button, change the "Parent CA Owner/Certificate" to the correct value, and click on the "Save" button.

Add Revoked Intermediate Certificate Data to Salesforce

Mozilla has implemented a revocation list push mechanism in Firefox called OneCRL, which pushes a revocation list of intermediate certificates to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This improves security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker.

If the revocation of an intermediate certificate is due to a security concern, send email to security@mozilla.org. Otherwise, currently the way to notify Mozilla of an intermediate certificate revocation is to submit a bug report into the mozilla.org Bugzilla system.

In the future we plan to use the CA Community in Salesforce to track revocation of intermediate certificates. We plan to provide an automated system that will verify the revocation and take the appropriate action to get the intermediate certificate added to OneCRL. For now we ask CAs to provide both a Bugzilla Bug and enter the data into Salesforce.

The best way to add revoked intermediate certificate data to Salesforce is to first add the intermediate certificate record, and then mark the record as Revoked. This is the way all intermediate certificate revocations must be entered unless the certificate was Technically Constrained via Extended Key Usage and Name Constraint settings.

To mark an intermediate certificate in an existing record as revoked:

  1. Find the intermediate certificate
    • Type the name of the intermediate certificate into the Search bar at the top of the window. Click on the name of the intermediate certificate to open the record.
    • Or click on "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". Click on the name of the intermediate certificate to open the record.
  2. Click on "Edit"
  3. Click on the "Revocation Status" field and select "Revoked".
    • Do NOT select "Verified" or "Added to OneCRL", because we will use those status options to indicate progress on getting the data into OneCRL.
  4. Click on the "RFC 5280 Revocation Reason Code" field and select the corresponding revocation reason.
  5. Click on "Save" button


If the revoked intermediate certificate was Technically Constrained via Extended Key Usage and Name Constraint settings, but you would still like to add it to OneCRL and you are unable to provide the PEM data for the certificate, then you can add the data about the revoked intermediate certificate as follows.

  1. Find the root certificate that signed the intermediate certificate
    • Type the name of your CA or the name of the root certificate into the Search bar at the top of the window. Click on the name of the root certificate to open the record.
    • Or click on "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". Click on the name of the root certificate to open the record.
  2. Click on the "New Intermediate Cert" button.
  3. Click on the "Edit" button.
  4. Click on the "Revocation Status" field and select "Revoked".
  5. Click on the "RFC 5280 Revocation Reason Code" field and select the corresponding revocation reason.
  6. In the "CA Owner/Certificate Name" field enter a name that we can use in Salesforce to identify the revoked certificate.
    • Copy-and-paste the same name into the "Certificate Subject Common Name" field.
  7. Copy-and-paste the text in the "Parent CA Owner/Certificate" field into the "Certificate Issuer Common Name" field.
  8. Enter the following additional information:
    • Certificate Serial Number
    • OCSP URL linking to the OCSP response for that serial number
    • CRL URL linking to the CRL that contains that serial number
    • Valid To (GMT) -- notAfter date of the revoked certificate
  9. Click the "Save" button.
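For a revoked intermediate entered without PEM data, the record stands or falls on the serial number, the CRL that is supposed to contain it, and the RFC 5280 reason code, so it is worth confirming that the CRL really lists that serial with the reason you selected before filing the Bugzilla bug and the Salesforce record. The Go program below is an added example, not code from this wiki page or from Mozilla's tooling; it builds a CRL in memory from a throwaway self-signed issuer (a constructed "Example Root CA", used only so the CRL can be signed) and then looks up a serial in it with the standard library's crypto/x509. The helper names, the serial 1ACE and the choice of reason code 5 (cessationOfOperation) are constructed for the example; with a real CRL downloaded from the URL you would enter in the record, only FindRevokedSerial is needed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidReasonCode is the CRL entry extension that carries the RFC 5280 reason code.
var oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21}

// FindRevokedSerial reports whether a DER-encoded CRL lists the serial number
// and returns that entry's RFC 5280 reason code (0, unspecified, when the
// entry has none); the value should agree with the "RFC 5280 Revocation
// Reason Code" chosen in the Salesforce record.
func FindRevokedSerial(crlDER []byte, serial *big.Int) (bool, int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) != 0 {
			continue
		}
		for _, ext := range rc.Extensions {
			if ext.Id.Equal(oidReasonCode) {
				var code asn1.Enumerated
				_, err := asn1.Unmarshal(ext.Value, &code)
				return true, int(code), err
			}
		}
		return true, 0, nil
	}
	return false, 0, nil
}

// SampleCRL constructs, in memory and with a hypothetical issuer, a CRL that
// revokes one serial number with the given RFC 5280 reason code. The issuer is
// a throwaway self-signed CA created only so the CRL can be signed.
func SampleCRL(revokedSerial *big.Int, reason int) []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().UTC()
	issuer := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, issuer, issuer, pub, key)
	if err != nil {
		panic(err)
	}
	issuer, _ = x509.ParseCertificate(der) // re-parse so SubjectKeyId is populated for the CRL's AKI
	reasonDER, _ := asn1.Marshal(asn1.Enumerated(reason))
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{
			SerialNumber: revokedSerial, RevocationTime: now,
			Extensions:   []pkix.Extension{{Id: oidReasonCode, Value: reasonDER}},
		}},
	}, issuer, key)
	if err != nil {
		panic(err)
	}
	return crlDER
}

func main() {
	// Serial number as it would be typed into the record (constructed value).
	serial, _ := new(big.Int).SetString("1ACE", 16)
	crlDER := SampleCRL(serial, 5) // 5 = cessationOfOperation
	found, reason, err := FindRevokedSerial(crlDER, serial)
	fmt.Println("listed:", found, "reason code:", reason, "err:", err)
	found, _, _ = FindRevokedSerial(crlDER, big.NewInt(0xBEEF))
	fmt.Println("unrelated serial listed:", found)
}
```

A serial that is not on the CRL, or an entry whose reason code differs from the one selected in the "RFC 5280 Revocation Reason Code" field, is the discrepancy to resolve with the CA's own revocation records before the record is saved, since the CRL URL in the record is what a reviewer will check against.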

View Published Reports

To do