Closed Bug 694536 Opened 13 years ago Closed 9 years ago

Replace Entrust.net Certification Authority (2048) root certificate

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: EV - Approved - In NSS 3.15, Firefox 23, EV enabled in FF 36)

Attachments

(5 files, 3 obsolete files)

CA Details
----------

CA Name:  Entrust
Website:  www.entrust.net

Entrust is a commercial CA serving the global market for SSL web certificates. Entrust also issues certificates to subordinate CAs for enterprise and commercial use. Currently Entrust has eight (8) enterprise subordinate CAs that issue certificates for SSL and S/MIME internal use. There are also six (6) commercial subordinate CAs that issue SSL certificates and one that issues S/MIME certificates to the public.

Audit Type (WebTrust, ETSI etc.):  WebTrust for CA and WebTrust for EV
Auditor:  Deloitte and Touche LLP
Auditor Website:  www.deloitte.ca
Audit Document URL(s):  https://entrust.webtrust.org/ViewSeal?id=328

Certificate Details
-------------------

1. Certificate Name:  Entrust.net Certification Authority (2048)

Summary:  This root is already included in NSS. It has been updated to extend the validity period and to correct the Basic Constraints extension. This root is Entrust's primary trust anchor for commercially issuing SSL, S/MIME, and Code Signing certificates.

Certificate HTTP download URL (on CA website):  http://www.entrust.net/developer/index.cfm

Version:  V3
SHA1 Fingerprint:  5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431
Modulus Length (a.k.a. "key length"):  RSA (2048 bits)
Valid From (YYYY-MM-DD):  1999-12-24
Valid To (YYYY-MM-DD):  2029-07-24

CRL HTTP URL:  http://crl.entrust.net/2048ca.crl
CRL issuing frequency for end-entity certificates:  CRL is issued every 24 hrs, valid for 7 days
OCSP URL:  http://ocsp.entrust.net

Class (domain-validated, identity/organisationally-validated or EV):  OV and EV (currently only OV)
Certificate Policy URL:  http://www.entrust.net/CPS
CPS URL:  http://www.entrust.net/CPS
EV policy OID(s) (if applicable):  2.16.840.1.114028.10.1.2

Requested Trust Indicators (email and/or SSL and/or code): email, SSL and code signing
URL of website using certificate chained to this root (if applying for SSL):  https://2048test.entrust.net/


2. Certificate Name:  Entrust Root Certification Authority - G2

Summary:  This is a new root which has been signed with the SHA-256 algorithm. This root is intended to eventually replace Entrust's SHA-1 signed roots. This root is intended to be used for commercially issuing SSL, S/MIME, and Code Signing certificates.

Certificate HTTP download URL (on CA website):  http://www.entrust.net/developer/index.cfm

Version:  V3
SHA1 Fingerprint:  8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4
Modulus Length (a.k.a. "key length"):  RSA (2048 bits)
Valid From (YYYY-MM-DD):  2009-07-07
Valid To (YYYY-MM-DD):  2030-12-07

CRL HTTP URL:  not applicable for the root; issuing CA CRL can be found at http://crl.entrust.net/g2ca.crl
CRL issuing frequency for end-entity certificates:  CRL is issued every 24 hrs, valid for 7 days
OCSP URL:  http://ocsp.entrust.net

Class (domain-validated, identity/organisationally-validated or EV):  OV and EV
EV policy OID(s) (if applicable):  2.16.840.1.114028.10.1.2
Certificate Policy URL:  http://www.entrust.net/CPS
CPS URL:  http://www.entrust.net/CPS

Requested Trust Indicators (email and/or SSL and/or code): email, SSL and code signing
URL of website using certificate chained to this root (if applying for SSL):  https://validg2.entrust.net/
I hope to begin Information Verification soon, and I will update this bug again at that time.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - Information incomplete
I have the "Entrust Root Certification Authority - G2" root cert imported and trusted, but I get the following error when I try to go to the test website: https://validg2.entrust.net/

"An error occurred during a connection to validg2.entrust.net.
The OCSP server has no status for the certificate.
(Error code: sec_error_ocsp_unknown_cert)"
CRL link doesn't seem to work: http://crl.entrust.net/g2ca.crl
Hi Kathleen,

As the G2 root is not in production, we are not currently supporting CRL or OCSP for that root. This is similar to how we have proceeded in the past when embedding a new root certificate. Please advise if this will be a problem for your process.

Thanks, Bruce.
Attached file Initial CA Information Document (obsolete) —
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Attachment #579509 - Attachment is obsolete: true
Hi Kathleen,

How would you like the information provided? Can you send me an editable version of the document that I can edit/complete?

Thanks, Bruce.
Attached file Completed CA Information Document (obsolete) —
This request has been added to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are
directly impacted by the time it takes to work through the queue. The goal is
to have each discussion take about two weeks. However, that time varies
dramatically depending on the number of reviewers contributing to the
discussion, and the types of concerns that are raised. If no one reviews and
contributes to a discussion, then a request may be in the discussion for
several weeks. When there are not enough people contributing to the discussions
ahead of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue?

You can help by reviewing and providing your feedback in the public discussions
of root inclusion requests, or by asking a knowledgeable colleague to do so.

Participating in other discussions is a great way to learn the expectations and
be prepared for the discussion of your request.

Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
My notes indicate that "Entrust Root Certification Authority - G2" is not yet in production, so does not yet have an intermediate certificate, and also does not yet have CRL or OCSP support. Is that still the case?
Is this request to turn on EV for either of the "Entrust.net Certification Authority (2048)" or the "Entrust Root Certification Authority - G2" root certificates? If yes, will need the following:
- WebTrust EV audit covering each applicable root
- Test website whose EV SSL cert chains up to the root
- Completion of https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
The G2 root is still not in production, has not issued an intermediate certificate, and does not have CRL/OCSP support. If any of the above are requirements for inclusion, please let me know and I will get them addressed.

Regarding EV for the roots:
- EV Audit report, https://entrust.webtrust.org/ViewSeal?id=328
- 2048 test site, https://2048test.entrust.net/
- G2 test site, https://validg2.entrust.net/
- We will work on completion of the PSM:EV Testing Easy Version.

Thanks, Bruce.
> - 2048 test site, https://2048test.entrust.net/

The Certificate Policy listed in the SSL cert is:
1.2.840.113533.7.75.2
But my notes indicate that the EV Policy OID is:
2.16.840.1.114028.10.1.2

I can start the discussion for this request once there is a test website whose EV SSL cert chains up to the "Entrust.net Certification Authority (2048)" root, and you have confirmed that the "PSM:EV Testing Easy Version" has been successfully completed for that root.

In regards to the "Entrust Root Certification Authority - G2" root, it can be included in the discussion, but final approval of EV will be dependent on there being OCSP support and completion of "PSM:EV Testing Easy Version".
Here is an EV test site for the 2048 root, https://evtest2048.entrust.net/. The certificate has expired. Does this work for you or do you need a new certificate issued?
(In reply to Bruce Morton from comment #17)
> Here is an EV test site for the 2048 root, https://evtest2048.entrust.net/.
> The certificate has expired. Does this work for you or do you need a new
> certificate issued?

Please issue a new cert.
Hi Bruce, Any update?
As per Bug #849833 I am going to move the inclusion of the new G2 root certificate into its own Bugzilla bug, and use this bug for only the replacement root cert.
The inclusion request for the G2 root has been moved to bug #849950.

This bug is now only for the request to replace the Entrust.net Certification Authority (2048) root certificate with the updated version of the cert.
Summary: Add Entrust Root Certificates to NSS → Replace Entrust.net Certification Authority (2048) root certificate
Bruce, Please review the updated "Completed CA Information Document" that is attached to this bug, and reply to indicate if it still accurate or provide corrections/updates.
Attachment #581115 - Attachment is obsolete: true
Hi Kathleen,

Most of it looks fine; please note the following:
- CNNIC cross-certificate has expired, so they could be removed.
- CPS documents have been updated and can be found on http://www.entrust.net/CPS. The changes should cover off questions regarding verification procedures.
- OCSP responses are generated every 8 hours.

Please let me know if I have any action items.

Thanks, Bruce.
Attachment #723613 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from Entrust to replace the “Entrust.net Certification Authority (2048)” root certificate, keep all three trust bits enabled, and also enable EV.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “Entrust Request to Replace Previously Included Root Cert”

Please actively review, respond, and contribute to the discussion.

A representative of Entrust must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to update the “Entrust.net Certification Authority (2048)” root certificate, keep all three trust bits enabled, and also enable EV.

Section 4 [Technical]. I am not aware of instances where Entrust has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. Entrust appears to provide a service relevant to Mozilla users. It is a commercial CA serving the global market for SSL web certificates. Entrust also issues certificates to subordinate CAs for enterprise and commercial use. Entrust has enterprise subordinate CAs that issue certificates for SSL and S/MIME internal use. There are also commercial subordinate CAs that issue SSL certificates and S/MIME certificates to the public.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CPS and EV CPS, which are in English.

Document Repository: http://www.entrust.net/CPS
CPS: http://www.entrust.net/CPS/pdf/ssl-cps-250612-v2-8.pdf
EV CPS: http://www.entrust.net/CPS/pdf/evssl_cps_english250612.pdf

Section 7 [Validation]. Entrust appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: According to CPS section 3.1.10, authorization to use the domain is done by contacting an authorization contact at the entity that registered the domain name or by contacting a user identified in the WHOIS record.

* Email: According to CPS section 3.1.11, Registration Authorities shall use reasonable means to confirm the Applicant or Subscriber has control of the email address to be included in the Entrust Certificate. The email address for Entrust Client Certificates is confirmed using the email through the enrollment process.

* Code: Entrust only issues Code Signing certificates to organizations. Organization identity information and authorization is verified the same as with Entrust EV SSL certificates.

* According to EV CPS section 3.1.8, Registration Authorities operating under the Entrust EV SSL Certification Authorities shall determine whether the organizational identity, legal existence, physical existence, operational existence, and domain name provided with an Entrust EV SSL Certificate Application are consistent with the requirements set forth in the Guidelines published by the CA/Browser Forum.

Section 15 [Certificate Hierarchy]. This root signs both internally-operated subCAs and externally-operated subCAs. It has also been used to cross-sign other roots in Mozilla’s Program. Details are provided in the CAInformation document attached to this bug.

* EV Policy OID: 2.16.840.1.114028.10.1.2

* CRL 
http://crl.entrust.net/2048ca.crl
http://crl.entrust.net/level1c.crl (NextUpdate: 7 days)
CPS section 4.4.3: CRLs updated within 24 hours of revocation request.
CPS section 4.4.9: CRLs for end entities shall be issued at least once every seven days.

* OCSP
http://ocsp.entrust.net/
CPS section 4.4.11: OCSP responses for end entities issued at least every 4 days, with maximum expiration time of 10 days.

Sections 9-11 [Audit]. Annual audits are performed by Deloitte and Touche according to the WebTrust CA and WebTrust EV criteria and posted on the webtrust.org website.
https://entrust.webtrust.org/ViewSeal?id=328

Based on this assessment I intend to approve this request to update the “Entrust.net Certification Authority (2048)” root certificate, keep all three trust bits enabled, and also enable EV.

Note that EV-enablement will be on hold until Entrust has successfully completed EV-testing with this root. (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version).
Whiteboard: EV - In public discussion → EV - Pending Approval
As per the summary in Comment #27, and on behalf of Mozilla I approve this request from Entrust to update the following root certificate:

** “Entrust.net Certification Authority (2048)”  (websites, email, code signing), enable EV.

I will file the NSS bug for the actual root replacement.

Creation of the PSM bug for EV-enablement will be on hold until Entrust has successfully completed EV-testing with this root. (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version).
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS, EV Testing, PSM
Depends on: 856678
I have filed bug #856678 against NSS for the actual replacement.

I will file the PSM bug (for EV treatment) after Entrust confirms successful completion of EV-testing (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version).
Whiteboard: EV - Approved - awaiting NSS, EV Testing, PSM → EV - Approved - In NSS 3.15, Firefox 23, awaiting EV Testing, PSM
Attached image 2048 EV Test.png
I was just about to start the next batch of EV changes, and noticed that this request is not quite ready -- the EV test cert is signed directly by the root.

If you would like this EV-enablement to be included in this batch, then please update this bug this week to let me know when the test site (with a correct EV chain) is available.
Hi Kathleen, this test site has been updated https://2048test.entrust.net with the test certificate issued from an intermediate CA.

Thanks, Bruce.
Output from EV Checking Tool:
// CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
"2.16.840.1.114028.10.1.2",
"EntrustCA2048",
SEC_OID_UNKNOWN,
{ 0x6D, 0xC4, 0x71, 0x72, 0xE0, 0x1C, 0xBC, 0xB0, 0xBF, 0x62, 0x58, 
  0x0D, 0x89, 0x5F, 0xE2, 0xB8, 0xAC, 0x9A, 0xD4, 0xF8, 0x73, 0x80, 
  0x1E, 0x0C, 0x10, 0xB9, 0xC8, 0x37, 0xD2, 0x1E, 0xB1, 0x77 },
"MIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3LmVudHJ1c3Qu"
"bmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMG"
"A1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50"
"cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp",
"OGPe+A==",
Success!
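The tool output above is in the layout of an NSS EV root-table entry: the EV policy OID, a short name, a SECOidTag slot (SEC_OID_UNKNOWN until NSS fills it in at load time), the SHA-256 fingerprint of the root certificate as a byte array, the base64 DER-encoded issuer Name, and the base64 content octets of the serial number INTEGER. The script below is an added example for this page, not part of this bug, of the EV Checking Tool or of NSS. It decodes the issuer and serial exactly as pasted above with a stdlib-only DER walker, checks that they name the "Entrust.net Certification Authority (2048)" root, and shows how the fingerprint array and the DER encoding of the EV policy OID are produced. The function names, the ATTR_NAMES table and any certificate bytes you pass to fingerprint_array are the example's own assumptions.

```python
"""Decode and reproduce the fields of an NSS EV root-table entry (added example, not NSS code)."""
import base64
import hashlib

# Issuer DN and serial number copied verbatim from the EV Checking Tool output in this bug.
ISSUER_B64 = (
    "MIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3LmVudHJ1c3Qu"
    "bmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMG"
    "A1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50"
    "cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp"
)
SERIAL_B64 = "OGPe+A=="
EV_POLICY_OID = "2.16.840.1.114028.10.1.2"   # Entrust EV policy OID from this bug

# Attribute types found in this issuer name (assumed table; other types print as dotted OIDs).
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos (short and long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OID content octets (without tag/length) into dotted notation."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID as a complete DER element (tag 0x06), e.g. to match certificatePolicies."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)


def decode_name(der):
    """Decode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into a list of (type, value)."""
    tag, seq, _ = read_tlv(der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = read_tlv(seq, pos)
        assert tag == 0x31, "each RDN must be a SET"
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = read_tlv(rdn_set, inner)
            _, oid, p = read_tlv(atv)
            str_tag, text, _ = read_tlv(atv, p)
            # UTF8String (0x0C) is UTF-8; PrintableString, IA5String and TeletexString here are ASCII.
            value = text.decode("utf-8" if str_tag == 0x0C else "latin-1")
            rdns.append((ATTR_NAMES.get(decode_oid(oid), decode_oid(oid)), value))
    return rdns


def decode_ev_entry(issuer_b64, serial_b64):
    """Return the issuer RDNs and the serial number carried by an NSS EV entry."""
    issuer = decode_name(base64.b64decode(issuer_b64))
    serial = int.from_bytes(base64.b64decode(serial_b64), "big", signed=True)
    return {"issuer": issuer, "serial": serial}


def name_to_string(rdns):
    """Render a Name most-specific RDN first, as the tool's comment line does (no escaping applied)."""
    return ",".join("%s=%s" % rdn for rdn in reversed(rdns))


def fingerprint_array(der_cert):
    """Format SHA-256(certificate DER) as the brace-enclosed byte array used in NSS EV entries."""
    digest = hashlib.sha256(der_cert).digest()
    return "{ " + ", ".join("0x%02X" % b for b in digest) + " }"


if __name__ == "__main__":
    entry = decode_ev_entry(ISSUER_B64, SERIAL_B64)
    print("issuer:", name_to_string(entry["issuer"]))
    print("serial: 0x%X" % entry["serial"])
    print("EV policy OID DER:", encode_oid(EV_POLICY_OID).hex())
```

Running it against the entry above yields the same issuer string as the tool's comment line and the serial 0x3863DEF8; the fingerprint array is only reproducible with the root's DER bytes, which are not on this page, so fetch the certificate from the URL given in the request and compare the output of fingerprint_array with the array in the entry before trusting the entry.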
Depends on: 1102519
(In reply to Kathleen Wilson from comment #29)
> I will file the PSM bug (for EV treatment) after Entrust confirms successful
> completion of EV-testing
> (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version).

I have filed Bug #1102519 for enabling EV treatment for this root.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - In NSS 3.15, Firefox 23, awaiting EV Testing, PSM → EV - Approved - In NSS 3.15, Firefox 23, EV enabled in FF 36
Product: mozilla.org → NSS
Product: NSS → CA Program