Repasting Comment 7 from Bug 1649943 here, which is relevant: > We maintain dates for the issuance of ICA certificate with the same keys and without the EKU OCSP Signing, which we attach, and for the revocation of current certificates with EKU OCSP Signing. > > We will ask this week to add to OneCRL the current ICA certificates and the new ones, except INFRAESTRUCTURA, as a mitigation means for OneCRL clients. > > Issuance of new certificates with new keys: estimated week of July 27, 2020. > > Clarifications: > * Firmaprofesional has exclusive control of the private keys of all the CAs that are part of its hierarchy and thus declares it in its CPS > * None of the affected ICA certificates of Firmaprofesional has the keyUsage digitalSignature > * Only the ICA INFRASTRUCTURE issues SSL certificates. > * The new INFRASTRUCTURE certificate with new keys will be the first in a series of CA Intermedia (ICA) certificates aimed at issuing secure server certificates that will follow this scheme: > ** The ICA certificate will last no more than 3 years. > ** ICA certificates will be renewed annually, with new keys > ** For easier identification of the certificates, the year of issue will be added to the certificate, for example "AC FIRMAPROFESIONAL - Secure Web 2020"
Bug 1651637 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Repasting Comment 7 from Bug 1649943 here, which is relevant: > We maintain dates for the issuance of ICA certificate with the same keys and without the EKU OCSP Signing, which we attach, and for the revocation of current certificates with EKU OCSP Signing. > > We will ask this week to add to OneCRL the current ICA certificates and the new ones, except INFRAESTRUCTURA, as a mitigation means for OneCRL clients. > > Issuance of new certificates with new keys: estimated week of July 27, 2020. > > Once the new certificates appear in the Spanish TSL (this is a requirement for most of our clients who also rely in the TSL), we will begin the rollover of the still valid leaf certificates to the new ICA certificates with new key pairs and when the rollover is completed: revocation of the ICA certificates with the same keys and key destruction ceremony. > > Clarifications: > * Firmaprofesional has exclusive control of the private keys of all the CAs that are part of its hierarchy and thus declares it in its CPS > * None of the affected ICA certificates of Firmaprofesional has the keyUsage digitalSignature > * Only the ICA INFRASTRUCTURE issues SSL certificates. > * The new INFRASTRUCTURE certificate with new keys will be the first in a series of CA Intermedia (ICA) certificates aimed at issuing secure server certificates that will follow this scheme: > ** The ICA certificate will last no more than 3 years. > ** ICA certificates will be renewed annually, with new keys > ** For easier identification of the certificates, the year of issue will be added to the certificate, for example "AC FIRMAPROFESIONAL - Secure Web 2020"