Bug 562395 - Add Camerfirma root certificates to NSS
Status: Closed, RESOLVED FIXED
Opened 14 years ago; closed 14 years ago
Product/Component: NSS :: CA Certificates Code (task)
Tracking: Not tracked
People: Reporter: kathleen.a.wilson; Assigned: KaiE
Attachments: 2 files
This bug requests inclusion in the NSS root certificate store of the following certificates, owned by Camerfirma.

Friendly name: Chambers of Commerce Root - 2008
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=339325
SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
Trust flags: Websites, Email, Code Signing
Test URL: https://server1.camerfirma.com:8081/

Friendly name: Global Chambersign Root - 2008
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=339324
SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
Trust flags: Websites, Email, Code Signing
Test URL: https://server2.camerfirma.com:8082/

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate approved for inclusion in bug #406968.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
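Step 2 asks the CA to confirm that the roots landed in the test build with the requested trust flags. As an added example (not part of this bug, of NSS, or of Camerfirma's process), the following Python parses the listing printed by NSS's certutil -L for a profile database and compares each root's SSL / S/MIME / JAR-XPI trust columns against the Websites / Email / Code Signing flags requested above; the certutil listing embedded below is constructed for the example, not captured from a real build.

```python
import re

# Trust flags requested in the bug description, keyed by friendly name.
REQUESTED = {
    "Chambers of Commerce Root - 2008": {"Websites", "Email", "Code Signing"},
    "Global Chambersign Root - 2008": {"Websites", "Email", "Code Signing"},
}

# Constructed sample of `certutil -L -d <dbdir>` output (not captured from this bug).
# certutil's three trust-attribute columns are SSL, S/MIME and JAR/XPI, in that order.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Chambers of Commerce Root - 2008                             C,C,C
Global Chambersign Root - 2008                               C,C,
Unrelated Test Root                                          ,,
"""

# Column order in certutil output, mapped onto the wording used in inclusion bugs.
PURPOSES = ("Websites", "Email", "Code Signing")
TRUST_COLS = r"[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*"


def parse_certutil_listing(text):
    """Return {nickname: set of purposes for which the cert is a trusted CA ('C')}."""
    trusted = {}
    for line in text.splitlines():
        m = re.match(rf"^(.*?)\s{{2,}}({TRUST_COLS})\s*$", line)
        if not m:
            continue  # header, column-legend and blank lines carry no trust columns
        nick, attrs = m.group(1).strip(), m.group(2).split(",")
        trusted[nick] = {p for p, a in zip(PURPOSES, attrs) if "C" in a}
    return trusted


def check_trust_flags(listing, requested):
    """Per requested root: (missing purposes, unexpected purposes), or
    ("NOT IN STORE", set()) when the nickname is absent from the database."""
    found = parse_certutil_listing(listing)
    report = {}
    for nick, want in requested.items():
        have = found.get(nick)
        report[nick] = ("NOT IN STORE", set()) if have is None else (want - have, have - want)
    return report


if __name__ == "__main__":
    for nick, (missing, extra) in check_trust_flags(CERTUTIL_LISTING, REQUESTED).items():
        status = "OK" if not missing and not extra else f"missing={missing} extra={extra}"
        print(f"{nick}: {status}")
```

With the sample listing, the second root is reported as missing the Code Signing flag, which is exactly the kind of discrepancy the CA representative is asked to catch before the roots are checked in.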
Comment 1 (Reporter) • 14 years ago
Comment 2 (Reporter) • 14 years ago
Ramiro, Please see step #1 above.
Comment 3 • 14 years ago
Kathleen, I have confirmed the above information. Do you need anything else? Regards
Comment 4 (Reporter) • 14 years ago
Thanks for confirming that the data in this bug is correct. Root inclusions are usually grouped and done as a batch when there is either a large enough set of changes or about every 3 months. At some point in the next 3 months a test build will be provided and this bug will be updated to request that you test it. Since you are cc'd on this bug, you will get notification via email when that happens.
Comment 5 (Reporter) • 14 years ago
Ramiro, both of the test websites listed above are currently failing for me with error: sec_error_ocsp_invalid_signing_cert Please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP and resolve this ASAP. Please also add testing of your OCSP service using the Firefox browser with OCSP enforced to your standard testing procedures from now on so that it doesn't break again in the future.
Comment 6 • 14 years ago
Hi Kathleen, our problem with the test sites is that the certificates are expired, so we have to renew the certificates, sorry for that. We will fix the problem as soon as possible; we are in a holiday period so it may take more time than usual. Regards
Comment 7 • 14 years ago
It might be also beneficial to understand how you came into the position to reuse serial numbers as per your own accounts in bug 582531.
Comment 8 • 14 years ago
It was just an error in the certification process. We usually issue sub-CA certificates in a manual ceremony, and a wrong configuration file was used. This CA does not issue end-user certificates anymore. We will replace valid end-user certificates.
Comment 9 (Reporter) • 14 years ago
As per https://bugzilla.mozilla.org/show_bug.cgi?id=582531#c8 Camerfirma has made procedural changes to ensure that they don't make the mistake of reusing serial numbers again when issuing intermediate CAs.
Comment 10 (Reporter) • 14 years ago
The new test websites for these roots are as follows. Note that these websites are currently on servers that are used by Camerfirma developers for testing purposes, so it is possible that at times these may be temporarily offline.

-- Chambers of Commerce Root – 2008 --
https://server1.camerfirma.com:8081
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2 (This is the OID for OV certs)
https://www.camerfirma.com
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2 (This is the EV Policy OID)
I have successfully browsed to both of these websites in Firefox with OCSP enforced. The SSL certs for both of these sites chain up to the intermediate CA "Camerfirma Corporate Server – 2009". The AIA for both the end-entity certs and the intermediate cert has OCSP: URI: http://ocsp.camerfirma.com
Note: The CA hierarchy for "Chambers of Commerce Root – 2008" is a little different than I described in https://bugzilla.mozilla.org/show_bug.cgi?id=406968#c92. Express Corporate Server and Corporate Server EV were in the old hierarchy. In the new, 2008, hierarchy the subCA "Corporate Server 2009" issues both OV and EV certificates with different Policy OIDs.

-- Global Chambersign Root – 2008 --
https://server2.camerfirma.com:8082
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2 (This is the OID for OV certs)
https://server3.camerfirma.com
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2 (This is the EV Policy OID)
I have successfully browsed to both of these websites in Firefox with OCSP enforced. The SSL certs chain up to "RACER – 2009", which is signed by "AC Camerfirma – 2009", which is signed by this root. The AIA for the end-entity and intermediate certs all have OCSP: URI: http://ocsp.camerfirma.com
Comment 11 (Assignee) • 14 years ago
Current test builds (Mozilla experimental) for various platforms can be found at
http://stage.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-b725b0fd279e/

Please note the builds at above location will be automatically deleted after two weeks, so please make copies if you need them.

Please test and confirm that your roots have been added correctly, with the correct trust flags (use certificate manager, find your cert, click "view" to see the trust flags).

(Please note, if you have asked for enabling EV, that's not yet done, and will be a separate step.)
Comment 12 • 14 years ago
I have tested, but https://server3.camerfirma.com and https://www.camerfirma.com, which should be marked as EV, do not show the green mark. Regards Ramiro
Comment 13 (Assignee) • 14 years ago
Ramiro, please read the last paragraph of comment 11.
Comment 14 • 14 years ago
OK, sorry for my confusion. I have updated Minefield this morning and suddenly the roots Global Chambersign Root - 2008 and Chambers of Commerce Root - 2008 have disappeared from the store. Any problem? Regards Ramiro
Comment 15 (Assignee) • 14 years ago
I will look into your comment 14 shortly.

So, I've tried to connect to https://www.camerfirma.com/ with the roots enabled. I get an error message. I think your server is not configured correctly. I think you must install the required intermediate certificates on your server.

I found your server certificate points to http://www.camerfirma.com/certs/camerfirma_cserver-2009
I tried to fetch the intermediate cert from that location, but unfortunately, that URL is broken, it gives me a 404 not found error...

Please fix your server cert configuration. Please fix your cert issue process. I guess you should not issue certs that point to invalid locations.

Your server at https://server3.camerfirma.com/ works for me.
Comment 16 (Assignee) • 14 years ago
(In reply to comment #14)
> I have update minefield this morning and suddenly roots
> Global Chambersign Root - 2008
> Chambers of Commerce Root - 2008
> have desapiered from the store

I can't confirm this. Do you still see it? Do you see it with "kai's test build" or with "general minefield nightly"?
Comment 17 • 14 years ago
Kai, I already fixed the server (intermediate CA) and the link. It was an error issuing the test certificate in the AIA, since the file name extension in the URL was missing. I will issue a new test certificate; meanwhile I have published the file with no extension. I hope everything is OK now. Regards Ramiro
Comment 18 (Assignee) • 14 years ago
I made a new testbuild, now it includes the patch to enable roots for EV.
http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/

I've learned that tryserver builds are automatically deleted quickly, after 4 days. I've mirrored the most important files here:
http://kuix.de/mozilla/tryserver-roots-20101125/
Comment 19 (Assignee) • 14 years ago
(In reply to comment #17)
> I already fixed the server (intermediate CA) and the link.
> It was an error issuing the test certificate in the AIA sice the name file
> extention in the URL is missed. I will issue a new test certificate, meanwhile
> I have published the file with no extention.

I confirm, you have fixed https://www.camerfirma.com/ I can connect on initial attempt with a fresh profile.

So, here is my request to you, according to the first comment in this bug, section (2):

Ramiro: Please confirm that your root certificate(s) are correctly added to the NSS root store. In particular, please make sure that the certificates have the correct trust flags. You can use Firefox preferences / advanced / encryption / certificates / edit-trust to look at the trust flags.

Once you have confirmed, we are ready to add your certs to NSS.

(There is still a problem regarding EV. But we must discuss remaining EV problems in bug 562399, not here).
Comment 20 • 14 years ago
Sorry again. I confirm that the root certificates are OK and also the trust flags are OK. Thank you
Comment 21 (Assignee) • 14 years ago
Fixed by bug 613394
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED