Closed
Bug 1048045
Opened 10 years ago
Closed 10 years ago
GlobalSign Partner: No SAN
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: him, Assigned: steve.roylance)
Attachments
(1 file)
2.27 KB,
application/x-x509-ca-cert
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2106.0 Safari/537.36
Steps to reproduce: Looked for the SAN extension in the attached certificate.
Actual results: Certificate does not contain a SAN extension.
Expected results: As per 9.2.1 of CA/B Baseline Requirements, all end entity certificates must have the SAN extension.
Updated•10 years ago
Assignee: kwilson → steve.roylance
Blocks: BR-Compliance
Comment 1•10 years ago (Assignee)
GlobalSign has been running a Partner Program since January 1999. The program has changed over time to meet the demands of the changing environment for external CA operation. Occasionally some of those changes overlap and best practice moves to the next program where improvements are made. Whilst auditing helps to find and correct issues, it does not always catch all issues in time. This is one of those examples.
The "Virginia Tech Global Server CA" is now in revocation mode only, i.e. only issuing CRLs, and has been replaced by a new Name Constrained CA - "Virginia Tech Global Qualified Server CA". This crossover took place in 2013 (March through to September to be exact). You can see the new CA in operation here: https://www.vt.edu/, which has SANs and Name Constraints and is based on the new Program from GlobalSign 'Trusted Root' rather than the older program 'RootSign Partners'.
GlobalSign will re-verify with the customer when the last Certificate was issued from the older system, but looking at an audit report from Q1 this year it seems to be September 2013 with an expiry of Feb 2016. Although an infringement of the Baseline Requirements was made with the old program, it was not deemed 'critical'; therefore older certificates without SANs were not replaced ahead of their normal expiry.
There are currently 428 certificates still alive and 115 of those have SANs included (i.e. where multiple DNS names were needed). That figure is now 100% for the new CA (from March 2013 onwards); therefore I hope this blocking bug can be closed down as the necessary corrective actions have been made and moving forward the CA is compliant.
Comment 2•10 years ago (Assignee)
My apologies, the expiry of the last certificate is September 2015, not Feb 2016 as stated above. This is in line with previous communications with Mozilla staff on expiry of CRL only issuing CAs.
Subject: CN=VetWebAP.vetmed.vt.edu,OU=vetmed,O=Virginia Polytechnic Institute and State University,L=Blacksburg,ST=Virginia,DC=vt,DC=edu,C=US
Issuer: CN=Virginia Tech Global Server CA,OU=Global Server CA,O=Virginia Tech,C=US
Fingerprint (SHA-1): D9:78:4C:A4:BB:40:06:97:75:36:96:41:22:87:F5:4C:2F:5D:C7:41
Serial: 6C:58:1C:B3:9F:F0:32:85
Valid Until: 13-SEP-2015 13:30:41 GMT
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Updated•7 years ago
Product: mozilla.org → NSS
Updated•1 year ago
Product: NSS → CA Program
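The check described in this bug (does an end-entity certificate carry a SAN extension?) can be run over a batch of DER certificates as below. This is an added example, not part of the bug or of any GlobalSign or Mozilla tooling; the function names are hypothetical, and the sample certificate is a constructed skeleton with a dummy key and signature.

```python
# Stdlib-only DER walk that looks for subjectAltName. Single-byte tags only.
SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName

def tlv(tag, body=b""):
    """DER-encode one element with a definite length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def children(buf):
    """Yield (tag, value) for each DER element directly inside buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + n]
        i += n

def san_dns_names(cert_der):
    """Return the SAN dNSName list, or None when the extension is absent."""
    _, tbs = next(children(next(children(cert_der))[1]))  # Certificate -> tbsCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                   # [3] EXPLICIT extensions
            (_, exts), = children(val)
            for _, ext in children(exts):
                fields = list(children(ext))   # OID, optional critical, OCTET STRING
                if fields[0] == (0x06, SAN_OID):
                    (_, names), = children(fields[-1][1])
                    return [v.decode("ascii") for t, v in children(names) if t == 0x82]
    return None

def sample_cert(dns_names):
    """Constructed skeleton certificate (dummy key and signature) for the demo."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"host.example"))))
    dates = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    exts = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30)))  # basicConstraints
    if dns_names:
        names = b"".join(tlv(0x82, d.encode()) for d in dns_names)  # dNSName is [2]
        exts += tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, names)))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + dates + name
           + tlv(0x30, alg + tlv(0x03, bytes(17))) + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, bytes(17)))
```

A `None` result marks a certificate without the extension; an empty list means the extension exists but holds no dNSName entries.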