Closed Bug 1400030 Opened 4 years ago Closed 4 years ago

Remove old Certum CA Root certificate

Categories

(NSS :: CA Certificates Code, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

Details

(Whiteboard: Removed in NSS 3.34, Firefox 58)

Please remove the following root certificate from NSS. 

Common Name: Certum CA
Issuer Organization: Unizeto Sp. z o.o.
SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24

* NOT enabled for EV treatment.

From the CA: the root (Certum CA) is our "old" CA and we don't have any SHA-2 Sub-CA under this root
Depends on: 1408080
Certum CA is still used today for S/MIME certificates. Might removing it from NSS cause any problems for our customers when they use Mozilla's email clients?
(In reply to Arkadiusz Ławniczak from comment #1)
> Certum CA is still used today for S/MIME certificates. Might removing it from
> NSS cause any problems for our customers when they use Mozilla's email
> clients?

The only Mozilla email client that I am aware of is Thunderbird. It is possible that when your clients install future versions of Thunderbird they will need to manually install your root cert.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: Removed in NSS 3.34, Firefox 58
So why does Mozilla want to remove this root from NSS? I don't see any reason for doing this. Please note that the group of Thunderbird users is not a small circle of people. Many of our customers use Thunderbird, and installing the Root CA manually would not be acceptable. Moreover, the Certum CA root has been audited this year to show that we maintain the expected level of services and also to permit Certum CA to issue SHA1 S/MIME certificates (that are not within the scope of the Baseline Requirements).
Although S/MIME certificates are in scope of the Mozilla Root Policy, I do not see that Certum CA does not comply with the requirements of this policy.
I have filed Bug #1418678 to add this root cert back to NSS (with only the Email trust bit set).