Add ACIN Global Trusted Sign root certificate
Categories
(NSS :: CA Certificate Root Program, task)
Tracking
(Not tracked)
People
(Reporter: info, Assigned: kwilson)
Details
(Whiteboard: [ca-verifying] - KW 2019-11-04 - Comment #16)
Attachments
(6 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Build ID: 20160823121617 Steps to reproduce: We have implemented a new PKI with own Root and SubCA Actual results: In August 2017 we have been audited by APCER and GNS and have been sucessfully certified. At this moment we are already in the UE Trusted List - https://webgate.ec.europa.eu/tl-browser/#/tl/PT/0 Expected results: To have our root included as recognize in your browser.
|
Assignee | |
Comment 1•2 years ago
|
||
Acknowledging receipt of this root inclusion request. I have a huge backlog of CA updates/requests to review, so this has been added to my list. I will update this bug when I begin information verification of this request as per step #2 of our process: https://wiki.mozilla.org/CA/Application_Process#Process_Overview In the meantime, please attach your completed BR Self Assessment to this bug. https://wiki.mozilla.org/CA/BR_Self-Assessment And provide all of the information listed here: https://wiki.mozilla.org/CA/Information_Checklist
|
|
Assignee | |
Comment 2•1 year ago
|
||
The status of this request is that we are waiting for the representative of the CA to provide the required information.
https://wiki.mozilla.org/CA/Information_Checklist#Example_and_Template
|
|
Assignee | |
Comment 5•1 year ago
|
||
I am not finding this CA in the Common CA Database (CCADB), so please fill out the Application for CCADB Access form here:
https://ccadb.org/cas/request-access#application-for-ccadb-access
|
|
Assignee | |
Comment 6•1 year ago
|
||
Thank you for filling in the CCADB Access form. You will receive email when the CCADB CA Community License is issued to you.
Then please create a Root Inclusion Case in the CCADB as described here:
https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case
Hi
We submit the form in the 11-06 but until now we haven´t receive a confirmation submission or the License. The license takes how long ? should we submit the form again , just in case?
Best regards.
|
||
Comment 8•1 year ago
|
||
It appears that a license for this user was created on the same day. I just sent a password reset email - please check your bulk mail folder.
|
Reporter | |
Comment 10•1 year ago
|
||
Hi ,
We just noticed that our audit letter is coming to and end, and we already ask APCER to send us a new one. We have the renew process that we attach here but it is in english, can we submit to CCAB the original audit letter in portuguese and a translated payper, our we need to wait until the new audit letter arraived to submit ??
|
|
Reporter | |
Comment 11•1 year ago
|
||
|
|
Assignee | |
Comment 12•5 months ago
|
||
The link below shows the CA information that needs to be provided and verified. Search in the page for the word "NEED" to see where further clarification is requested.
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000463
To start with:
-
NEED: Full audit history for both root certificates. All audit statements must list the SHA256 thumbprints for all of the root and intermediate certificates that were in scope of the audit, and must meet the requirements of Mozilla's Root Store Policy
NEED: All audit statements must meet the requirements of sections 3.1.3 and 3.1.4 of Mozilla's Root Store Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ -
NEED: Documents to be taken into consideration must be provided in English and as PDF.
This CP URL does not seem to work:
https://pki.globaltrustedsign.com/index.php/home_c/download/PL11_EN
NEED DP02 in English
https://pki.globaltrustedsign.com/index.php/home_c/download/DP02 -
CP/CPS Structured According to RFC 3647
NEED: CP/CPS documents must be structured according to RFC 3647. This requirement is stated in section 2.2 of the CA/Browser Forum Baseline Requirements, with the effective of 31 May 2018.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
CAA Domains listed in CP/CPS: NEED: CA's Certificate Policy and/or Certification Practice Statement ... shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
Long-lived Certificates: 1 to 3 years, it will be revised as soon as possible.
NEED: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Long-lived_Certificates
Non-Standard Email Address Prefixes for Domain Ownership Validation: This will be revised to explicity and added to DP02 13.3
NEED: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Non-Standard_Email_Address_Prefixes_for_Domain_Ownership_Validation -
NEED: Add existing intermediate certificates to the CCADB, as described here:
https://www.ccadb.org/cas/intermediates#adding-intermediate-certificate-data -
NEED: URLs to the three test websites (valid, revoked, expired) whose TLS certs chain up to this root certificate. This is required per section 2.2 of the CA/Browser Forum Baseline Requirements. NEED: If you are requesting EV treatment, then the TLS cert for each test website must be EV.
NEED: Test with http://certificate.revocationcheck.com/ make sure there aren't any errors.
NEED: If EV treatment is being requested, then provide successful output from EV Testing as described here https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
|
|
Assignee | |
Updated•5 months ago
|
|
|
Reporter | |
Comment 13•5 months ago
|
||
Hi
We are still waiting for the APCER issues the new audit statements as soon as we received we will sended to you.
In the CCAB we already submited the PEM info about the Root certificate and the SUbCA certificate, you can check the certificates using the following URL´s :
https://pki.globaltrustedsign.com/index.php/home_c/download/ROOT
https://pki.globaltrustedsign.com/index.php/home_c/download/SUBCA
CP/CPS
https://pki.globaltrustedsign.com/index.php/home_c/download/PL11
https://pki.globaltrustedsign.com/index.php/home_c/download/DP02
We will be updating the topic as soon as we have the other information requested.
Best Regards.
|
|
Assignee | |
Comment 14•4 months ago
|
||
(In reply to GTS from comment #13)
In the CCAB we already submited the PEM info about the Root certificate and the SUbCA certificate, you can check the certificates using the following URL´s :
https://pki.globaltrustedsign.com/index.php/home_c/download/ROOT
https://pki.globaltrustedsign.com/index.php/home_c/download/SUBCA
I see...
This request is for the inclusion of the "Global Trusted Sign Root Certification Authority 01" root certificate which has one subordinate CA, "Global Trusted Sign Certification Authority 01".
I will move the information for the subordinate CA to an intermediate certificate record in the CCADB, and then I will delete the extra root case that had been created with the subCA information.
We will be updating the topic as soon as we have the other information requested.
Please add a comment to this bug when all of the information requested in Comment #12 has been provided.
|
|
Reporter | |
Comment 15•4 months ago
|
||
Hi,
we send you the document that was missing from the original request.
If you need more information, please contact us
Regards
|
|
Assignee | |
Comment 16•4 months ago
|
||
(In reply to GTS from comment #15)
Created attachment 9104912 [details]
I1002_v2_EN_Audit letter eIDAS_SSL_10_2019.pdf
This audit statement appears to only be for the subordinate CA, and does not appear to meet Mozilla's requirements.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#31-audits
We need the full history of audit statements for the root and intermediate cert, as per
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History
And those audit statements must contain the information listed here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
we send you the document that was missing from the original request.
If you need more information, please contact us
Please add a comment to this bug to reply to all of the items listed in Comment #12.
Also note that I ran some tests:
Revocation Tested: https://certificate.revocationcheck.com/gtsvalid.pt
http://ocsp.globaltrustedsign.com/ (GET)
Unexpected HTTP response: 400
ERROR: OCSP signing certificate does not contain the OCSP No Check extension
ERROR: Content-Type in response is not set to 'application/ocsp-response' but to 'application/ocsp-response;charset=UTF8'
Lint Tested: I ran https://crt.sh/lintcert on the SSL cert for https://gtsvalid.pt/ which resulted in these errors:
cablint ERROR BR certificates with CRL Distribution Point must include HTTP URL
zlint ERROR Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service
The CRL URL in the cert is https://pki.globaltrustedsign.com/subca/gts_subca_crl.crl but section 7.1.2.3 of the BRs require it to be http and not https.
EV Tested: https://tls-observatory.services.mozilla.com/static/ev-checker.html
https://gtsvalid.pt/
1.3.6.1.4.1.50302.1.1.2.2.1.0
exit status 1, Stderr: GetFirstEVPolicyForCert failed: SEC_ERROR_EXTENSION_NOT_FOUND This may mean that the specified EV Policy OID was not found in the end-entity certificate.
|
|
Reporter | |
Comment 17•1 month ago
|
||
Comment #12
Hi,
We submitting the new audit letter, for your evaluation.
Best Regards
Description
•