Closed Bug 1505614 Opened 7 years ago Closed 7 years ago

Add Certigna Root CA root certificate to NSS

Categories

(NSS :: CA Certificates Code, task)

Product:
NSS
Component:
CA Certificates Code
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Unassigned)

References

Details

(Whiteboard: In NSS 3.41, Firefox 65)

Attachments

(6 files)

certignarootca.der
1.59 KB, application/x-x509-ca-cert
Details
CERTIGNA SERVICES CA.pem
2.45 KB, application/octet-stream
Details
CERTIGNA WILD CA.pem
2.45 KB, application/octet-stream
Details
CERTIGNA IDENTITY PLUS CA.pem
2.46 KB, application/octet-stream
Details
CERTIGNA IDENTITY CA.pem
2.46 KB, application/octet-stream
Details
FR03.pem
2.31 KB, application/octet-stream
Details
Attached file certignarootca.der
This bug requests inclusion in the NSS root store of the following root certificate owned by Dhimyotis / Certigna. Friendly Name: Certigna Root CA Cert Location: http://autorite.dhimyotis.com/certignarootca.der SHA-1 Fingerprint: 2D0D5214FF9EAD9924017420476E6C852727F543 SHA-256 Fingerprint: D48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168 Trust Flags: Email; Websites Test URL: https://valid.servicesca.dhimyotis.com This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion in bug #1265683. The next steps are as follows: 1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate has been attached. 2) A Mozilla representative creates a patch with the new certificate, and provides a special test version of Firefox. 3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate has been correctly imported and that websites work correctly. 4) The Mozilla representative requests that another Mozilla representative review the patch. 5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED. 6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
Josselin, Please see step #1 above.
Hello, Thank you for processing our request. We confirm that all the data in this bug is correct and that the correct certificate has been attached. Do not hesitate to contact us for further information, Best Regards,
Depends on: 1505899
Josselin, The test build is available here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=726a71039edcc1e835b2d7bce0f8d514e64c2091 Please test as described here: https://wiki.mozilla.org/CA/Application_Instructions#Test Then add a comment in this bug as soon as you have completed your testing.
Flags: needinfo?(j.allemandou)
Josselin, Please perform the testing requested in Comment #3 and update this bug as soon as possible, and within this week, so that we can catch the current NSS release train.
Hello, Please find below the first tests performed. We still have the Android part for which we have problems for their installation. - Linux opt B, BR, Bs OK - Linux x64 asan Bo, Bof OK - Linux x64 opt B, BR, Bb, Bs OK Linux x64 opt Bp, Btup No target.tar.bz2 Linux x64 opt AB Missing Certigna Root CA - Linux x64 NoOpt debug B OK - OS X Cross Compiled asan Bof OK - OS X Cross Compiled opt B OK OS X Cross Compiled opt Bs No target - OS X Cross Compiled NoOpt debug B OK - Windows 2012 pgo B, Bs OK - Windows 2012 opt B, BR, Bmsvc, Bs OK - Windows 2012 NoOpt debug B Bug, long time for response - Windows 2012 x64 pgo B, Bs OK - Windows 2012 x64 asan Bo OK - Windows 2012 x64 opt B, BR, Bmsvc, Bs, OK Windows 2012 x64 opt Bp No target - Windows 2012 x64 NoOpt debug B Bug, long time for response - Windows MinGW all WMC32, OK - Windows MinGW all WMC64, Option not available - Android 4.0 API16+ opt B, BnoGPSA4 OK - Android 4.2 x86 opt B, B Unsuccessful installation - Android 5.0 AArch64 opt B OK - Android 5.0 x86-64 opt B Unsuccessful installation - Gecko Decision Task opt D Could you tell us if the results of these last tests are necessary and if other actions have to be implemented. Best regards,
Flags: needinfo?(j.allemandou)
Hello Josselin. I see that you successfully tested on OS X and Windows. That is sufficient, because the root store changes are independent of platform. I'm not sure what determines which builds are available for the test build, but I will look into that and try to make the testing instructions more clear. Please make sure the intermediate cert data in the CCADB is correct for intermediate certs chaining up to this root. https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data Thanks!
Attached file FR03.pem
Hello We are trying to upload the information of some of our Intermediate CA certificates for this new root via the import of the PEM, but we encounter an error. It's certainly related to the fact that these intermediate CAs were signed by the old root "Certigna" already added on CCADB, and that the addition of the same CAs signed by our new Root "Certigna Root CA" created a duplication problem. The error is as follows: Error processing!! Please contact your administrator. Update failed. First exception on row 0 with id 0011J00001KNBjFQAX; first error: DUPLICATES_DETECTED, You're creating a duplicate Intermediate Certificate.Please make changes to the highlighted fields or use an existing record instead.: [] You will find the PEM files of CAs for which I have not been able to import the information, could you help me to resolve ths issue : CERTIGNA SERVICES CA https://bugzilla.mozilla.org/attachment.cgi?id=9025286 CERTIGNA WILD CA https://bugzilla.mozilla.org/attachment.cgi?id=9025287 CERTIGNA IDENTITY CA https://bugzilla.mozilla.org/attachment.cgi?id=9025289 CERTIGNA IDENTITY PLUS CA https://bugzilla.mozilla.org/attachment.cgi?id=9025288 FR03 https://bugzilla.mozilla.org/attachment.cgi?id=9025290 Thanks in advance for your help.
Josselin, there are already records for each of those intermediate certs in the CCADB, and the do correctly chain up to the "Certigna Root CA" record. You can see this by going to the "Certigna Root CA" record, https://ccadb.force.com/001o000000vmkmq Then scroll down to the "Account Hierarchy" section, and click on the "-" to close the list under the "Certigna" root. They will not show up in https://crt.sh/mozilla-disclosures until the root has been included in Mozilla's root store, and I have updated the status for the root cert record to indicate the inclusion.
Kathleen, thank you for your help. All intermediate authorities linked to this new root are declared in CCADB. Let us know if you need further information. Best regards
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.41, Firefox 65
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: