Closed Bug 1552403 Opened 6 years ago Closed 1 year ago

Add National Certification Authority of Sri Lanka root certificates

Categories

(CA Program :: CA Certificate Root Program, task, P5)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: priyankara, Assigned: bwilson)

Details

(Whiteboard: [ca-initial] - BW Comment #11 2021-01-07)

Attachments

(6 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36

Hello, I am writing on behalf of Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT). Sri Lanka CERT is currently in the process of setting up the National Certification Authority of Sri Lanka.

We are planning to perform our Web Trust Audit next month and we are keen to know what steps are to be followed in order to embed our CA Root Certificate in Mozilla browsers.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Type: defect → enhancement

(In reply to Priyankara Perera from comment #1)

Hello, I am writing on behalf of Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT). Sri Lanka CERT is currently in the process of setting up the National Certification Authority of Sri Lanka.

We are planning to perform our Web Trust Audit next month and we are keen to know what steps are to be followed in order to embed our CA Root Certificate in Mozilla browsers.

Mozilla's root inclusion process is described here:
https://wiki.mozilla.org/CA/Application_Process

Most of the required information can be provided directly in the Common CA Database, and you can request access to the CCADB as described here:
https://ccadb.org/cas/request-access

CAs with access to the CCADB may create a Root Inclusion Case as described here:
https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case
IMPORTANT: Whenever you update data in your Root Inclusion Case in the CCADB, be sure to add a comment to your Bugzilla Bug to let folks know to re-check the information.

Whiteboard: [ca-verifying] - KW Comment #2 2019-06-04
Type: enhancement → task

Dear Kathleen,

We apologize for the late update. Currently, we are in the process of obtaining the web trust certification for our Root CA and wish to submit all related documents soon, as specified in the Mozilla guidelines.

We are planning to have two subordinate CAs under our Root CA and we would like to know if there are any guidelines/specifications to be followed by Subordinate CAs in order to comply with Mozilla.

Thank you.

Regards,
Priyankara.

(In reply to Priyankara Perera from comment #3)

We are planning to have two subordinate CAs under our Root CA and we would like to know if there are any guidelines/specifications to be followed by Subordinate CAs in order to comply with Mozilla.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#53-intermediate-certificates
https://www.ccadb.org/policy#51-audit-statement-content
https://www.ccadb.org/cas/intermediates
https://wiki.mozilla.org/CA/Subordinate_CA_Checklist

Dear Priyankara,
Please provide us an update on the status of your root and audit. Do you still have interest in pursuing this matter with Mozilla?
Thanks,
Ben

Flags: needinfo?(priyankara)
Assignee: kwilson → bwilson

I don't believe that we have received any response to our inquiry. I intend to close this bug on or about 1-Nov-2020 unless the applicant contacts us and informs us that they intend to pursue this application for root inclusion.

Flags: needinfo?(bwilson)

Dear Ben,

Extremely sorry for the late reply.

Even though we completed the Root Key Generation of the National Certification Authority of Sri Lanka on 14th February 2020, we are still in the process of obtaining the web trust seal from our web trust auditor.

Hence, appreciate if you can keep the ticket open.

We will submit the required documents at our earliest.

Thank you.

Regards,
Priyankara.

Flags: needinfo?(priyankara)

Dear Priyankara,
Could you please provide an update on your audit progress?
Thanks,
Ben

Flags: needinfo?(bwilson) → needinfo?(priyankara)

Dear Ben,

We are still in the process of obtaining the web trust seal from our web trust auditor (BDO Malaysia).
Due to COVID-19, we are getting a slow response from the auditor.

Kindly provide us an extension of a few weeks...

Thank you.

Regards,
Priyankara.

Flags: needinfo?(priyankara)

Dear Ben,

We have successfully completed Point In Time Audit.
Meanwhile we have requested the CCADB Access.

Regards,
Priyankara.

Terrific news. Thanks. Let me know if you have any trouble following any of the instructions on starting a new root case in the CCADB.

Whiteboard: [ca-verifying] - KW Comment #2 2019-06-04 → [ca-initial] - BW Comment #11 2021-01-07

The case number in CCADB Forum is 00000716

I am looking at the Root CA Certificate with serial number 00D72F8C0575516C8C000000005E464B0D (downloaded from https://nca.gov.lk/index.php/Main/certificates). When our system calculates the SHA256 hash of the Root CA certificate we get: 57D705F10BA0EE4E26338EE8E799F202817CEE2DD3FB67459639B632B80763B4.
But the PIT audit lists a SHA256 hash of b67b4fc8ea3c1bbe27b40d613754352904c1164bf6b61fe03aa28c489a5ad1c6.
Was this SHA256 hash calculated by you or your auditor incorrectly?

Priyankara,
Go to this URL, https://ccadb.force.com/5004o00000JaJU2AAN, and click on the blue "Print NEED Fields" button under "Mozilla Additional Requirements" to see what fields you need to work on, enter data into, and complete. Please let me know when you've made any progress.
Thanks,
Ben

Flags: needinfo?(priyankara)
Priority: -- → P4

(In reply to Ben Wilson from comment #16)

I am looking at the Root CA Certificate with serial number 00D72F8C0575516C8C000000005E464B0D (downloaded from https://nca.gov.lk/index.php/Main/certificates). When our system calculates the SHA256 hash of the Root CA certificate we get: 57D705F10BA0EE4E26338EE8E799F202817CEE2DD3FB67459639B632B80763B4.
But the PIT audit lists a SHA256 hash of b67b4fc8ea3c1bbe27b40d613754352904c1164bf6b61fe03aa28c489a5ad1c6.
Was this SHA256 hash calculated by you or your auditor incorrectly?

Dear Ben,

We calculated the SHA256 checksum of the ".pem" version of the root certificate (cacert.pem) during the root key generation ceremony. However, the NCA web site (https://nca.gov.lk/index.php/Main/certificates) contains the ".der" version of the root certificate (cacert.der).

The PIT audit contains the SHA256 checksum of the ".pem" version of the Root Certificate.

Regards,
Priyankara.

Flags: needinfo?(priyankara)

Can you make sure this gets corrected to the SHA256 hash of the DER version?
Thanks,
Ben
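The PEM/DER mismatch discussed in the comments above, as an added example that is not part of the bug thread or of any tooling used by Mozilla or the applicant: a certificate fingerprint is the SHA-256 of the DER bytes, while hashing the `.pem` file hashes its base64 text, armor lines and line endings. The sample bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate's DER bytes (not a real certificate);
# hashing does not parse ASN.1, so any byte string starting with 0x30 will do.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def to_pem(der: bytes, newline: bytes = b"\n") -> bytes:
    """Wrap DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der)
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join([b"-----BEGIN CERTIFICATE-----", *body,
                         b"-----END CERTIFICATE-----", b""])

def to_der(data: bytes) -> bytes:
    """Return the DER encoding of a certificate supplied as PEM or DER."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("input is neither PEM nor DER")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding: the certificate's fingerprint."""
    return hashlib.sha256(to_der(data)).hexdigest().upper()

def file_hash(data: bytes) -> str:
    """SHA-256 over the raw file bytes, i.e. what a checksum tool reports."""
    return hashlib.sha256(data).hexdigest().upper()

def matches_listed(data: bytes, listed: str) -> bool:
    """Compare with a hash from an audit letter, ignoring case, ':' and spaces."""
    return fingerprint(data) == re.sub(r"[:\s]", "", listed).upper()

if __name__ == "__main__":
    pem_lf, pem_crlf = to_pem(SAMPLE_DER), to_pem(SAMPLE_DER, b"\r\n")
    print("DER fingerprint :", fingerprint(SAMPLE_DER))
    print("PEM fingerprint :", fingerprint(pem_crlf))   # same as DER
    print("hash of PEM/LF  :", file_hash(pem_lf))       # differs from DER
    print("hash of PEM/CRLF:", file_hash(pem_crlf))     # differs again
```

Normalizing to DER before hashing gives one value for every encoding of the same certificate, which is why a checksum taken over `cacert.pem` cannot be compared with a fingerprint computed from `cacert.der`.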

Dear Ben,

We have submitted the necessary documents to our auditor in order to update the DER version of the SHA256 hash in the PiT audit report.
We will share the updated PiT audit report as soon as possible.

Regards,
Priyankara.

Dear Ben,

We have attached updated (version 2) PiT reports which contain the SHA256 hash of the DER version.
Regards,
Priyankara.

Flags: needinfo?(bwilson)

Do you now have the period of time audit for the period 2/14/2020 through 2/13/2021?

Flags: needinfo?(priyankara)

Also, when you get a chance, please review the Baseline Requirements Self-assessment (https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing) and the common findings that I make when reviewing CPs and CPSes - https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21 - and then update your CP and CPS accordingly.

Flags: needinfo?(bwilson)

Do you have any updated information?

Sent applicant inquiring about availability of audit reports

Priority: P4 → P5

We are in the process of conducting the POT audit at the moment and the auditor is expecting to visit Sri Lanka at the end of March 2022.
Further, one of the Sri Lankan organizations is in the process of being qualified as a licensed CSP at the moment. Moreover, we will open a ticket in Bugzilla to clarify our delay with the assistance of the auditor, at our earliest.

Flags: needinfo?(priyankara)
Severity: normal → S3
Product: NSS → CA Program

Dear All,
We are in the process of onboarding a subordinate CA under our root CA.
Hopefully we will be able to onboard one sub CA by April 2023 and continue with this long-delayed certificate inclusion request.

Dear All,

Kindly close this ticket as a new Root CA is being set up for this requirement.
We will open a separate ticket for the new Root CA.

Regards,
Priyankara.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID