Add Microsoft root certificates to NSS
Categories
(NSS :: CA Certificates Code, enhancement, P1)
Tracking
(Not tracked)
People
(Reporter: kathleen.a.wilson, Assigned: jcj)
References
Details
Attachments
(4 files)
This bug requests inclusion in the NSS root store of the following root certificates owned by Microsoft Corporation.
Friendly Name: Microsoft RSA Root Certificate Authority 2017
Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
SHA-256 Fingerprint: ECDD47B5ACBFA328211E1BFF54ADEAC95E6991E3C1D50E27B527E903208040A1
Trust Flags: Websites
Test URL: https://actrsaroot2017.pki.microsoft.com/
Friendly Name: Microsoft ECC Root Certificate Authority 2017
Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt
SHA-256 Fingerprint: FEA1884AB3AEA6D0DBEDBE4B9CD9FEC8655116300A86A856488FC488BB4B44D2
Trust Flags: Websites
Test URL: https://acteccroot2017.pki.microsoft.com/
Friendly Name: Microsoft EV RSA Root Certificate Authority 2017
Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20EV%20RSA%20Root%20Certificate%20Authority%202017.crt
SHA-256 Fingerprint: DFB3C314740596AD5FB97960EF62AD7C1FCCEEAD16E74054652D1032E6F140EF
Trust Flags: Websites
Test URL: https://actrsaevroot2017.pki.microsoft.com/
Friendly Name: Microsoft EV ECC Root Certificate Authority 2017
Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt
SHA-256 Fingerprint: 6AEA30BC02CA85AFCFEC2F65F60881893C926925FD0704BD8ADA3F0F6EDDB699
Trust Flags: Websites
Test URL: https://acteccevroot2017.pki.microsoft.com/
This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion in bug #1448093
The next steps are as follows:
- A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificates have been attached.
- A Mozilla representative creates a patch with the new certificates, and provides a special test version of Firefox.
- A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificates have been correctly imported and that websites work correctly.
- The Mozilla representative requests that another Mozilla representative review the patch.
- The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
- At some time after that, various Mozilla products will move to using a version of NSS which contains the certificates. This process is mostly under the control of the release drivers for those products.
| Reporter | ||
Comment 1•6 years ago
|
||
| Reporter | ||
Comment 2•6 years ago
|
||
| Reporter | ||
Comment 3•6 years ago
|
||
| Reporter | ||
Comment 4•6 years ago
|
||
Comment 6•6 years ago
|
||
Thanks Kathleen. I can confirm that the data in this bug is correct and the correct certificates have been attached.
| Assignee | ||
Updated•6 years ago
|
Comment 7•6 years ago
|
||
https://crt.sh/?id=988218851&opt=zlint,cablint,x509lint
per Peter Gutmann's observation to m.d.s.policy, why are we seeing relatively new CA roots that fail lint checks?
My preference here would be for Microsoft to mint new root certs that fix the problem, but perhaps that's difficult for some reason?
Comment 8•6 years ago
|
||
Microsoft has filed bug 1598390 on this issue, so I suggest we discuss it there.
Comment 9•6 years ago
|
||
The four roots to be added to the Mozilla trusted root program can be found here:
http://www.microsoft.com/pkiops/certs/Microsoft ECC Root Certificate Authority 2017.crt
http://www.microsoft.com/pkiops/certs/Microsoft RSA Root Certificate Authority 2017.crt
http://www.microsoft.com/pkiops/certs/Microsoft EV ECC Root Certificate Authority 2017.crt
http://www.microsoft.com/pkiops/certs/Microsoft EV RSA Root Certificate Authority 2017.crt
I did not attach them to the bug above as they are similarly named and I did not want to create any confusion as the roots to be added.
Comment 10•6 years ago
|
||
The issue described in comments 7 and 8 has been resolved by signing new roots. I've confirmed that the linting errors are not present in the new versions of these roots. I recommend proceeding with the addition of these roots to NSS.
Comment 11•6 years ago
|
||
Hello,
Please update Test URI (2, 3 and 4) for this new root certs.
Andrew.
| Reporter | ||
Comment 12•6 years ago
|
||
To avoid confusion, I am going to create a new NSS bug after I have verified all of the necessary information for the newly minted version of these root certs.
Description
•