1588545 - X.509 https chain

Status: RESOLVED DUPLICATE of bug 438825

(CA Program :: CA Certificate Root Program, enhancement)

Description

[senji]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

Dear Sir/Madam,

I am writing in regard to a HTTPS Certificate belonging to our Parana State Press in Brazil.

We are facing HTTPS invalid certificate in https://www.documentos.dioe.pr.gov.br.
For this reason, we ask you to consider our X.509 belonging to ICP-Brasil (https://www.iti.gov.br/icp-brasil)

Thus, I look forward to hearing from you.

Yours Faithfully,
Renato

Comment 1

[Kathleen Wilson]

IC-Brasil is a Super-CA as described here:
https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Super-CAs

So their subordinate CAs may apply for inclusion of their certificate as a trust anchor.

Renato, please let Certisign Certificadora Digital (CERTISIGN-CA) know that they may apply for inclusion of their "AC Certisign G7" certificate as a trust anchor in Mozilla's root store, as described here:
https://wiki.mozilla.org/CA/Application_Process

However, in order to be accepted, they will have to be following the rules of Mozilla's Root Store Policy and the CA/Browser Forum Baseline Requirements, and getting the appropriate audits.
https://www.mozilla.org/about/governance/policies/security-group/certs/policy/
https://cabforum.org/baseline-requirements-documents/

Until then, you may have your customers manually import and trust that certificate or the ICP-Brasil root certificate.

PS: It looks like the website, https://www.documentos.dioe.pr.gov.br/, may also need to be updated to the support TLS 1.2 protocol.