X.509 https chain
Categories
(CA Program :: CA Certificate Root Program, enhancement)
Tracking
(Not tracked)
People
(Reporter: renatosen, Assigned: kathleen.a.wilson)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Steps to reproduce:
Dear Sir/Madam,
I am writing in regard to a HTTPS Certificate belonging to our Parana State Press in Brazil.
We are facing HTTPS invalid certificate in https://www.documentos.dioe.pr.gov.br.
For this reason, we ask you to consider our X.509 belonging to ICP-Brasil (https://www.iti.gov.br/icp-brasil)
Thus, I look forward to hearing from you.
Yours Faithfully,
Renato
Updated•5 years ago
|
Assignee | ||
Comment 1•5 years ago
|
||
IC-Brasil is a Super-CA as described here:
https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Super-CAs
So their subordinate CAs may apply for inclusion of their certificate as a trust anchor.
Renato, please let Certisign Certificadora Digital (CERTISIGN-CA) know that they may apply for inclusion of their "AC Certisign G7" certificate as a trust anchor in Mozilla's root store, as described here:
https://wiki.mozilla.org/CA/Application_Process
However, in order to be accepted, they will have to be following the rules of Mozilla's Root Store Policy and the CA/Browser Forum Baseline Requirements, and getting the appropriate audits.
https://www.mozilla.org/about/governance/policies/security-group/certs/policy/
https://cabforum.org/baseline-requirements-documents/
Until then, you may have your customers manually import and trust that certificate or the ICP-Brasil root certificate.
PS: It looks like the website, https://www.documentos.dioe.pr.gov.br/, may also need to be updated to the support TLS 1.2 protocol.
Updated•2 years ago
|
Description
•