Closed Bug 1596154 Opened 6 years ago Closed 6 years ago

Digicert-issued, experimental-subcerts-extension certificate needed for enabled.dc.crypto.mozilla.org

Categories

(Infrastructure & Operations :: SSL Certificates, task)

task
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jcj, Assigned: jlaz)

CryptoEng needs to have issued a certificate for enabled.dc.crypto.mozilla.org that contains the extension for draft-ietf-tls-subcerts [0], to be hosted by Cloudflare for the Delegated Credentials tests [1] (Bug 1580053, Bug 1574029).

We can probably have Cloudflare generate a CSR for this certificate, or could simply send them the private key. Assuming the former, I will attach a CSR here as soon as I get it.

The SAN can be just the single name, enabled.dc.crypto.mozilla.org.

That said, the long part of this will be doing whatever dance with Digicert is necessary to get this custom certificate issued. I think Cloudflare can probably give us a POC who's already familiar - please reach out to me and I'll do my best to connect you directly.

[0] 1.3.6.1.4.1.44363.44, NOT critical, from https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/
[1] https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/
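One way to confirm that an issued certificate carries the extension requested above and that it is not marked critical. This is an added example, not code from this bug or from Mozilla, Cloudflare or Digicert; the function names are chosen here, and the sample bytes are a constructed skeleton rather than a real certificate.

```python
DC_OID = "1.3.6.1.4.1.44363.44"  # extension OID quoted in the bug description

def children(buf):
    """Yield (tag, value) for each DER TLV directly inside buf."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits give the size of the length
            k = length & 0x7F
            length = int.from_bytes(buf[pos:pos + k], "big")
            pos += k
        yield tag, buf[pos:pos + length]
        pos += length

def oid_bytes(dotted):
    """DER content octets for a dotted OID (base-128 arcs, high bit = more)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def delegation_usage(cert_der):
    """Return (present, critical) for DC_OID in a DER-encoded certificate."""
    (_, cert), = children(cert_der)          # outer Certificate SEQUENCE
    _, tbs = next(children(cert))            # first field is tbsCertificate
    for tag, body in children(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            (_, exts), = children(body)
            for _, ext in children(exts):
                fields = list(children(ext))  # extnID, [critical], extnValue
                if fields[0][1] == oid_bytes(DC_OID):
                    return True, fields[1] == (0x01, b"\xff")
    return False, False

def tlv(tag, body):  # short-form TLV, enough for the tiny sample below
    return bytes([tag, len(body)]) + body

def sample_cert(critical):
    """Constructed skeleton only: Certificate{ tbs{ serial, [3]{ exts } } }."""
    flag = tlv(0x01, b"\xff") if critical else b""  # DER omits critical=FALSE
    ext = tlv(0x30, tlv(0x06, oid_bytes(DC_OID)) + flag + tlv(0x04, b"\x05\x00"))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs)
```

For a real certificate, pass its DER bytes, for example the result of `ssl.PEM_cert_to_DER_cert()` on the PEM text; the expected result for this request is `(True, False)`.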

Assignee: server-ops-webops → jlaz
Status: NEW → ASSIGNED
Depends on: 1596181

Let me know if you need to talk to folks at Digicert directly. I have good direct contacts we can use to do custom issuances.

The SSL certificate bundle has been generated with the extension mentioned above. I'll need a contact to securely send the bundle to, which we can sort out in bug 1596181.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED