Open Bug 1628720 Opened 2 years ago Updated 8 months ago

Add E-Tugra Root Certificates RSA v3 / ECC v3


(NSS :: CA Certificate Root Program, task, P2)


(Not tracked)



(Reporter: dtokgoz, Assigned: bwilson)


(Whiteboard: [ca-cps-review] BW 2021-04-01)


(3 files)

Steps to reproduce:

E-Tugra would like to add two new roots to NSS/Mozilla Root Store. Self-assessment checklist, CCADB Root Inclusion Case Numbers are 576, 577.

Type: enhancement → task
Ever confirmed: true
Whiteboard: [ca-initial]

The Ceremony Report signed by Qualified Auditor is uploaded at .

Questions to resolve include: corporate good standing, audit with SHA2 hashes of roots included, and test websites. Next step is to review BR self-assessment.

Assignee: kwilson → bwilson
Whiteboard: [ca-initial] → [ca-verifying] BW 2020-08-11
Whiteboard: [ca-verifying] BW 2020-08-11 → [ca-verifying] BW 2020-08-11 - Need Test Websites

Here is the CCADB information for this inclusion request:
Additional items need to be completed in the CCADB. Here is an initial list of “Needs”, for each of the roots (RSA and ECC):
1- An explanation of why the root certificate needs to be included in the root store
2- The unique function of each root, since the request includes multiple roots
3- A public URL through which each root certificate can be directly downloaded.
4- 3 test websites (valid, expired, revoked) whose TLS/SSL certificate chains up to each root.
5- A test of the valid certificate with
6- Evidence of a lint test to verify that no certificates issued in each CA hierarchy violate any of the CA/Browser Forum Baseline Requirements (BRs) (e.g. )
7- Evidence of a test to verify that no certificates issued in this CA hierarchy violate the X.509 rules. (e.g.
8- Successful output from EV Testing as described here
9- Description of PKI Hierarchy (URL and/or Description of each PKI Hierarchy).
10- Details related to any of PKI hierarchy check-boxes that are selected
11- Records in the CCADB for all existing intermediate certificates (
12- Constraints placed on any External SubCAs & RAs
13- Requested Mozilla-Applied Constraints, if any

Flags: needinfo?(dtokgoz)
Whiteboard: [ca-verifying] BW 2020-08-11 - Need Test Websites → [ca-verifying] BW 2020-08-12 - See Comment 3 for Needed Info
Attached image EVControl For RSA v3
Attached image EVControl For ECC v3
Flags: needinfo?(dtokgoz)
Attachment #9170359 - Attachment description: EVControl For RSA → EVControl For RSA v3

All missing parts are completed except item 7. It will be completed as soon as possible.
For Item 8, the screenshots are attached.

All missing parts are completed in CCADB records.

Never mind. I see that the BR Self-Assessment and the CPS match on methods under

Flags: needinfo?(dtokgoz)

There are two items I'd like to see happen before I move this into the queue for CP/CPS Review--(1) the annual audit for 2020 should include the two new roots and (2) the CPS should be brought current with version 1.7.1 of the Baseline Requirements.

Flags: needinfo?(dtokgoz)

The Etugra 2020 annual audit was completed between Sep 21st-25th by LSTI. We will post it whenever the audit letter is ready. We reported this delay on

The Audit Letter was issued and placed on .
We submitted it on root inclusion case (576) in CCADB, but some errors occur when validating the AL. Neither the auditors nor we could solve them. Can you review the problem so that we can pass the AL submit phase?

These were fixed with version 5 of the attestation letter, but it is no longer located here:

Priority: -- → P2

I have notified the auditor company. Please get it from until they fix it.

Whiteboard: [ca-verifying] BW 2020-08-12 - See Comment 3 for Needed Info → [ca-cps-review] BW 2021-04-01