Closed Bug 1735407 Opened 3 years ago Closed 2 years ago

Replace Google Trust Services LLC (GTS) root certificates in NSS

Categories

(NSS :: CA Certificates Code, task, P1)

Product:
NSS
Component:
CA Certificates Code
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: jschanck)

References

Details

(Whiteboard: December 2021 Batch of Root Changes)

Attachments

(10 files)

GlobalSign-gsr4.pem
704 bytes, application/x-x509-ca-cert
Details
gtsr1.pem
1.87 KB, application/x-x509-ca-cert
Details
gtsr2.pem
1.87 KB, application/x-x509-ca-cert
Details
gtsr3.pem
765 bytes, application/x-x509-ca-cert
Details
gtsr4.pem
765 bytes, application/x-x509-ca-cert
Details
Bug 1735407 - Replace GlobalSign ECC Root CA R4 in NSS. r=KathleenWilson
48 bytes, text/x-phabricator-request
Details | Review
Bug 1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate in NSS. r=KathleenWilson
48 bytes, text/x-phabricator-request
Details | Review
Bug 1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate in NSS. r=KathleenWilson
48 bytes, text/x-phabricator-request
Details | Review
Bug 1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate in NSS. r=KathleenWilson
48 bytes, text/x-phabricator-request
Details | Review
Bug 1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate in NSS. r=KathleenWilson
48 bytes, text/x-phabricator-request
Details | Review

This bug requests inclusion in the NSS root store of the following root certificates owned by Google Trust Services LLC.

Please replace the existing version of these root certificates that are currently in NSS with these new root certificates, and also enable both the Email and Websites trust bits for all of them.

Friendly Name: GlobalSign ECC Root CA - R4
Cert Location: https://pki.goog/repo/certs/gsr4.pem
SHA-256 Fingerprint: B085D70B964F191A73E4AF0D54AE7A0E07AAFDAF9B71DD0862138AB7325A24A2
Trust Flags: Email; Websites
Test URL: https://good.gsr4demo.pki.goog/
Replaces Existing GlobalSign with SHA-256 Fingerprint: BEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C

Friendly Name: GTS Root R1
Cert Location: https://pki.goog/repo/certs/gtsr1.pem
SHA-256 Fingerprint: D947432ABDE7B7FA90FC2E6B59101B1280E0E1C7E4E40FA3C6887FFF57A7F4CF
Trust Flags: Email; Websites
Test URL: https://good.r1demo.pki.goog/
Replaces Existing GTS Root R1 with SHA-256 Fingerprint: 2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472

Friendly Name: GTS Root R2
Cert Location: https://pki.goog/repo/certs/gtsr2.pem
SHA-256 Fingerprint: 8D25CD97229DBF70356BDA4EB3CC734031E24CF00FAFCFD32DC76EB5841C7EA8
Trust Flags: Email; Websites
Test URL: https://good.r2demo.pki.goog/
Replaces Existing GTS Root R2 with SHA-256 Fingerprint: C45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60

Friendly Name: GTS Root R3
Cert Location: https://pki.goog/repo/certs/gtsr3.pem
SHA-256 Fingerprint: 34D8A73EE208D9BCDB0D956520934B4E40E69482596E8B6F73C8426B010A6F48
Trust Flags: Email; Websites
Test URL: https://good.r3demo.pki.goog/
Replaces Existing GTS Root R3 with SHA-256 Fingerprint: 15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5

Friendly Name: GTS Root R4
Cert Location: https://pki.goog/repo/certs/gtsr4.pem
SHA-256 Fingerprint: 349DFA4058C5E263123B398AE795573C4E1313C83FE68F93556CD5E8031B3C7D
Trust Flags: Email; Websites
Test URL: https://good.r4demo.pki.goog/
Replaces Existing GTS Root R4 with SHA-256 Fingerprint: 71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion in bug #1675821

The next steps are as follows:

  1. A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificates have been attached.
  2. A Mozilla representative creates a patch with the new certificates.
  3. The Mozilla representative requests that another Mozilla representative review the patch.
  4. The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
  5. At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
Attached file GlobalSign-gsr4.pem
Attached file gtsr1.pem
Attached file gtsr2.pem
Attached file gtsr3.pem
Attached file gtsr4.pem
Depends on: 1733003
Whiteboard: December 2021 Batch of Root Changes

David, Please see step #1 above.

Confirmed. These are correct.

Assignee: nobody → jschanck
Status: NEW → ASSIGNED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: