Closed Bug 1752685 Opened 2 years ago Closed 3 months ago

Add CFCA Root Certificates

Categories

(CA Program :: CA Certificate Root Program, task, P3)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: bixinlong, Assigned: bwilson, NeedInfo)

Details

(Whiteboard: [ca-initial] BW 2022-07-26 Comment #14)

Attachments

(11 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0

Steps to reproduce:

China Financial Certification Authority (CFCA) is a compliance CA in China; we have been engaged in the CA business for over 20 years. We started SSL certificate services in 2012. We have only one root certificate (CFCA EV Root) now; the root certificate has passed the Microsoft Root Certificate Program, the Mozilla Root Certificate Program, the Apple Root Certificate Program and the Google Root Certificate Program. The CFCA EV Root certificate will expire in 2029, so we have built two new roots and plan to provide publicly trusted certificate services.

CFCA's two new root certificates:
CFCA Global ECC ROOT
CFCA Global RSA ROOT

We are applying to include the new roots in the Mozilla Root Store Program. We have attached the audit reports; links to the audit reports are available on our main page, https://www.cfca.com.cn.

More information can be found in CFCA CA Hierarchy and CFCA CA Information.

Please kindly review our application.

Kind regards,
China Financial Certification Authority.

Type: enhancement → task
Component: Untriaged → CA Certificate Root Program
Product: Firefox → NSS
Version: Firefox 96 → other
Attached file CFCA CA Hierarchy.pdf
Attached file CFCA_WTCA_SealFile.pdf
Assignee: nobody → bwilson
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
QA Contact: kwilson
Whiteboard: [ca-initial]

Can you please upload the two new root CA certificates here as attachments to this bug?

Flags: needinfo?(bixinlong)
Flags: needinfo?(bixinlong)

(In reply to Ben Wilson from comment #5)

Can you please upload the two new root CA certificates here as attachments to this bug?

Hi Ben,

I have uploaded the two new root CA certificates. Thanks.

I have created Root Inclusion Case No. 980 in the CCADB, see https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000980. Can you please go here in the CCADB - https://ccadb.force.com/5008Z00001vrZXsQAM, and update the information needed? You can email me separately if you have any questions when completing the information in the CCADB.

Flags: needinfo?(bixinlong)
Flags: needinfo?(kwilson) → needinfo?(bwilson)
Flags: needinfo?(bwilson)

Sorry, there was a problem with the detection of inactive users. I'm reverting the change.

Flags: needinfo?(kwilson) → needinfo?(bixinlong)

The Baseline Requirements audit letter from Anthony Kam dated 27 October 2021 is confusing because there are two sets of audit periods. The audit letter contains a date of 1/22/2021 on pages 17, 18, 23, and 25, which causes ALV to treat the audit period start date as 1/22/2021. This raises a question about the period of time audited for these two root CAs, but I see they are covered for 21-Sept-2020 through 21-January-2021 by https://bug1752685.bmoattachments.org/attachment.cgi?id=9261403.

Applicant needs to complete information for each of the roots and provide test websites in the CCADB.
CFCA Global RSA ROOT - https://ccadb.force.com/a008Z00001QiQOKQA3
CFCA Global ECC ROOT - https://ccadb.force.com/a008Z00001QiQOJQA3

Whiteboard: [ca-initial] → [ca-initial] BW 2022-07-26 Comment #14

(In reply to Ben Wilson from comment #13)

The Baseline Requirements audit letter from Anthony Kam dated 27 October 2021 is confusing because there are two sets of audit periods. The audit letter contains a date of 1/22/2021 on pages 17, 18, 23, and 25, which causes ALV to treat the audit period start date as 1/22/2021. This raises a question about the period of time audited for these two root CAs, but I see they are covered for 21-Sept-2020 through 21-January-2021 by https://bug1752685.bmoattachments.org/attachment.cgi?id=9261403.

Hi Ben,
The two Root CA certificates, CFCA Global ECC ROOT and CFCA Global RSA ROOT, were issued on 21 September 2020. The supplemental audit report in the last seal file, with the audit period from 21 September 2020 to 21 January 2021, and the supplemental audit report in the current seal file, with the audit period from 22 January 2021 to 31 July 2021, were both provided to cover the audit requirements of the two new Root CAs. Both are expected to be combined into the original one-year audit period coverage (1 August to 31 July of the following year) later in 2022.

Flags: needinfo?(bixinlong)

(In reply to Ben Wilson from comment #14)

Applicant needs to complete information for each of the roots and provide test websites in the CCADB.
CFCA Global RSA ROOT - https://ccadb.force.com/a008Z00001QiQOKQA3
CFCA Global ECC ROOT - https://ccadb.force.com/a008Z00001QiQOJQA3

I have updated some information including the test websites, but I am not sure whether it is comprehensive. If necessary, I can supplement it.

Thanks for updating the information. However, I get errors when trying to test the websites. Are you still working on configuring those?

(In reply to Ben Wilson from comment #17)

Thanks for updating the information. However, I get errors when trying to test the websites. Are you still working on configuring those?

Hi Ben,

We've configured the websites. I used Chrome and Firefox to test all the test websites; as the new root certificates (CFCA Global RSA ROOT and CFCA Global ECC ROOT) have not been included in the root store, the browsers do not trust the root certificates, so I need to accept the risk. When I accept the risk, the websites can be accessed normally.
I'm not sure why there are some failures in the CCADB; I don't know the test detection mechanism in the CCADB. I have attached a file with my test results; I hope it can be helpful.

Is the chain with the Intermediate CAs being provided by the server for the test websites?
Have both intermediate CAs been uploaded to the CCADB? I don't see them in your CA hierarchy provided by the CCADB. Make sure to upload your intermediates to the CCADB.

One of the testing errors indicates, "certificate is invalid: Peer's Certificate issuer is not recognized.","Interpretation":"bad chain at leaf" and another error is "leaf is unauthorized by OCSP responder http://ocsp.cfca.com.cn/ocsp". There are other errors, too. You should also test CRLs and OCSP just for your intermediate CAs. Then, keep testing using the tool inside the CCADB ("Test Websites Validation") until you do not receive errors.

Still, more information needs to be provided in your inclusion case for me to be able to continue my review. For instance, have you completed the Compliance Self Assessment? See https://wiki.mozilla.org/CA/Compliance_Self-Assessment
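The chain failure Ben describes ("Peer's Certificate issuer is not recognized" / "bad chain at leaf") is what a server produces when it sends only its leaf and relies on the client already knowing the intermediate. The following is an added example, not part of this bug and not CFCA's or the CCADB's tooling: it builds a throwaway root -> intermediate -> leaf hierarchy with openssl (all names and the hostname test.example.invalid are made up; it assumes an openssl 1.1.1 or later binary on PATH) and shows that the leaf verifies against the root only when the intermediate is supplied alongside it, which is exactly what a correctly configured test website must send.

```shell
#!/bin/sh
# Added example (not from the bug, CFCA or the CCADB): reproduce the
# "issuer is not recognized" class of test-website failure with a
# throwaway PKI. All names and hostnames below are made up.
set -eu

# One openssl config holding the extension profiles for CA and leaf certs.
write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:test.example.invalid
EOF
}

# Build root -> intermediate -> leaf in directory $1 (P-256 keys, 30-day certs).
build_hierarchy() {
  d=$1
  write_config "$d"
  # Self-signed root, the role played by "CFCA Global ECC ROOT" in the bug.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/root.key" -out "$d/root.crt" -days 30 \
    -subj "/CN=Example Test Root" -config "$d/pki.cnf" -extensions ca_ext \
    >/dev/null 2>&1
  # Intermediate CA signed by the root.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Test Intermediate" -config "$d/pki.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -out "$d/int.crt" \
    -extfile "$d/pki.cnf" -extensions ca_ext >/dev/null 2>&1
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=test.example.invalid" -config "$d/pki.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/leaf.crt" \
    -extfile "$d/pki.cnf" -extensions leaf_ext >/dev/null 2>&1
}

# Verify the leaf against the trusted root. With $2 = "with" the intermediate
# is supplied as an untrusted chain cert (what a well-configured server
# sends); with $2 = "without" only the leaf is presented. Returns openssl's
# exit status, so it can be used directly in an if.
leaf_verifies() {
  if [ "$2" = with ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" \
      >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
  fi
}

# The reason openssl gives for the leaf-only case (error 20).
verify_error() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_hierarchy "$WORK"
if leaf_verifies "$WORK" without; then
  echo "unexpected: leaf verified without the intermediate"
else
  echo "leaf only (intermediate missing): $(verify_error "$WORK")"
fi
if leaf_verifies "$WORK" with; then
  echo "leaf + intermediate: chain verifies to the root"
else
  echo "unexpected: chain with intermediate failed"
fi
```

Against a live test website the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, which prints every certificate the server sent; if only one appears, the intermediate is missing. The separate OCSP complaint in the CCADB output ("leaf is unauthorized by OCSP responder") is checked with `openssl ocsp -issuer int.crt -cert leaf.crt -url <responder URL> -resp_text`, run once for the leaf against its intermediate and once for each intermediate against the root, as Ben asks; the example above does not contact any responder.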

(In reply to Ben Wilson from comment #20)

Is the chain with the Intermediate CAs being provided by the server for the test websites?
Have both intermediate CAs been uploaded to the CCADB? I don't see them in your CA hierarchy provided by the CCADB. Make sure to upload your intermediates to the CCADB.

One of the testing errors indicates, "certificate is invalid: Peer's Certificate issuer is not recognized.","Interpretation":"bad chain at leaf" and another error is "leaf is unauthorized by OCSP responder http://ocsp.cfca.com.cn/ocsp". There are other errors, too. You should also test CRLs and OCSP just for your intermediate CAs. Then, keep testing using the tool inside the CCADB ("Test Websites Validation") until you do not receive errors.

Still, more information needs to be provided in your inclusion case for me to be able to continue my review. For instance, have you completed the Compliance Self Assessment? See https://wiki.mozilla.org/CA/Compliance_Self-Assessment

Hi Ben,

Both intermediate CAs have not yet been uploaded to the CCADB. We will upload them as soon as possible.
In addition, for the errors you mentioned, we will check the causes of these errors and use the method you suggested to test.

Thanks,
Gao Fei

Attached file intermediate CAs.zip

(In reply to Ben Wilson from comment #20)

Is the chain with the Intermediate CAs being provided by the server for the test websites?
Have both intermediate CAs been uploaded to the CCADB? I don't see them in your CA hierarchy provided by the CCADB. Make sure to upload your intermediates to the CCADB.

One of the testing errors indicates, "certificate is invalid: Peer's Certificate issuer is not recognized.","Interpretation":"bad chain at leaf" and another error is "leaf is unauthorized by OCSP responder http://ocsp.cfca.com.cn/ocsp". There are other errors, too. You should also test CRLs and OCSP just for your intermediate CAs. Then, keep testing using the tool inside the CCADB ("Test Websites Validation") until you do not receive errors.

Still, more information needs to be provided in your inclusion case for me to be able to continue my review. For instance, have you completed the Compliance Self Assessment? See https://wiki.mozilla.org/CA/Compliance_Self-Assessment

Hi Ben,

We have re-uploaded two new root certificates and both intermediate CAs in this case. Two new root certificates (CFCA Global RSA ROOT NEW.cer and CFCA Global ECC ROOT NEW.cer) need to replace the original root certificates (CFCA Global RSA ROOT.cer and CFCA Global ECC ROOT.cer) in this case. And, please help us update them to the CCADB.

Thanks,
Gao Fei

Flags: needinfo?(bwilson)

They are uploaded in the CCADB. You will need to complete the steps listed at https://www.ccadb.org/cas/updates and elsewhere.

Flags: needinfo?(bwilson)
Priority: P2 → P3

(In reply to Ben Wilson from comment #26)

They are uploaded in the CCADB. You will need to complete the steps listed at https://www.ccadb.org/cas/updates and elsewhere.

Hi Ben,

Thank you for your help, we will maintain the information as required as soon as possible.

thanks,
Gao Fei

Product: NSS → CA Program

The CCADB record (Case #980) indicates that CFCA withdrew this inclusion request. So I believe this Bugzilla matter should be closed, which I'll do on Wed. 10-Jan-2024, unless I hear otherwise.

Flags: needinfo?(gaofei)
Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Flags: needinfo?(bwilson)
Resolution: --- → WONTFIX