Add CFCA Root Certificates
Categories
(CA Program :: CA Certificate Root Program, task, P3)
Tracking
(Not tracked)
People
(Reporter: bixinlong, Assigned: bwilson, NeedInfo)
Details
(Whiteboard: [ca-initial] BW 2022-07-26 Comment #14)
Attachments
(11 files)
86.37 KB, application/pdf
176.89 KB, application/pdf
2.17 MB, application/pdf
2.80 MB, application/pdf
2.17 MB, application/pdf
1.41 KB, application/x-x509-ca-cert
600 bytes, application/x-x509-ca-cert
2.21 MB, application/pdf
1.42 KB, application/x-x509-ca-cert
611 bytes, application/x-x509-ca-cert
10.20 KB, application/zip
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Steps to reproduce:
China Financial Certification Authority (CFCA) is a compliance CA in China; we have been engaged in the CA business for over 20 years. We started SSL certificate services in 2012. We have only one root certificate (CFCA EV Root) now, and that root certificate has passed the Microsoft Root Certificate Program, Mozilla Root Certificate Program, Apple Root Certificate Program and Google Root Certificate Program. The CFCA EV Root certificate will expire in 2029, so we have built two new roots and plan to provide publicly trusted certificate services with them.
CFCA's two new root certificates:
CFCA Global ECC ROOT
CFCA Global RSA ROOT
We apply to include the new roots in the Mozilla Root Store Program. We have attached the audit report; the links to the audit reports are available on our main page https://www.cfca.com.cn.
More information can be found in CFCA CA Hierarchy and CFCA CA Information.
Please kindly review our application.
Kind regards,
China Financial Certification Authority.
Comment 5•2 years ago (Assignee)
Can you please upload the two new root CA certificates here as attachments to this bug?
(In reply to Ben Wilson from comment #5)
Can you please upload the two new root CA certificates here as attachments to this bug?
Hi Ben,
I have uploaded the two new root CA certificates. Thanks.
Comment 9•2 years ago (Assignee)
I have created Root Inclusion Case No. 980 in the CCADB, see https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000980. Can you please go here in the CCADB - https://ccadb.force.com/5008Z00001vrZXsQAM, and update the information needed? You can email me separately if you have any questions when completing the information in the CCADB.
Comment hidden (off-topic)
Comment hidden (off-topic)
Comment 12•2 years ago
Sorry, there was a problem with the detection of inactive users. I'm reverting the change.
Comment 13•2 years ago (Assignee)
The Baseline Requirements audit letter from Anthony Kam dated 27 October 2021 is confusing because there are two sets of audit periods. The audit letter contains a date of 1/22/2021 on pages 17, 18, 23, and 25, which causes ALV to treat the audit period start date as 1/22/2021. This raises the question about the period of time audited for these two root CAs, but I see they are covered for 21-Sept-2020 through 21-January-2021 by https://bug1752685.bmoattachments.org/attachment.cgi?id=9261403.
Comment 14•2 years ago (Assignee)
Applicant needs to complete information for each of the roots and provide test websites in the CCADB.
CFCA Global RSA ROOT - https://ccadb.force.com/a008Z00001QiQOKQA3
CFCA Global ECC ROOT - https://ccadb.force.com/a008Z00001QiQOJQA3
Comment 15•2 years ago (Reporter)
(In reply to Ben Wilson from comment #13)
The Baseline Requirements audit letter from Anthony Kam dated 27 October 2021 is confusing because there are two sets of audit periods. The audit letter contains a date of 1/22/2021 on pages 17, 18, 23, and 25, which causes ALV to treat the audit period start date as 1/22/2021. This raises the question about the period of time audit for these two root CAs, but I see they are covered for 21-Sept-2020 through 21-January-2021 by https://bug1752685.bmoattachments.org/attachment.cgi?id=9261403.
Hi Ben,
The two Root CA certificates, CFCA Global ECC ROOT and CFCA Global RSA ROOT, were issued on 21 September 2020. The supplemental audit report in the last seal file, with the audit period from 21 September 2020 to 21 January 2021, and the supplemental audit report in the current seal file, with the audit period from 22 January 2021 to 31 July 2021, were both provided to cover the audit requirements of the two new Root CAs. They are expected to be combined into the original one-year audit period coverage (1 August to 31 July the next year) later this year in 2022.
Comment 16•2 years ago (Reporter)
(In reply to Ben Wilson from comment #14)
Applicant needs to complete information for each of the roots and provide test websites in the CCADB.
CFCA Global RSA ROOT - https://ccadb.force.com/a008Z00001QiQOKQA3
CFCA Global ECC ROOT - https://ccadb.force.com/a008Z00001QiQOJQA3
I have updated some information including the test websites, but I am not sure whether it is comprehensive. If necessary, I can supplement it.
Comment 17•2 years ago (Assignee)
Thanks for updating the information. However, I get errors when trying to test the websites. Are you still working on configuring those?
Comment 18•2 years ago (Reporter)
(In reply to Ben Wilson from comment #17)
Thanks for updating the information. However, I get errors when trying to test the websites. Are you still working on configuring those?
Hi Ben,
We've configured the websites. I used Chrome and Firefox to test all the test websites; as the new root certificates (CFCA Global RSA ROOT and CFCA Global ECC ROOT) have not been included in the root store, the browsers do not trust the root certificates, so I need to accept the risk. When I accept the risk, the websites can be accessed normally.
I'm not sure why there are some failures in CCADB; I don't know the test detection mechanism in CCADB. I have attached a file with my test results; I hope it can be helpful.
Comment 19•2 years ago (Reporter)
Comment 20•2 years ago (Assignee)
Is the chain with the Intermediate CAs being provided by the server for the test websites?
Have both intermediate CAs been uploaded to the CCADB? I don't see them in your CA hierarchy provided by the CCADB. Make sure to upload your intermediates to the CCADB.
One of the testing errors indicates, "certificate is invalid: Peer's Certificate issuer is not recognized.","Interpretation":"bad chain at leaf" and another error is "leaf is unauthorized by OCSP responder http://ocsp.cfca.com.cn/ocsp". There are other errors, too. You should also test CRLs and OCSP just for your intermediate CAs. Then, keep testing using the tool inside the CCADB ("Test Websites Validation") until you do not receive errors.
Still, more information needs to be provided in your inclusion case for me to be able to continue my review. For instance, have you completed the Compliance Self Assessment? See https://wiki.mozilla.org/CA/Compliance_Self-Assessment
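The two questions in this comment (does the server send the intermediate, and does a path exist to a root the client actually trusts) are the same checks a browser performs, and they explain the "issuer is not recognized" / "bad chain at leaf" error above as well as the "accept the risk" behaviour described in comment 18. The following is an added example, not code from this bug, from CFCA or from the CCADB tooling: it builds a throwaway root, intermediate and leaf in memory (placeholder names, keys generated on the fly) and runs the chain check three ways. BuildHierarchy, VerifyPresentedChain and the host name test.example.invalid are assumptions of the example; OCSP and CRL checking are not covered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed three-tier PKI (root -> intermediate -> leaf) generated in
// memory for this example; the names are placeholders, not CFCA's certificates or keys.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates a certificate from tmpl, signed with the parent's private key, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildHierarchy issues a self-signed root, a subordinate CA and a server leaf for test.example.invalid.
func BuildHierarchy() Hierarchy {
	now := time.Now()
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.AddDate(years, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Example Global ROOT (constructed)", 20)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	sub := sign(ca(2, "Example Issuing CA (constructed)", 10), root, &subKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "test.example.invalid"},
		DNSNames:     []string{"test.example.invalid"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 3, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub, &leafKey.PublicKey, subKey)
	return Hierarchy{Root: root, Intermediate: sub, Leaf: leaf}
}

// VerifyPresentedChain does what a browser does with the certificates a TLS server sends:
// the first is the leaf, the rest are candidate intermediates, and a path must be found to a
// root in `trusted`. The root pool is always non-nil, so system roots are never consulted.
func VerifyPresentedChain(presented, trusted []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	h := BuildHierarchy()
	host := "test.example.invalid"
	full := []*x509.Certificate{h.Leaf, h.Intermediate}
	// Server sends leaf + intermediate and the root is in the trust store: the chain builds (nil).
	fmt.Println("full chain, root trusted:   ", VerifyPresentedChain(full, []*x509.Certificate{h.Root}, host))
	// Server omits the intermediate: the leaf's issuer is not recognized (bad chain at leaf).
	fmt.Println("leaf only, root trusted:    ", VerifyPresentedChain([]*x509.Certificate{h.Leaf}, []*x509.Certificate{h.Root}, host))
	// Root not yet in the store: this is the warning a browser shows until the user accepts the risk.
	fmt.Println("full chain, root untrusted: ", VerifyPresentedChain(full, nil, host))
}
```

The second case is the one a server operator can fix by configuring the full chain; the third only goes away once the root is in the client's trust store, which is exactly why a test site for a pending root inclusion shows a warning in every browser.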
Comment 21•2 years ago
(In reply to Ben Wilson from comment #20)
Is the chain with the Intermediate CAs being provided by the server for the test websites?
Have both intermediate CAs been uploaded to the CCADB? I don't see them in your CA hierarchy provided by the CCADB. Make sure to upload your intermediates to the CCADB.
One of the testing errors indicates, "certificate is invalid: Peer's Certificate issuer is not recognized.","Interpretation":"bad chain at leaf" and another error is "leaf is unauthorized by OCSP responder http://ocsp.cfca.com.cn/ocsp". There are other errors, too. You should also test CRLs and OCSP just for your intermediate CAs. Then, keep testing using the tool inside the CCADB ("Test Websites Validation") until you do not receive errors.
Still, more information needs to be provided in your inclusion case for me to be able to continue my review. For instance, have you completed the Compliance Self Assessment? See https://wiki.mozilla.org/CA/Compliance_Self-Assessment
Hi Ben,
Both intermediate CAs have not been updated to CCADB. We will upload them as soon as possible.
In addition, for the errors you mentioned, we will check the causes of these errors and use the method you prompted to test.
Thanks,
Gao Fei
Comment 22•2 years ago
Comment 23•2 years ago
Comment 24•2 years ago
Comment 25•2 years ago
(In reply to Ben Wilson from comment #20)
Is the chain with the Intermediate CAs being provided by the server for the test websites?
Have both intermediate CAs been uploaded to the CCADB? I don't see them in your CA hierarchy provided by the CCADB. Make sure to upload your intermediates to the CCADB.
One of the testing errors indicates, "certificate is invalid: Peer's Certificate issuer is not recognized.","Interpretation":"bad chain at leaf" and another error is "leaf is unauthorized by OCSP responder http://ocsp.cfca.com.cn/ocsp". There are other errors, too. You should also test CRLs and OCSP just for your intermediate CAs. Then, keep testing using the tool inside the CCADB ("Test Websites Validation") until you do not receive errors.
Still, more information needs to be provided in your inclusion case for me to be able to continue my review. For instance, have you completed the Compliance Self Assessment? See https://wiki.mozilla.org/CA/Compliance_Self-Assessment
Hi Ben,
We have re-uploaded two new root certificates and both intermediate CAs in this case. Two new root certificates (CFCA Global RSA ROOT NEW.cer and CFCA Global ECC ROOT NEW.cer) need to replace the original root certificates (CFCA Global RSA ROOT.cer and CFCA Global ECC ROOT.cer) in this case. And, please help us update them to the CCADB.
Thanks,
Gao Fei
Comment 26•2 years ago (Assignee)
They are uploaded in the CCADB. You will need to complete the steps listed at https://www.ccadb.org/cas/updates and elsewhere.
Comment 27•2 years ago
(In reply to Ben Wilson from comment #26)
They are uploaded in the CCADB. You will need to complete the steps listed at https://www.ccadb.org/cas/updates and elsewhere.
Hi Ben,
Thank you for your help, we will maintain the information as required as soon as possible.
Thanks,
Gao Fei
Comment 28•4 months ago (Assignee)
The CCADB record (Case #980) indicates that CFCA withdrew this inclusion request. So I believe this Bugzilla matter should be closed, which I'll do on Wed. 10-Jan-2024, unless I hear otherwise.