Closed Bug 1768970 Opened 3 years ago Closed 3 years ago

Add "Certainly Root R1" and "Certainly Root E1" root certificates to NSS

Categories

(NSS :: CA Certificates Code, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: djackson)

References

Details

(Whiteboard: June 2022 batch of root changes)

Attachments

(3 files)

This bug requests inclusion in the NSS root store of the following root certificates owned by Certainly LLC.

Friendly Name: Certainly Root R1
Cert Location: http://root-r1.certainly.com
SHA-1 Fingerprint: A050EE0F2871F427B2126D6F509625BACC8642AF
SHA-256 Fingerprint: 77B82CD8644C4305F7ACC5CB156B45675004033D51C60C6202A8E0C33467D3A0
Trust Flags: Websites
Test URL: https://valid.root-r1.certainly.com

Friendly Name: Certainly Root E1
Cert Location: http://root-e1.certainly.com/
SHA-1 Fingerprint: F9E16DDC0189CFD58245633EC5377DC2EB936F2B
SHA-256 Fingerprint: B4585F22E4AC756A4E8612A1361C5D9D031A93FD84FEBB778FA3068B0FC42DC2
Trust Flags: Websites
Test URL: https://valid.root-e1.certainly.com

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion in bug #1727941.

The next steps are as follows:

  1. A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificates have been attached.
  2. A Mozilla representative creates a patch with the new certificates.
  3. The Mozilla representative requests that another Mozilla representative review the patch.
  4. The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
  5. At some time after that, various Mozilla products will move to using a version of NSS which contains the certificates. This process is mostly under the control of the release drivers for those products.

Attached file CertainlyRootR1.crt
Attached file CertainlyRootE1.crt

Wayne, Please see step #1 above.

Flags: needinfo?(wthayer)
Blocks: 1727941
Depends on: 1764206
Whiteboard: June 2022 batch of root changes

Representing Certainly, I confirm that all the data in this bug is correct, and that the correct certificates have been attached.

Flags: needinfo?(wthayer)

Depends on D148824

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Assignee: nobody → djackson

Wayne, Please test in Firefox Nightly. I get errors when I try to browse to these test URLs, and I'm not seeing these errors for other websites.

Unable to connect
An error occurred during a connection to valid.root-e1.certainly.com.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Nightly is permitted to access the Web.

Flags: needinfo?(wthayer)

Hi Kathleen, those sites were experiencing some issues but should now be stable for your testing.

I have tested using those sites in Nightly in Windows 11 and macOS, and I am seeing something that I can't explain. When examining the certificate chain in Nightly, I see the r1 site chaining to the R1 root as expected. However, I see the e1 site chaining via the cross-cert to the Starfield G2 root. I think this could indicate a problem with the E1 root because I can't see anything in how the website is configured that would explain it. I also don't know how to force Firefox to ignore the cross-cert so that I can verify the E1 root.

Flags: needinfo?(wthayer) → needinfo?(kwilson)

(In reply to Wayne Thayer from comment #8)

> Hi Kathleen, those sites were experiencing some issues but should now be stable for your testing.

Hi Wayne, In Firefox Nightly with a new profile, both test websites work as expected now.

> I have tested using those sites in Nightly in Windows 11 and macOS, and I am seeing something that I can't explain. When examining the certificate chain in Nightly, I see the r1 site chaining to the R1 root as expected. However, I see the e1 site chaining via the cross-cert to the Starfield G2 root. I think this could indicate a problem with the E1 root because I can't see anything in how the website is configured that would explain it. I also don't know how to force Firefox to ignore the cross-cert so that I can verify the E1 root.

I'm seeing the e1 site chaining correctly to the E1 root cert.
Maybe you are using a profile that you have previously used to browse to the e1 test site using the cross-cert? I think if you Distrust the Starfield G2 root, that it will force Firefox to find the other chain.

Flags: needinfo?(kwilson)

(In reply to Kathleen Wilson from comment #9)

> (In reply to Wayne Thayer from comment #8)
> I'm seeing the e1 site chaining correctly to the E1 root cert.
> Maybe you are using a profile that you have previously used to browse to the e1 test site using the cross-cert? I think if you Distrust the Starfield G2 root, that it will force Firefox to find the other chain.

That was the problem. With a new profile, the E1 test website works as expected, chaining to the E1 root. Using my existing profile, I had to distrust both the Starfield G2 root and the older Starfield Class 2 root before it would properly build a chain to the Certainly E1 root when visiting https://valid.root-e1.certainly.com.
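
A simplified model of the chain-building behaviour discussed in the comments above, as an added example that is not part of the original bug and is not the path-building code of Firefox or NSS. The intermediate's name, the order in which candidate issuers are tried, and the Starfield G2 cross-cert issued by Starfield Class 2 are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified model: a certificate is a label plus subject and issuer names.
Cert = namedtuple("Cert", "label subject issuer")

def build_chain(leaf, pool, trusted, distrusted=frozenset()):
    """Depth-first path building from leaf to the first acceptable trust anchor.

    Candidates are tried in pool order, standing in for whatever order a client
    finds issuers in (built-ins, server-sent certs, certs kept in a profile).
    """
    def extend(cert, path):
        for cand in pool:
            if cand.subject != cert.issuer or cand in path:
                continue
            if cand.label in distrusted:
                continue              # explicit distrust prunes this branch
            if cand.label in trusted:
                return path + [cand]  # reached a trust anchor
            if cand.subject == cand.issuer:
                continue              # self-signed but not trusted: dead end
            found = extend(cand, path + [cand])
            if found:
                return found
        return None
    chain = extend(leaf, [leaf])
    return [c.label for c in chain] if chain else None

# Constructed sample data (names shortened; intermediate name is hypothetical).
LEAF = Cert("leaf", "valid.root-e1.certainly.com", "Certainly intermediate")
INTERMEDIATE = Cert("intermediate", "Certainly intermediate", "Certainly Root E1")
E1_ROOT = Cert("E1 root", "Certainly Root E1", "Certainly Root E1")
E1_CROSS = Cert("E1 cross-cert", "Certainly Root E1", "Starfield G2")
G2_ROOT = Cert("Starfield G2 root", "Starfield G2", "Starfield G2")
# Assumption: a cross-cert for Starfield G2 issued by Starfield Class 2 exists.
G2_CROSS = Cert("Starfield G2 cross-cert", "Starfield G2", "Starfield Class 2")
CLASS2_ROOT = Cert("Starfield Class 2 root", "Starfield Class 2", "Starfield Class 2")

ROOTS = {"E1 root", "Starfield G2 root", "Starfield Class 2 root"}
NEW_PROFILE = [INTERMEDIATE, E1_ROOT, G2_ROOT, CLASS2_ROOT]
# Existing profile: the cross-certs are known and happen to be tried first.
OLD_PROFILE = [INTERMEDIATE, E1_CROSS, E1_ROOT, G2_ROOT, G2_CROSS, CLASS2_ROOT]

if __name__ == "__main__":
    for distrusted in (set(), {"Starfield G2 root"},
                       {"Starfield G2 root", "Starfield Class 2 root"}):
        print(sorted(distrusted), "->",
              build_chain(LEAF, OLD_PROFILE, ROOTS, distrusted))
```

In this model, distrusting only the Starfield G2 root still leaves a valid path through the assumed G2 cross-cert to Starfield Class 2, which is consistent with both roots having to be distrusted before the chain ends at the Certainly E1 root.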
