1885354 - Hardcode intermediate addons stage cert

Status: RESOLVED FIXED

(Core :: Security: PSM, task, P1)

Description

[Rob Wu [:robwu]]

In order for the stage simulation to be as realistic as possible, we should hardcode the intermediate certificates in AppTrustDomain similar to what we do for production (introduced by https://hg.mozilla.org/mozilla-central/rev/c52835481c08 in bug 1549249).

The intermediate certificate of interest is cas-cur-intermediate-amo-2024-03-12.crt from bug 1882192.

Comment 1

[Rob Wu [:robwu]]

Attachment: Bug 1885354 - Hardcode intermediate addons-stage cert

Generated from the crt file from bug 1882192 with:

openssl x509 -inform PEM -in /tmp/cas-cur-intermediate-amo-2024-03-12.crt -outform DER -out security/manager/ssl/addons-stage-intermediate.crt

Comment 2

[Pulsebot]

Pushed by rob@robwu.nl:
https://hg.mozilla.org/integration/autoland/rev/a98160b49fad
Hardcode intermediate addons-stage cert r=jschanck

Comment 3

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/a98160b49fad

Comment 4

[Rob Wu [:robwu]]

Comment on attachment 9391477 [details]
Bug 1885354 - Hardcode intermediate addons-stage cert

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is necessary to realistically test the root CA succession on ESR115.
• User impact if declined: QA results with stage/dev server of AMO does not match the production behavior.
• Fix Landed on Version: 125
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Behavior is behind a preference and only reached by QA.

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9391477 [details]
Bug 1885354 - Hardcode intermediate addons-stage cert

Approved for 115.10esr.

Comment 6

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr115/rev/4116956f10fa