ACCV: Transition Plan for Existing Root
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
People
(Reporter: jamador, Assigned: bwilson)
Details
(Whiteboard: [transition-plan])
ACCV: Transition Plan for Existing Roots
This is the transition plan drawn up by ACCV (Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)) for the migration from ACCVRAIZ1 to the new dedicated hierarchies:
ACCV ROOT RSA TLS 2024 | Root CA (valid until 26/01/2049)
ACCV ROOT ECC TLS 2024 | Root CA (valid until 26/01/2049)
in compliance with Mozilla's Root Store Policy, sections 7.5 (requirement to transition multipurpose roots to single-purpose hierarchies) and 7.4 (Root CA Lifecycles for lifecycle-based trust bit removal).
According to Mozilla's published Root CA Lifecycle schedule, a root generated in 2011, such as "ACCVRAIZ1", is scheduled to have its websites trust bit removed on April 15, 2028.
In order to adjust the transition approach, so that TLS certificates issued under "ACCVRAIZ1" continue to be trusted, ACCV requests that the TLS trust bit for the existing self-signed root CA included in the Mozilla Root Store be maintained until December 31, 2028. This will ensure an adequate transition period towards the new TLS hierarchy submitted for inclusion under CCADB CASE ID: 00002687 (in revision process).
1. Summary
- CA Owner CCADB unique ID: A000032
- CA Operator: Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)
- Root affected:
- Name: ACCVRAIZ1
- Subject: C = ES,O = ACCV,OU = PKIACCV,CN = ACCVRAIZ1
- SHA-256 fingerprint: 9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113
2. Current State
"ACCVRAIZ1" is a Root CA currently used only for TLS: its subordinate CA "ACCV RSA1 TLS" issues end-entity web authentication certificates and is set to expire on December 01, 2030.
Root certificate details:
- Name: ACCVRAIZ1
- Key size/algorithm: RSA 4096 bits
- Trust bit enabled: Websites
- Validity period:
- Not after: 2030-12-31
Subordinate CA certificate details:
- Name: ACCV RSA1 TLS
- SHA-256 fingerprint: 11F9571C30C2DE232753D5B158C54F77B0A02DFF417135752D32E98B89BC9719
- Key size/algorithm: RSA 4096 bits
- Use cases: TLS server authentication, TLS client authentication
- End-entity certificates: Organization Validated
- Validity period:
- Not after: 2030-12-01
3. New Dedicated Single Purpose Hierarchy
Root certificate details (1):
- Name: ACCV ROOT RSA TLS 2024
- SHA-256 fingerprint: B40BFA8880A02F93025643C6DBBD39DF194A2854D076E167A2BD8467CF9E2C34
- Key size/algorithm: RSA 4096 bits
- Generation date: 2024-02-27
- Validity period:
- Not before: 2024-02-27
- Not after: 2049-01-26
Subordinate CA certificate details (1):
- Name: ACCV RSA1 TLS
- SHA-256 fingerprint: 346440CF7674A529305545563322FCFB38F5A4B3F1E7E852DFF8A4B7A5EF72D1
- Key size/algorithm: RSA 4096 bits
- Use cases: TLS server authentication, TLS client authentication
- End-entity certificates: Organization Validated
- Validity period:
- Not before: 2024-02-27
- Not after: 2039-02-23
Root certificate details (2):
- Name: ACCV ROOT ECC TLS 2024
- SHA-256 fingerprint: 79CD55455296ADFB55CDF0DBE9176985A0B503C544276C5A9305F2EC9B66693A
- Key size/algorithm: ECC secp384r1
- Generation date: 2024-02-27
- Validity period:
- Not before: 2024-02-27
- Not after: 2049-01-26
Subordinate CA certificate details (2):
- Name: ACCV ECC1 TLS
- SHA-256 fingerprint: 93C087AB9331B74C0FCCCE11BC61FB9FA6D432077D8F1018194FA4CCA664D781
- Key size/algorithm: ECC secp384r1
- Use cases: TLS server authentication, TLS client authentication
- End-entity certificates: Organization Validated
- Validity period:
- Not before: 2024-02-27
- Not after: 2039-02-23
The audits were carried out in accordance with the WebTrust for CAs and WebTrust BR standards.
4. Timeline and Milestones
- February 27, 2024: The key ceremony for the new Root CAs and subordinate CAs was held.
- February 13, 2025: ACCV disclosed dedicated TLS root certificates in CCADB (case 00002252)
- July 1, 2025: Create cross subordinate ACCV RSA1 TLS to complete chain
- July 10, 2025: Disclosed cross subordinate ACCV RSA1 TLS to complete chain
- July 25, 2025: Initial audits were completed
- September 12, 2025: Submission of the new roots inclusion request in CCADB and Bugzilla (case 00002687).
- December 09, 2025: The issuance of new TLS server certificates is migrated to the new dedicated hierarchy. Single-purpose "ACCV RSA1 TLS" starts TLS issuance.
- December 2026: Expiration of the remaining end-entity certificates (natural expiration of the TLS certificates issued shortly before the cessation date).
- 2026 - 2028: Time required for the new roots to be incorporated into the major root stores (Mozilla, Chrome, Microsoft, Apple).
- December 2028: Removal / "distrustAfter" for ACCVRAIZ1.
5. Migration Strategy
ACCV is issuing certificates using the cross-subordinate ACCV RSA1 TLS, so that the cross-chain can be used once the new root certificates have been added to the repositories. There are still active certificates from previous subordinates, but they will all expire before the end of 2026.
At ACCV, we are ready to make the change to the root of trust, pending the inclusion of the certificates in the stores.
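The cross-subordinate arrangement in sections 4 and 5 can be reproduced in miniature with openssl. The script below is an added example and is not part of ACCV's submission or its actual key material; it assumes, as the term "cross subordinate" implies but the plan does not state outright, that the "ACCV RSA1 TLS" certificate under the new root carries the same key pair as the one under ACCVRAIZ1. It builds an old root and a new root, signs one subordinate key under each, issues one leaf with that key, and checks that the leaf validates under either root while the mismatched pairing fails. All names in it (Old Root, New Root, Cross Sub, www.example.test) are made up; it uses P-384 keys rather than RSA 4096 only for speed.

```shell
#!/bin/sh
# Added example, not ACCV's material: a toy rebuild of the cross-subordinate
# arrangement described in the transition plan, using openssl. One subordinate
# key pair gets two CA certificates (one from the old root, one from the new
# root), and a single leaf issued with that key validates under either root.
# All names here (Old Root, New Root, Cross Sub, www.example.test) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config so req/x509 do not depend on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# P-384 keys (the curve of the ACCV ECC hierarchy); quick to generate several.
genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$1" 2>/dev/null; }

# mkroot NAME KEYFILE CERTFILE: self-signed root CA certificate.
mkroot() {
  genkey "$2"
  openssl req -x509 -new -key "$2" -out "$3" -subj "/O=Example/CN=$1" -days 3650 \
    -config ext.cnf -extensions v3_ca 2>/dev/null
}

# issue CSR CACERT CAKEY EXTSECTION SERIAL OUTFILE: sign a CSR with a CA key.
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$5" -days 1825 \
    -extfile ext.cnf -extensions "$4" -out "$6" 2>/dev/null
}

# fp CERT: SHA-256 fingerprint in the colon-free upper-case form used on this page.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'; }

# Builds the hierarchy; returns 0 only if every expected path-validation result holds.
demo_cross_chain() {
  mkroot "Old Root" old_root.key old_root.pem
  mkroot "New Root" new_root.key new_root.pem

  # One subordinate key and CSR, two CA certificates for it: the cross-subordinate.
  genkey sub.key
  openssl req -new -key sub.key -out sub.csr -subj "/O=Example/CN=Cross Sub" \
    -config ext.cnf 2>/dev/null
  issue sub.csr old_root.pem old_root.key v3_sub 1001 sub_by_old.pem
  issue sub.csr new_root.pem new_root.key v3_sub 2001 sub_by_new.pem

  # The end-entity certificate is issued once, with the subordinate key.
  genkey leaf.key
  openssl req -new -key leaf.key -out leaf.csr -subj "/CN=www.example.test" \
    -config ext.cnf 2>/dev/null
  issue leaf.csr sub_by_new.pem sub.key v3_leaf 3001 leaf.pem

  # Same public key in both subordinate certificates, but two distinct certificates
  # (different issuer, serial and signature), hence two different fingerprints.
  openssl x509 -in sub_by_old.pem -noout -pubkey > pub_old.pem
  openssl x509 -in sub_by_new.pem -noout -pubkey > pub_new.pem
  cmp -s pub_old.pem pub_new.pem || return 1
  [ "$(fp sub_by_old.pem)" != "$(fp sub_by_new.pem)" ] || return 1

  # A relying party trusting only the old root validates the leaf via sub_by_old...
  openssl verify -CAfile old_root.pem -untrusted sub_by_old.pem leaf.pem >/dev/null 2>&1 || return 1
  # ...one trusting only the new root validates the same leaf via sub_by_new...
  openssl verify -CAfile new_root.pem -untrusted sub_by_new.pem leaf.pem >/dev/null 2>&1 || return 1
  # ...and the mismatched pairing must fail: the new root never signed sub_by_old.
  if openssl verify -CAfile new_root.pem -untrusted sub_by_old.pem leaf.pem >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

demo_cross_chain && echo "leaf validates under both roots via the cross-subordinate"
```

The failing last check is the operational caveat behind the plan's reliance on root-store inclusion: a client that trusts only the new root cannot build a path through the subordinate certificate signed by the old root, so the chain a server sends (or the intermediates a client can otherwise obtain) has to include the subordinate certificate issued under whichever root that client trusts.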