Open Bug 2033676 Opened 2 months ago Updated 19 days ago

Add National Certification Authority of Sri Lanka TLS Root CA - G1

Categories: CA Program :: CA Certificate Root Program, task, P4
Tracking: Not tracked
Status: ASSIGNED
Reporter: mahinda
Assigned: bwilson
Whiteboard: [ca-initial] [ccadb-case-00003162]
Attachments: 1 file (CP_CPS.pdf)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36

Steps to reproduce:

We are requesting the inclusion of our Root CA certificate in the Mozilla Root Store.

CA Name:
National Certification Authority of Sri Lanka TLS Root CA - G1

Organization:
Sri Lanka CERT

CA Background:
We are the national Root Certification Authority of Sri Lanka, operated by Sri Lanka CERT. Our CA supports national digital infrastructure including government services, digital identity, and secure electronic transactions.

We are seeking inclusion in the Mozilla Root Store to enable trusted TLS communication for our services and users.

CCADB URL:
https://ccadb.my.salesforce.com/500TO00000kFsQbYAK

Root Certificate:
https://nca.gov.lk/wp-content/uploads/certificates/root_ca-tls.der

SHA-256 Fingerprint:
173CF0179612EF44B4491127DF9CD24EA68B7453889035691643B26C4E511F37

Hierarchy:
The root CA is maintained offline. Certificate issuance is performed via subordinate/intermediate CAs.

Certificate Types:
TLS (Server Authentication)

Intended Usage:
Publicly trusted TLS certificates.

Audit Information:

CP/CPS:
https://nca.gov.lk/policies/CP_CPS.pdf

Revocation Information:

Certificate Transparency:
We support Certificate Transparency logging and provide SCTs for issued TLS certificates.

Additional Information:
The audit timing explanation (audit report issued more than 90 days after audit period end) was previously reviewed and accepted in Bug https://bugzilla.mozilla.org/show_bug.cgi?id=2031062

Actual results:

This is a new request for the inclusion of our Root CA certificate. No prior inclusion request has been submitted for this root.

Expected results:

We request that Mozilla review our Root CA for inclusion in the Mozilla Root Store.

Assignee: nobody → bwilson
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Summary: Root CA Inclusion Request - National Certification Authority of Sri Lanka TLS Root CA - G1 → Add National Certification Authority of Sri Lanka TLS Root CA - G1
Whiteboard: [ca-initial] [ccadb-case-00003162]
Priority: -- → P4

Mozilla has performed an initial review of the information submitted in the CCADB and identified several items requiring clarification and additional information before further review can proceed.

The application indicates that the hierarchy will include Externally Operated Subordinate CAs. This raises operational, compliance, and oversight considerations that must be addressed as part of the inclusion process. For reference:

In addition, the application currently requests enablement of Mozilla’s websites trust bit. If NCA intends this hierarchy to issue publicly-trusted TLS certificates, it needs to update the application materials to include all required TLS-related information, including:

  • TLS Domain Validation methods
  • Automated issuance information
  • Public test infrastructure URL
  • Test websites as required by section 2.2 of the TLS BRs

Also, NCA needs to provide a Value Statement meeting the requirements described here: https://wiki.mozilla.org/CA/Quantifying_Value

Thank you for the review and observations provided regarding our inclusion request.

The National Certification Authority of Sri Lanka (NCA) Root CA hierarchy has been established, including one registered subordinate CA under the NCA Root CA framework.
The subordinate CA has completed Key Generation Ceremony (KGC) activities and audit processes; however, it has not yet been registered in CCADB. The subordinate CA is currently intended for document signing purposes only and is not operating for publicly trusted TLS certificate issuance at this stage.
Accordingly, public TLS issuance infrastructure, automated issuance operations, and public test websites are not yet operational at this stage.
We are also in the process of preparing the requested Value Statement and additional operational documentation for future submission.

In the future, NCA intends to establish and operate subordinate CA services directly under the NCA Root CA governance framework as part of the continued development of Sri Lanka’s national PKI infrastructure.

Given the current onboarding and pre-operational status of the hierarchy, we kindly request guidance regarding the appropriate next steps and expectations for continuing the inclusion review process at this stage.

Thank you for your guidance and support.

We would recommend that the NCA create purpose-specific roots and maintain separate hierarchies, each separate for document signing, email, TLS, and other purposes.

Thank you for the clarification and recommendation.

For clarification, NCA maintains separate root hierarchies for different trust services. The root certificate currently under review, National Certification Authority of Sri Lanka TLS Root CA - G1, is dedicated to TLS services.

At present, no publicly trusted TLS subordinate CA has been activated under this hierarchy, and public TLS certificate issuance operations have not yet commenced. As a result, TLS-related operational components such as domain validation processes, automated issuance systems, public test infrastructure, and test websites are not yet available.

The TLS hierarchy is currently in the onboarding and operational readiness phase. NCA intends to establish the necessary TLS subordinate CA infrastructure and supporting validation services prior to commencing public TLS certificate issuance.

Given the current pre-operational status of the TLS hierarchy, we would appreciate guidance regarding the information that should be provided at this stage of the review process and whether certain TLS operational requirements may be submitted once the TLS subordinate CA becomes active.
