Closed Bug 394733 Opened 18 years ago Closed 18 years ago

Add IdenTrust root CA certificate(s) to NSS

Categories

(NSS :: Libraries, enhancement)

RESOLVED FIXED
3.11.9

People

(Reporter: gerv, Assigned: KaiE)


This bug requests inclusion in the NSS root certificate store of the following certificate(s), owned by IdenTrust:

1) Friendly name: "DST Root CA X3"
SHA1 Fingerprint: DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
Trust flags: Websites

2) Friendly name: "DST ACES CA X6"
SHA1 Fingerprint: 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
Trust flags: Websites

The certificate(s) themselves will be attached momentarily.

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate(s) approved for inclusion in bug 359069.

The steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.

Gerv
Attached file DST Root CA X3
Attached file DST ACES CA X6
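The fingerprint confirmation asked for in step 1 above can be scripted; the following is an added example, not part of the original bug report or of NSS. It computes the SHA-1 fingerprint of a certificate supplied as PEM or DER and compares it with the values listed in comment 0. The function names are illustrative and the sample bytes are constructed, not one of the attached certificates.

```python
import base64
import hashlib
import hmac
import re

# SHA1 fingerprints requested in comment 0 of this bug.
EXPECTED_SHA1 = {
    "DST Root CA X3": "DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13",
    "DST ACES CA X6": "40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(blob: bytes) -> bytes:
    """Return the DER bytes of a single certificate given as PEM or DER."""
    blocks = PEM_RE.findall(blob)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found %d" % len(blocks))
    if blocks:  # PEM: strip whitespace, then strict base64 decode
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if not blob.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("input is neither PEM nor DER")
    return blob


def sha1_fingerprint(blob: bytes) -> str:
    """Fingerprint = SHA-1 over the DER encoding, as colon-separated hex."""
    digest = hashlib.sha1(to_der(blob)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fingerprint: str) -> str:
    """Drop separators and case so differently formatted values compare."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()
    if len(hexdigits) != 40:
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return hexdigits


def matches(blob: bytes, expected: str) -> bool:
    return hmac.compare_digest(normalise(sha1_fingerprint(blob)), normalise(expected))


if __name__ == "__main__":
    # Constructed stand-in bytes, NOT one of the attached certificates.
    sample = b"\x30\x82\x00\x04" + b"demo"
    print(sha1_fingerprint(sample))
    for name, expected in EXPECTED_SHA1.items():
        print(name, "match" if matches(sample, expected) else "MISMATCH")
```

To check a real attachment, read the downloaded file in binary mode and pass its bytes to `matches` together with the fingerprint for that friendly name.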
CCing Ben and Travis; the next action is theirs. Gerv
Hi Gerv,

The attached certificates and sha1 fingerprints are correct. Our product team would like to see the following builds if possible:

a. Windows XP
b. Windows Vista
c. Mac OS

Thanks Gerv
-Travis

(In reply to comment #3)
> CCing Ben and Travis; the next action is theirs.
>
> Gerv
>
As a follow up to (In reply to comment #0) below, I think we are awaiting a test build of NSS and the attachment of the nssckbi.dll file to this bug. Am I correct?

> The steps are as follows:
...
> 2) A Mozilla representative creates a test build of NSS with the new
> certificate(s), and attaches nssckbi.dll to this bug. A representative of the
> CA must download this, drop it into a copy of Firefox and/or Thunderbird on the
> OS in question and confirm (by adding a comment here) that the certificate(s)
> have been correctly imported and that websites work correctly.
Blocks: 411299
Please note that I plan to produce a single version of the nssckbi (module with roots) only, for Windows. I hope you will be able to do all your testing on Windows.
A Windows DLL is ready for testing.
It should include the certs listed in this bug.

Please click here to download it: attachment 295966 [details]

You will download a zip file.
Please extract the file.
You will get a file named nssckbi.dll
It should have a file size of 294912 bytes (technical detail: md5sum 6afef34fd2b6b1c3309e10b6f74bd158)

In order to test, please get a build of Firefox 2.0.0.x for Windows.
Install it.
Quit Firefox.
Then find the directory that contains nssckbi.dll
Replace the file with the one you downloaded from this bug.

Start Firefox.
Open certificate manager.

It should show your new certs.
Hi Kai,

I have downloaded and installed the dll and both certs show in the cert store correctly. Will this be rolled out in the next version, or as a security patch?

Thanks much,
-Travis

(In reply to comment #8)
> A Windows DLL is ready for testing.
> It should include the certs listed in this bug.
>
> Please click here to download it: attachment 295966 [details]
>
> You will download a zip file.
> Please extract the file.
> You will get a file named nssckbi.dll
> It should have a file size of 294912 bytes (technical detail: md5sum
> 6afef34fd2b6b1c3309e10b6f74bd158)
>
> In order to test, please get a build of Firefox 2.0.0.x for Windows.
> Install it.
> Quit Firefox.
> Then find the directory that contains nssckbi.dll
> Replace the file with the one you downloaded from this bug.
>
> Start Firefox.
> Open certificate manager.
>
> It should show your new certs.
>
(In reply to comment #9)
> Hi Kai, I have downloaded and installed the dll and both certs show in the cert
> store correctly. Will this be rolled out in the next version, or as a security
> patch? Thanks much,

Please note the following words are not a guarantee, but rather an expression of the current thinking.

We try to minimize the number of times we drop new roots into NSS. This bug will be resolved as part of bug 402199, together with 2 other CAs (unless this results in a delay of several weeks, for whatever reasons).

When completed, the new roots will become part of NSS 3.12 beta.

A couple of weeks after that updated NSS beta probably will become part of the Firefox 3 beta nightly builds.

Only after that event we might consider to drop the new roots into the stable branch of NSS 3.11.x and consider to drop a new snapshot of that branch into the stable Firefox 2.0.0.x series.
Frank, and representatives of the CA:

I would like to propose one more detail for the verification steps. Please ensure that correct "trust flags" are assigned to each new root certificate.

The requested trust flags are listed in the initial section of this bug report. When using certificate manager, you can use the "edit trust" button to display the categories which are currently trusted.
(In reply to comment #11)
> Frank, and representatives of the CA:
>
> I would like to propose one more detail for the verification steps.
> Please ensure that correct "trust flags" are assigned to each new root
> certificate.
>
> The requested trust flags are listed in the initial section of this bug report.
> When using certificate manager, you can use the "edit trust" button to display
> the categories which are currently trusted.
>

Hi Kai,

I have verified with our legal team that the Trust Flags for both DSTACES CA X6, and DST Root CA X3 are correct.

Thanks much,
-Travis
Is there any way our X3 and X6 roots can be placed ASAP (through any upcoming scheduled patches) in the stable builds of NSS 3.11.x and Firefox 2.0.0.x series? Is there anything we can do on our end to expedite this? It's critical for a number of Fortune 500 companies who are our customers and who use the certificates to secure communications.
I think this bug has been fixed with bug 411299, so marking it fixed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.11.9