If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Add SwissSign root CA certificates to NSS

RESOLVED FIXED in 3.11.9

Status

NSS
Libraries
--
enhancement
RESOLVED FIXED
10 years ago
9 years ago

People

(Reporter: Frank Hecker, Assigned: kaie)

Tracking

unspecified
3.11.9

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

10 years ago
This bug requests inclusion in the NSS root certificate store of the following
certificates, owned by SwissSign:

1) Friendly name: "SwissSign Platinum CA - G2"
   SHA-1 fingerprint:
56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66
   Trust flags: Email, Object signing
   URL:
http://swisssign.net/cgi-bin/authority/download?ca=50AFCC078715476F38C5B465D1DE95AAE9DF9CCC&into=browser

2) Friendly name: "SwissSign Gold CA - G2"
   SHA1 Fingerprint:
D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
   Trust flags: Web sites, Email, Object signing
   URL:
http://swisssign.net/cgi-bin/authority/download?ca=5B257B96A465517EB839F3C078665EE83AE7F0EE&into=browser

3) Friendly name: "SwissSign Silver CA - G2"
   SHA1 Fingerprint:
9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB
   Trust flags: Web sites, Email, Object signing
   URL:
https://swisssign.net/cgi-bin/authority/download?ca=17A0CDC1E441B63A5B3BCB459DBD1CC298FA8658&into=browser

The certificate(s) themselves will be attached momentarily, as downloaded from the URLs above. Note that I contacted SwissSign via telephone (using a telephone number obtained from third-party telephone directories and matching that on the SwissSign web site) and confirmed that the above SHA-1 fingerprints are correct for the certificates to be included. I will also send a signed email to the bug assignee confirming the fingerprints.

The SwissSign CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion per bug 343756.

The remaining steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached.

2) The Mozilla representative adds the certificate(s) to the store, and marks the bug RESOLVED FIXED.

3) When a development version of Firefox becomes available with the certs included, a representative of the CA must download a copy and confirm (by adding a comment here) that the certificates have been correctly imported. If this does not happen, the certificates will be removed again.

4) The bug is VERIFIED.
(Reporter)

Comment 1

10 years ago
Created attachment 292119 [details]
SwissSign Platinum CA - G2 root certificate
(Reporter)

Comment 2

10 years ago
Created attachment 292120 [details]
SwissSign Gold CA - G2 root certificate
(Reporter)

Comment 3

10 years ago
Created attachment 292123 [details]
SwissSign Silver CA - G2 root certificate
(Reporter)

Comment 4

10 years ago
All three SwissSign root CA certificates have now been added as attachments. I double-checked the SHA-1 fingerprints once more before adding.
OS: Mac OS X → All
Hardware: Macintosh → All
(Reporter)

Updated

10 years ago
Assignee: nobody → kengert

Comment 5

10 years ago
(In reply to comment #0)
> This bug requests inclusion in the NSS root certificate store of the following
> certificates, owned by SwissSign:
> 
> 1) Friendly name: "SwissSign Platinum CA - G2"
>    SHA-1 fingerprint:
> 56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66
>    Trust flags: Email, Object signing
>    URL:
> http://swisssign.net/cgi-bin/authority/download?ca=50AFCC078715476F38C5B465D1DE95AAE9DF9CCC&into=browser
> 
> 2) Friendly name: "SwissSign Gold CA - G2"
>    SHA1 Fingerprint:
> D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
>    Trust flags: Web sites, Email, Object signing
>    URL:
> http://swisssign.net/cgi-bin/authority/download?ca=5B257B96A465517EB839F3C078665EE83AE7F0EE&into=browser
> 
> 3) Friendly name: "SwissSign Silver CA - G2"
>    SHA1 Fingerprint:
> 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB
>    Trust flags: Web sites, Email, Object signing
>    URL:
> https://swisssign.net/cgi-bin/authority/download?ca=17A0CDC1E441B63A5B3BCB459DBD1CC298FA8658&into=browser
> 
> The certificate(s) themselves will be attached momentarily, as downloaded from
> the URLs above. Note that I contacted SwissSign via telephone (using a
> telephone number obtained from third-party telephone directories and matching
> that on the SwissSign web site) and confirmed that the above SHA-1 fingerprints
> are correct for the certificates to be included. I will also send a signed
> email to the bug assignee confirming the fingerprints.
> 
> The SwissSign CA has been assessed in accordance with the Mozilla project
> guidelines, and the certificates approved for inclusion per bug 343756.
> 
> The remaining steps are as follows:
> 
> 1) A representative of the CA must confirm that all the data in this bug is
> correct, and that the correct certificate(s) have been attached.
> 
> 2) The Mozilla representative adds the certificate(s) to the store, and marks
> the bug RESOLVED FIXED.
> 
> 3) When a development version of Firefox becomes available with the certs
> included, a representative of the CA must download a copy and confirm (by
> adding a comment here) that the certificates have been correctly imported. If
> this does not happen, the certificates will be removed again.
> 
> 4) The bug is VERIFIED.
> 


Hi,

I confirm, that the above certificates are the right ones.

Melanie Raemy
(Assignee)

Updated

10 years ago
Blocks: 411299
(Reporter)

Comment 6

10 years ago
My apologies, the procedure I outlined above is incorrect; thanks to Kai Engert for pointing me to the correct procedures. Melanie, thanks for confirming the certificate data; we now need to know the OS for which you will do testing (second part of step 1).

The steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.
(Assignee)

Comment 7

10 years ago
Please note that I plan to produce a single version of the nssckbi (module with roots) only, for Windows. I hope you will be able to do all your testing on Windows. This will save me from doing extra work.

(Assignee)

Comment 8

10 years ago
A Windows DLL is ready for testing.
It should include the certs listed in this bug.

Please click here to download it: attachment 295966 [details]

You will download a zip file.
Please extract the file.
You will get a file named nssckbi.dll
It should have a file size of 294912 bytes (technical detail: md5sum 6afef34fd2b6b1c3309e10b6f74bd158)

In order to test, please get a build of Firefox 2.0.0.x for Windows.
Install it.
Quit Firefox.
Then find the directory that contains nssckbi.dll
Replace the file with the one you downloaded from this bug.

Start Firefox.
Open certificate manager.

It should show your new certs.

Comment 9

10 years ago
(In reply to comment #8)
> A Windows DLL is ready for testing.
> It should include the certs listed in this bug.
> 
> Please click here to download it: attachment 295966 [details]
> 
> You will download a zip file.
> Please extract the file.
> You will get a file named nssckbi.dll
> It should have a file size of 294912 bytes (technical detail: md5sum
> 6afef34fd2b6b1c3309e10b6f74bd158)
> 
> In order to test, please get a build of Firefox 2.0.0.x for Windows.
> Install it.
> Quit Firefox.
> Then find the directory that contains nssckbi.dll
> Replace the file with the one you downloaded from this bug.
> 
> Start Firefox.
> Open certificate manager.
> 
> It should show your new certs.
> 

Hi,

Thank you very much for your effort and explanations.
I could replace the nssckbi.dll file in the directory and it worked well.
The SwissSign Certificates were shown in the certificate manager of Firefox.
They appeared as "Builtin Object Token". 
I checked all three fingerprints and subjects and serial number etc. and these are the right ones.

Best regards,
Melanie Raemy
(Assignee)

Comment 10

10 years ago
Frank, and representatives of the CA:

I would like to propose one more detail for the verification steps.
Please ensure that correct "trust flags" are assigned to each new root certificate.

The requested trust flags are listed in the initial section of this bug report.
When using certificate manager, you can use the "edit trust" button to display the categories which are currently trusted.


In particular to this bug request, I want to point out:
The "platinum" root was added with no trust for web sites / ssl servers, as indicated in this bug.

Comment 11

10 years ago
(In reply to comment #10)
> Frank, and representatives of the CA:
> 
> I would like to propose one more detail for the verification steps.
> Please ensure that correct "trust flags" are assigned to each new root
> certificate.
> 
> The requested trust flags are listed in the initial section of this bug report.
> When using certificate manager, you can use the "edit trust" button to display
> the categories which are currently trusted.
> 
> 
> In particular to this bug request, I want to point out:
> The "platinum" root was added with no trust for web sites / ssl servers, as
> indicated in this bug.
> 

Hi, 

Thank you for your remark.
I verified now also the "trust flags", and they are correct.

Best Regards,
Melanie Raemy
(Assignee)

Comment 12

10 years ago
This was fixed by bug 411299
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Updated

9 years ago
Target Milestone: --- → 3.11.9
You need to log in before you can comment on or make changes to this bug.