Closed Bug 418907 Opened 17 years ago Closed 17 years ago

Add Trustwave SecureTrust CA and Secure Global CA root CA certificates to NSS


(NSS :: Libraries, defect)

Not set


(Not tracked)



(Reporter: hecker, Assigned: KaiE)




(3 files)

his bug requests inclusion in the NSS root certificate store of the following two root CA certificates, owned by Trustwave:

1) Friendly name: "SecureTrust CA"
   SHA-1 fingerprint:
   Trust flags: Web sites, Object signing

2) Friendly name: "Secure Global CA"
   SHA1 Fingerprint:
   Trust flags: Web sites, Email, Object signing

The certificate(s) themselves will be attached momentarily, as downloaded from
the URLs above and verified using the stated fingerprints.

The SecureTrust CA and Secure Global CA have been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion per bug 409837 and bug 409838.

The remaining steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate(s). This process is mostly under
the control of the release drivers for those products.
Blocks: 418910
Assignee: nobody → kengert
Attached patch preliminary codeSplinter Review
No patch yet, I hope to combine the work for this patch with additional CA inclusions (soon), but here is what I already produced for testing, so it saves me some work later.

addbuiltin -n "SecureTrust CA" -t C,,C < p-418907-ca1.der >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt

addbuiltin -n "Secure Global CA" -t C,C,C < p-418907-ca2.der >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt
Depends on: 425469
Dear Trustwave representatives, you have not yet confirmed the information listed in this bug is correct.

I went ahead and included your certificate in a test build anyway.
Please read bug 425469 comment 3 to find the binary roots module for testing and follow Frank's requests given in this tracking bug.

Adding your roots to Mozilla/NSS is blocked pending your confirmation that everything is correct.

Please do not forget to verify the trust flags are correct.
Kai -
Sorry for the delay.  All seems to be good technically, but would it be possible to group the three Trustwave CAs under Trustwave as opposed to where it is currently:
1)secureglobal CA (SGCA) and securetrust CA (STCA) under securetrust 2)xramp CA (XGCA) under xramp

Have it as:

"XRamp Security Services, Inc.", is a successor to SecureTrust corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave").  Neither XRamp or Securetrust legally exist anymore.

Andrew, are you referring to the order as displayed within certificate manager?
Sorry, but that order isn't manual. It's automatically created based on the O= (if I remember correctly) or some other field.
Andrew, in comment 5 you said:

> All seems to be good technically

I assume you're saying:
- all information in this bug is correct
- you have tested the binary
- the binary works as desired
- we can go ahead and add the roots

Please speak up if I'm wrong.
I said "All seems to be good technically" which means yes to all 4 bullets.

What I was hoping in response to 3-31 09:54 was that the three Trustwave roots would be blocked underneath a "Trustwave" heading, much as all of Verisigns Class 1-n is blocked under "Verisign" within certificate manager.  In a quick look, it appears that all are blocked by the "O=", so if it cant be done - then "oh, well" - it is no show stopper.

This root was added to NSS for version 3.12 with a checkin noted in bug 425469.
Marking fixed.
Closed: 17 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12
You need to log in before you can comment on or make changes to this bug.