Add thawte Primary Root CA to NSS



11 years ago
10 years ago


(Reporter: hecker, Assigned: kaie)





(1 attachment)



11 years ago
This bug requests inclusion in the NSS root certificate store of the following
root CA certificate, owned by thawte:

1) Friendly name: "thawte Primary Root CA"
   SHA-1 fingerprint:
   Trust flags: Web sites

The thawte Primary Root CA has been assessed in accordance with the Mozilla project guidelines, and the certificate approved for inclusion per bug 407163.

The remaining steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.

Comment 1

11 years ago
Created attachment 310772
thawte Primary Root CA certificate


11 years ago
Blocks: 424154


11 years ago
Depends on: 425469

Comment 2

11 years ago
Dear Thawte representatives, you have not yet confirmed the information listed in this bug is correct.

I went ahead and included your certificate in a test build anyway.
Please read bug 425469 comment 3 to find the binary roots module for testing and follow Frank's requests given in this tracking bug.

Adding your roots to Mozilla/NSS is blocked pending your confirmation that everything is correct.

Please do not forget to verify the trust flags are correct.

Comment 3

11 years ago
I reviewed the information in this bug and it is correct. We are still waiting internally for an answer on question 2.

Comment 4

11 years ago
We have tested with the test build, and chaining looks fine. When we use FF
to visit a site with an EV cert (, the server returns this
chain: EE->intermediate->cross cert. But FF shows the chain as
EE->intermediate->new root, which is the expected behavior.

However, we need all three trust flags set, but only "web sites" is set.

Comment 5

11 years ago
Correction - the site we tested with (among others) was, not

Comment 6

11 years ago
(In reply to comment #4)
> However, we need all three trust flags set, but only "web sites" is set.

My comments in bug 422918 apply here as well.


Comment 7

11 years ago
Should we go ahead and start by adding the root now, with trust flag SSL only?

We could fix the trust flags at a later time.

Comment 8

11 years ago
This root was added to NSS for version 3.12 with a checkin noted in bug 425469.
Marking fixed.
Last Resolved: 11 years ago
Resolution: --- → FIXED


10 years ago
Target Milestone: --- → 3.12


10 years ago
Target Milestone: 3.12 → 3.11.10