Closed Bug 424152 Opened 17 years ago Closed 16 years ago

Add thawte Primary Root CA to NSS


(NSS :: Libraries, enhancement)

Not set


(Not tracked)



(Reporter: hecker, Assigned: KaiE)




(1 file)

This bug requests inclusion in the NSS root certificate store of the following
root CA certificate, owned by thawte:

1) Friendly name: "thawte Primary Root CA"
   SHA-1 fingerprint:
   Trust flags: Web sites

The thawte Primary Root CA has been assessed in accordance with the Mozilla project guidelines, and the certificate approved for inclusion per bug 407163.

The remaining steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.
Blocks: 424154
Depends on: 425469
Dear Thawte representatives, you have not yet confirmed the information listed in this bug is correct.

I went ahead and included your certificate in a test build anyway.
Please read bug 425469 comment 3 to find the binary roots module for testing and follow Frank's requests given in this tracking bug.

Adding your roots to Mozilla/NSS is blocked pending your confirmation that everything is correct.

Please do not forget to verify the trust flags are correct.
I reviewed the information in this bug and it is correct. We are still waiting internally for answer on question 2.
We have tested with the test build, and chaining looks fine. When we use FF
to visit a site with an EV cert (, the server returns this
chain: EE->intermediate->cross cert. But FF shows the chain as
EE->intermediate->new root, which is the expected behavior.

However, we need all three trust flags set, but only "web sites" is set.
Correction - the site we tested with (among others) was, not
(In reply to comment #4)
> However, we need all three trust flags set, but only "web sites" is set.

My comments in bug 422918 apply here as well.

Should we go ahead and start by adding the root now, with trust flag SSL only?

We could fix the trust flags at a later time.
This root was added to NSS for version 3.12 with a checkin noted in bug 425469.
Marking fixed.
Closed: 16 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12
Target Milestone: 3.12 → 3.11.10
You need to log in before you can comment on or make changes to this bug.