Add WISeKey root CA certificate to NSS

RESOLVED FIXED in 3.12.4

Status

NSS
CA Certificates Code
--
enhancement
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: Frank Hecker, Assigned: kaie)

Tracking

Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
This bug requests inclusion in the NSS root certificate store of the following
root CA certificate, owned by WISeKey SA:

Friendly name: "OISTE WISeKey Global Root GA CA"
SHA-1 fingerprint:
59:22:A1:E1:5A:EA:16:35:21:F8:98:39:6A:46:46:B0:44:1B:0F:A9
Trust flags: Email, Web sites
URL: http://public.wisekey.com/crt/owgrgaca.crt

The certificate(s) themselves will be attached momentarily, as downloaded from the URLs above and verified using the stated fingerprints.

The OISTE WISeKey Global Root GA CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion per bug 371362.

The remaining steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is
correct, and that the correct certificate(s) have been attached.

2) A Mozilla representative provides software and instructions for testing that the certificate(s) have been correctly included. A representative of the CA must download the software, follow the instructions, and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that SSL-enabled websites and other functions work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and
marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate(s). This process is mostly under
the control of the release drivers for those products.
(Reporter)

Comment 1

9 years ago
Created attachment 350552 [details]
OISTE WISeKey Global Root GA CA certificate

Attached the WISeKey root CA certificate

Comment 2

9 years ago
In accordance with 1) I confirm on behalf of WISeKey that the data in the bug is correct, and the attached certificate is correct. Kevin Blackman, WISeKey SA
Component: Libraries → CA Certificates
QA Contact: libraries → root-certs
Version: unspecified → trunk
(Assignee)

Comment 3

9 years ago
Could you please provide a test URL, https address pointing to a server that uses a cert issued by this CA? Thanks.

Comment 4

9 years ago
(In reply to comment #3)
> Could you please provide a test URL, https address pointing to a server that
> uses a cert issued by this CA? Thanks.

As requested:-
https://secure.certifyid.com/certifyid/accounts/
(Assignee)

Comment 5

9 years ago
A test firefox build is available here:
Please verify it contains your root CA cert with the correct trust flags.
You should be able to connect to your test server.

https://build.mozilla.org/tryserver-builds/2009-03-11_10:52-kaie@kuix.de-kaie-evroots-0903/

Please give feedback whether it looks correct.
Thanks.

Comment 6

9 years ago
(In reply to comment #5)
> Please give feedback whether it looks correct.
> Thanks.

It works properly, and has the correct test flags. However the Mozilla test build reports "Verified by Wisekey", whilst its the "OISTE WISeKey Root"... OISTE is the foundation that owns the private key, and Wisekey is the operating company. Can the Friendly Name be "OISTE WISeKey", and thus "verified by OISTE WISeKey" ?
If yes then please let it be so. If not then we accept it as is.

Comment 7

9 years ago
Correction: It has the correct TRUST flags.
(Assignee)

Comment 8

9 years ago
The friendly name we used is "OISTE WISeKey Global Root GA CA".
This is not what you see displayed.

I believe we display the O (organization) field from the root's subject name when you see "Wisekey" displayed.

Comment 9

9 years ago
Additionally it displays the intermediate CAs organization name, not the root. We've been discussing to have that changed though, albeit no decision has been taken as far as I know. Frank, is this something we should do?

Comment 10

9 years ago
OK, that answers my question. Everything A-ok on this side.
(In reply to comment #9)
> Additionally it displays the intermediate CAs organization name, not the root.
> We've been discussing to have that changed though, albeit no decision has been
> taken as far as I know. 

Is there a bug about that?  If so, what number?
Now there is: bug 483031
(Assignee)

Updated

9 years ago
Depends on: 487718
(Assignee)

Comment 13

9 years ago
fixed with the patch in bug 487718
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(Assignee)

Updated

9 years ago
Target Milestone: --- → 3.12.4
You need to log in before you can comment on or make changes to this bug.