Add " Staat der Nederlanden Root CA - G2" root certificate to NSS

RESOLVED FIXED

Status

task
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: kwilson, Assigned: kaie)

Tracking

Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: In NSS 3.12.6 and Firefox 3.6.2)

Attachments

(1 attachment)

1.45 KB, application/x-x509-ca-cert
Details
Posted file Root Cert
This bug requests inclusion in the NSS root certificate store of the following certificate, owned by Staat der Nederlanden:

Friendly name: Staat der Nederlanden Root CA - G2

Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=408102

SHA1 Fingerprint: 59:af:82:79:91:86:c7:b4:75:07:cb:cf:03:57:46:eb:04:dd:b7:16

Trust flags: web sites, code signing

Test Cert: https://www.pkioverheid.nl/fileadmin/PKI/PKI_certifcaten/staatdernederlandenorganisatieca-g2.crt

This CA has been assessed in accordance with the Mozilla project guidelines, and the root certificate has been approved for inclusion in bug #436056.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.
Mark, Please see step #1 above.
I hereby confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached.

The OS we will use for testing is Microsoft Windows XP Professional SP3.  

Regards
Mark
It's been almost 2 months ago since I have confirmed that all the data in this bug is correct. 

What is the progress with regard to the inclusion of the Staat der Nederlanden Root CA - G2 in NSS? 

What is the timetable on:  
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Inclusion_Phase
https://wiki.mozilla.org/CA:How_to_apply#Timeline

Root inclusions/updates in NSS are grouped and done as a batch when there is
either a large enough set of changes or about every 3 months. The last batch
was done in early November, so it will likely be a couple of months before the next batch is done.

When the next batch of root inclusions/updates is worked on, a test build will
be provided and this bug will be updated to request that you test it. Since you
are cc'd on this bug, you will get notification via email when that happens.
Depends on: 542476
Do you have a test web site which requires your new cert?
Hi Kai,

With regard to a test website see this comment in bug 436056: https://bugzilla.mozilla.org/show_bug.cgi?id=436056#c20 

Up to this moment we still don't have a SSL cert on a (test)website which can be used for testing purposes. So please use one of our sub CAs (see below) as was agreed upon with Kathleen Wilson.

Domain sub CAs:
https://www.logius.nl/fileadmin/logius/product/pkioverheid/certificaten/staatdernederlandenorganisatieca-g2.crt 
https://www.logius.nl/fileadmin/logius/product/pkioverheid/certificaten/staatdernederlandenburgerca-g2.crt

or

CSP CAs:
https://www.logius.nl/fileadmin/logius/product/pkioverheid/certificaten/ESG_CA_-_G2.crt
https://www.logius.nl/fileadmin/logius/product/pkioverheid/certificaten/Getronics%20CSP%20Organisatie%20CA%20-%20G2.crt

To prevent misunderstandings GBO.Overheid is called Logius since January 11 this year: http://www.logius.nl/english/ Please change this in your administration. Many thanks. 

Regards,
Mark
Hi Mark. You say I need an intermediate (sub) CA for the test? That's fine.

But which http:// address should I open for testing?
Please find test builds here:
https://build.mozilla.org/tryserver-builds/kaie@kuix.de-test_192_542476/

Please note, the files in that directory will go away in around 12 days, so please act quickly, or download and keep them.

It's a test build of Firefox 3.6 which includes your root cert.
For testing on Windows you need -win32.zip, for Linux -linux.tar.bz2, for Mac get -macosx.dmg

Please test it, connect to a test site, make sure it works as you expect, and also verify that it has the correct trust flags you have asked for (certificate manager, CA tab, click cert, click "edit" to view the trust flags).

Please report whether it's OK.
Hi Kai,

We have tested the specific test build of Firefox 3.6. We have noticed that our Staat der Nederlanden Root CA - G2 was included. We have checked the SHA-1 fingerprint and the trust flags. Both are OK. Furthermore we didn't encounter any problems during our test. So everything appears to be in order.

I hereby confirm that it is OK to include our Staat der Nederlanden Root CA - G2 for the next release of the NSS root certificate store. 

Any indication as to when this will happen? 

Reagrds,
Mark
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.12.6 and Firefox 3.6.2
You need to log in before you can comment on or make changes to this bug.