541499 - Add Hongkong Post Root CA 1 root certificate to NSS

Status: RESOLVED FIXED

(NSS :: CA Certificates Code, task)

Description

[Kathleen Wilson]

Attachment: Hongkong Post Root Cert

This bug requests inclusion in the NSS root certificate store of the following certificate, owned by Hongkong Post.  

Friendly name: Hongkong Post Root CA 1

Certificate location:
http://www.hongkongpost.gov.hk/product/download/root/img/smartid_rt.cacert

SHA1 Fingerprint:
D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58

Trust flags: websites

Test URL: https://www.hongkongpost.gov.hk/

This CA has been assessed in accordance with the Mozilla project guidelines, and the root certificate has been approved for inclusion in bug #408949.

The next steps are as follows:  

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.  

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.  

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.  

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.

Comment 1

[Kathleen Wilson]

Man Ho, Please see step #1 above.  Also, I think a new test URL may be needed -- one that chains up to the new sub-CA.

Comment 2

[Man Ho]

Kathleen, thank you. I confirm that all information in this bug is correct. Hongkong Post CA would like all OSs that are currently supported by Firefox 2.0 or above to use to perform the verification.

Here is the new test URL: https://testingwww1.hongkongpost.gov.hk/ssl/

Comment 3

[Kai Engert (:KaiE:)]

Please find test builds here:
https://build.mozilla.org/tryserver-builds/kaie@kuix.de-test_192_542476/

Please note, the files in that directory will go away in around 12 days, so please act quickly, or download and keep them.

It's a test build of Firefox 3.6 which includes your root cert.
For testing on Windows you need -win32.zip, for Linux -linux.tar.bz2, for Mac get -macosx.dmg

Please test it, connect to a test site, make sure it works as you expect, and also verify that it has the correct trust flags you have asked for (certificate manager, CA tab, click cert, click "edit" to view the trust flags).

Please report whether it's OK.

Comment 4

[Man Ho]

Many thanks. We have tested the build in various Windows OS, Linux (CentOS 5.3) and Mac OS X 10.5.8. I can confirm that it works well as expected and the trust flags are correct.

Comment 5

[Man Ho]

May I ask a question. When and what version of Firefox should I expect this enhancement be included in Firefox?

Comment 6

[Kathleen Wilson]

I just downloaded Firefox version 3.6.2, and this root certificate is listed as a Builtin Object Token. My understanding is that this change is also in version 3.5.9.