Add Camerfirma root certificates to NSS

RESOLVED FIXED

Status

NSS
CA Certificates
--
enhancement
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Kathleen Wilson, Assigned: kaie)

Tracking

Firefox Tracking Flags

(Not tracked)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
Created attachment 442126 [details]
Chambers of Commerce Root - 2008

This bug requests inclusion in the NSS root certificate store of the following
certificates, owned by Camerfirma.

Friendly name: Chambers of Commerce Root - 2008
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=339325
SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
Trust flags: Websites, Email, Code Signing
Test URL: https://server1.camerfirma.com:8081/

Friendly name: Global Chambersign Root - 2008
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=339324
SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
Trust flags: Websites, Email, Code Signing
Test URL: https://server2.camerfirma.com:8082/

This CA has been assessed in accordance with the Mozilla project guidelines,
and the certificate approved for inclusion in bug #406968.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is
correct, and that the correct certificate(s) have been attached. They must also
specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new
certificate(s), and attaches nssckbi.dll to this bug. A representative of the
CA must download this, drop it into a copy of Firefox and/or Thunderbird on the
OS in question and confirm (by adding a comment here) that the certificate(s)
have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and
marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate. This process is mostly under the
control of the release drivers for those products.
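Step 1 asks the CA to confirm that the right certificates are attached, and the SHA1 fingerprints listed above are the concrete check for that. The following Python is an added example, not code from this bug, from Camerfirma or from NSS: it extracts every certificate from a PEM attachment (a bundle may carry several), computes the SHA1 fingerprint over the DER bytes, which is the value Bugzilla and the Firefox certificate viewer display, and reports which of the fingerprints listed in this bug are present. The embedded certificate bytes are a constructed placeholder, not a real certificate, so both roots are reported as absent when it runs.

```python
import base64
import hashlib
import re

# Fingerprints exactly as listed in this bug (SHA1 over the DER encoding).
EXPECTED_FINGERPRINTS = {
    "Chambers of Commerce Root - 2008":
        "78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c",
    "Global Chambersign Root - 2008":
        "4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c",
}

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate found in a PEM file.

    An attachment may be a bundle holding several certificates; CRLF line
    endings and indentation inside the base64 body are tolerated.
    """
    ders = []
    for match in PEM_CERT_RE.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))
        ders.append(base64.b64decode(body, validate=True))
    return ders


def sha1_fingerprint(der):
    """SHA1 of the DER encoding, formatted the way Firefox shows it (aa:bb:...)."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Reduce 'AA:BB', 'aa bb' or 'aabb' forms to lowercase hex without separators."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(hexdigits) != 40:
        raise ValueError("a SHA1 fingerprint has 20 bytes: %r" % text)
    return hexdigits


def fingerprint_matches(der, expected):
    """True if the certificate's SHA1 fingerprint equals the expected one."""
    return normalize_fingerprint(sha1_fingerprint(der)) == normalize_fingerprint(expected)


def check_attachment(pem_text, expected=EXPECTED_FINGERPRINTS):
    """Map each friendly name to whether a cert with that fingerprint is in the attachment."""
    ders = pem_to_der_list(pem_text)
    return {name: any(fingerprint_matches(der, fp) for der in ders)
            for name, fp in expected.items()}


# Constructed placeholder bytes standing in for an attached certificate.
# This is NOT a real certificate and NOT a Camerfirma root; it only exercises
# the PEM framing and the hashing/comparison logic.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-placeholder-not-a-real-cert" * 4


def sample_pem():
    """Wrap the placeholder bytes in PEM armour with CRLF line endings, as an export might."""
    body = base64.encodebytes(SAMPLE_DER).decode("ascii").replace("\n", "\r\n")
    return ("-----BEGIN CERTIFICATE-----\r\n" + body
            + "-----END CERTIFICATE-----\r\n")


if __name__ == "__main__":
    pem = sample_pem()
    for der in pem_to_der_list(pem):
        print("attached cert fingerprint:", sha1_fingerprint(der))
    print(check_attachment(pem))  # both False: the placeholder is not a listed root
```

To use it against a real attachment, read the downloaded PEM file into `check_attachment`; a `False` for a friendly name means the attached bytes do not hash to the fingerprint stated in the request, which is exactly the mismatch step 1 is meant to catch before a test build is made.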
(Reporter)

Comment 1

7 years ago
Created attachment 442127 [details]
Global Chambersign Root - 2008
(Reporter)

Updated

7 years ago
Blocks: 562399
(Reporter)

Comment 2

7 years ago
Ramiro, Please see step #1 above.

Comment 3

7 years ago
Kathleen,
I have confirmed the above information. Do you need anything else?

Regards
(Reporter)

Comment 4

7 years ago
Thanks for confirming that the data in this bug is correct.

Root inclusions are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.

At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.
(Assignee)

Updated

7 years ago
Depends on: 582575
(Reporter)

Comment 5

7 years ago
Ramiro, both of the test websites listed above are currently failing for me with error: sec_error_ocsp_invalid_signing_cert

Please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP
and resolve this ASAP.
Please also add testing of your OCSP service using the Firefox browser with OCSP enforced to your standard testing procedures from now on so that it doesn't break again in the future.
(Reporter)

Updated

7 years ago
Depends on: 582531
(Assignee)

Updated

7 years ago
No longer depends on: 582575

Comment 6

7 years ago
Hi Kathleen

our problem with the test sites is that the certificates are expired, so we have to renew certificates, sorry for that.

We will fix the problem as soon as possible; we are in the holiday period so we may take more time than usual.

Regards

Comment 7

7 years ago
It might be also beneficial to understand how you came into the position to reuse serial numbers as per your own accounts in bug 582531.

Comment 8

7 years ago
It was just an error in the certification process.
We used to issue sub-CA certificates in a manual ceremony and a wrong configuration file was used.

This CA does not issue end-user certificates anymore.

We will replace valid end user certificates.
(Reporter)

Comment 9

7 years ago
As per https://bugzilla.mozilla.org/show_bug.cgi?id=582531#c8 Camerfirma has made procedural changes to ensure that they don't make the mistake of reusing serial numbers again when issuing intermediate CAs.
(Reporter)

Comment 10

7 years ago
The new test websites for these roots are as follows. Note that these websites are currently on servers that are used by Camerfirma developers for testing purposes, so it is possible that at times these may be temporarily offline.

--  Chambers of Commerce Root – 2008 --

https://server1.camerfirma.com:8081    
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2:
(This is the OID for OV certs)

https://www.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2
(This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP enforced. 
The SSL certs for both of these sites chain up to the intermediate CA “Camerfirma Corporate Server – 2009”.
The AIA for both the end-entity certs and the intermediate cert has
OCSP: URI: http://ocsp.camerfirma.com

Note: The CA hierarchy for “Chambers of Commerce Root – 2008” is a little different than I described in 
https://bugzilla.mozilla.org/show_bug.cgi?id=406968#c92.
Express Corporate Server and Corporate Server EV were in the old hierarchy. In the new, 2008, hierarchy the subCA "Corporate Server 2009" issues both OV and EV certificates with different Policy OIDs.

-- Global Chambersign Root – 2008  --

https://server2.camerfirma.com:8082 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2
(This is the OID for OV certs)

https://server3.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2
(This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP enforced.
The SSL certs chain up to “RACER – 2009”, which is signed by “AC Camerfirma – 2009”, which is signed by this root.
The AIA for the end-entity and intermediate certs all have
OCSP: URI: http://ocsp.camerfirma.com
(Assignee)

Updated

6 years ago
Depends on: 613394
(Assignee)

Comment 11

6 years ago
Current test builds (Mozilla experimental) for various platforms can be found
at
http://stage.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-b725b0fd279e/

Please note the builds at the above location will be automatically deleted after
two weeks, so please make copies if you need them.

Please test and confirm that your roots have been added correctly, with the
correct trust flags (use certificate manager, find your cert, click "view" to
see the trust flags).

(Please note, if you have asked for enabling EV, that's not yet done, and will be a separate step.)

Comment 12

I have tested but

https://server3.camerfirma.com and
https://www.camerfirma.com

that should be marked as EV do not show the green mark.
Regards
Ramiro
(Assignee)

Comment 13

6 years ago
Ramiro, please read the last paragraph of comment 11.

Comment 14

OK, sorry for my confusion.

I have updated Minefield this morning and suddenly the roots
Global Chambersign Root - 2008
Chambers of Commerce Root - 2008
have disappeared from the store.

Any problem?

Regards
Ramiro
(Assignee)

Comment 15

6 years ago
I will look into your comment 14 shortly.


So, I've tried to connect to https://www.camerfirma.com/
with the roots enabled.

I get an error message.
I think your server is not configured correctly.
I think you must install the required intermediate certificates on your server.

I found your server certificate points to
http://www.camerfirma.com/certs/camerfirma_cserver-2009

I tried to fetch the intermediate cert from that location,
but unfortunately,
that URL is broken, it gives me a 404 not found error...

Please fix your server cert configuration.
Please fix your cert issue process.
I guess you should not issue certs that point to invalid locations.


Your server at https://server3.camerfirma.com/
works for me.
(Assignee)

Comment 16

6 years ago
(In reply to comment #14)
> I have update minefield this morning and suddenly roots 
> Global Chambersign Root - 2008
> Chambers of Commerce Root - 2008 
> have desapiered from the store

I can't confirm this.

Do you still see it?

Do you see it with "kai's test build"
or with "general minefield nightly"?

Comment 17

Kai

I already fixed the server (intermediate CA) and the link.
It was an error issuing the test certificate: in the AIA the file name extension in the URL is missing. I will issue a new test certificate; meanwhile I have published the file with no extension.

I hope everything is ok now.

Regards
Ramiro
(Assignee)

Comment 18

6 years ago
I made a new testbuild, now it includes the patch to enable roots for EV.

http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/

I've learned that tryserver builds are automatically deleted quickly, after 4 days.
I've mirrored the most important files here:
http://kuix.de/mozilla/tryserver-roots-20101125/
(Assignee)

Comment 19

6 years ago
(In reply to comment #17)
> 
> I already fixed the server (intermediate CA) and the link. 
> It was an error issuing the test certificate in the AIA sice the name file
> extention in the URL is missed. I will issue a new test certificate, meanwhile
> I have published the file with no extention.


I confirm, you have fixed 
https://www.camerfirma.com/

I can connect on initial attempt with a fresh profile.


So, here is my request to you, according with first comment in this bug, section (2):


Ramiro:

Please confirm that your root certificate(s) are correctly added to the NSS root store.
In particular, please make sure that the certificate have the correct trust flags. You can use Firefox preferences / advanced / encryption / certificates / edit-trust to look at the trust flags.


Once you have confirmed, we are ready to add your certs to NSS.


(There is still a problem regarding EV. But we must discuss remaining EV problems in bug 562399, not here).

Comment 20

Sorry again.

I confirm that the root certificates are OK and also the trust flags are OK.

Thank you
(Assignee)

Comment 21

6 years ago
Fixed by bug 613394
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED