Closed Bug 562395 Opened 15 years ago Closed 15 years ago

Add Camerfirma root certificates to NSS

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

References

Details

Attachments

(2 files)

This bug requests inclusion in the NSS root certificate store of the following certificates, owned by Camerfirma.

Friendly name: Chambers of Commerce Root - 2008
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=339325
SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
Trust flags: Websites, Email, Code Signing
Test URL: https://server1.camerfirma.com:8081/

Friendly name: Global Chambersign Root - 2008
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=339324
SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
Trust flags: Websites, Email, Code Signing
Test URL: https://server2.camerfirma.com:8082/

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate approved for inclusion in bug #406968.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
Blocks: 562399
Ramiro, Please see step #1 above.
Kathleen, I have confirmed the above information. Do you need anything else? Regards
Thanks for confirming that the data in this bug is correct. Root inclusions are usually grouped and done as a batch when there is either a large enough set of changes or about every 3 months. At some point in the next 3 months a test build will be provided and this bug will be updated to request that you test it. Since you are cc'd on this bug, you will get notification via email when that happens.
Depends on: 582575
Ramiro, both of the test websites listed above are currently failing for me with error: sec_error_ocsp_invalid_signing_cert Please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP and resolve this ASAP. Please also add testing of your OCSP service using the Firefox browser with OCSP enforced to your standard testing procedures from now on so that it doesn't break again in the future.
Depends on: 582531
No longer depends on: 582575
Hi Kathleen, our problem with the test sites is that the certificates are expired, so we have to renew certificates; sorry for that. We will fix the problem as soon as possible. We are in a holiday period, so it may take more time than usual. Regards
It might also be beneficial to understand how you came into the position to reuse serial numbers, as per your own account in bug 582531.
It was just an error in the certification process. We used to issue sub-CA certificates in a manual ceremony, and a wrong configuration file was used. This CA does not issue end-user certificates anymore. We will replace valid end-user certificates.
As per https://bugzilla.mozilla.org/show_bug.cgi?id=582531#c8 Camerfirma has made procedural changes to ensure that they don't make the mistake of reusing serial numbers again when issuing intermediate CAs.
The new test websites for these roots are as follows. Note that these websites are currently on servers that are used by Camerfirma developers for testing purposes, so it is possible that at times these may be temporarily offline.

-- Chambers of Commerce Root – 2008 --

https://server1.camerfirma.com:8081
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2 (This is the OID for OV certs)

https://www.camerfirma.com
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2 (This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP enforced. The SSL certs for both of these sites chain up to the intermediate CA “Camerfirma Corporate Server – 2009”. The AIA for both the end-entity certs and the intermediate cert has OCSP: URI: http://ocsp.camerfirma.com

Note: The CA hierarchy for “Chambers of Commerce Root – 2008” is a little different than I described in https://bugzilla.mozilla.org/show_bug.cgi?id=406968#c92. Express Corporate Server and Corporate Server EV were in the old hierarchy. In the new, 2008, hierarchy the subCA "Corporate Server 2009" issues both OV and EV certificates with different Policy OIDs.

-- Global Chambersign Root – 2008 --

https://server2.camerfirma.com:8082
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2 (This is the OID for OV certs)

https://server3.camerfirma.com
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2 (This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP enforced. The SSL certs chain up to “RACER – 2009”, which is signed by “AC Camerfirma – 2009”, which is signed by this root. The AIA for the end-entity and intermediate certs all have OCSP: URI: http://ocsp.camerfirma.com
Depends on: 613394
Current test builds (Mozilla experimental) for various platforms can be found at http://stage.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-b725b0fd279e/ Please note the builds at above location will be automatically deleted after two weeks, so please make copies if you need them. Please test and confirm that your roots have been added correctly, with the correct trust flags (use certificate manager, find your cert, click "view" to see the trust flags). (Please note, if you have asked for enabling EV, that's not yet done, and will be a separate step.)
I have tested, but https://server3.camerfirma.com and https://www.camerfirma.com, which should be marked as EV, do not show the green mark. Regards Ramiro
Ramiro, please read the last paragraph of comment 11.
OK, sorry for my confusion. I updated Minefield this morning and suddenly the roots Global Chambersign Root - 2008 and Chambers of Commerce Root - 2008 have disappeared from the store. Any problem? Regards Ramiro
I will look into your comment 14 shortly.

So, I've tried to connect to https://www.camerfirma.com/ with the roots enabled. I get an error message. I think your server is not configured correctly. I think you must install the required intermediate certificates on your server.

I found your server certificate points to http://www.camerfirma.com/certs/camerfirma_cserver-2009
I tried to fetch the intermediate cert from that location, but unfortunately, that URL is broken, it gives me a 404 not found error...

Please fix your server cert configuration. Please fix your cert issue process. I guess you should not issue certs that point to invalid locations.

Your server at https://server3.camerfirma.com/ works for me.
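The two things the reviewers in this thread checked by hand on the end-entity certificates are the certificatePolicies OIDs (OV versus EV, comment listing the test sites above) and the Authority Information Access URIs (the OCSP responder, and the caIssuers URL that returned a 404 in the comment above). The following is an added example and not code from this bug, from Camerfirma or from Mozilla: a stdlib-only DER walker that pulls both out of the raw extension values (the extnValue octets of the AIA extension 1.3.6.1.5.5.7.1.1 and of certificatePolicies 2.5.29.32). The sample extension bytes are constructed inside the block with a small DER encoder, using the OIDs and URLs quoted in the thread; they are not bytes taken from a real Camerfirma certificate, and the function and constant names are this example's own.

```python
# Added example, not code from the bug, Camerfirma or Mozilla. Stdlib only.
# Extracts AIA access URIs and certificatePolicies OIDs from DER extension
# values and runs the checks the reviewers did by hand (OCSP URI present,
# caIssuers URI present, EV policy OID present in the leaf).
from typing import Iterator, List, Tuple

OID_AIA_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_AIA_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GN_URI = 0x86  # GeneralName [6] uniformResourceIdentifier (implicit IA5String)

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with short or long definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + payload

def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV at data[pos:]; returns (tag, value, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("DER length runs past end of input")
    return tag, data[pos:pos + length], pos + length

def children(seq_value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Iterate the TLVs packed inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = read_tlv(seq_value, pos)
        yield tag, value

def encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed as 40*a+b)."""
    arcs = [int(a) for a in oid.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for s in subids:  # base-128, high bit set on all but the last octet
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out += bytes(reversed(chunk))
    return der(TAG_OID, bytes(out))

def decode_oid(value: bytes) -> str:
    """DER OBJECT IDENTIFIER value (without tag/length) -> dotted form."""
    if value and value[-1] & 0x80:
        raise ValueError("truncated OID: continuation bit set on last octet")
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    head = [subids[0] // 40, subids[0] % 40] if subids[0] < 80 else [2, subids[0] - 80]
    return ".".join(str(a) for a in head + subids[1:])

def parse_aia(ext_value: bytes) -> List[Tuple[str, str]]:
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    Returns (accessMethod, URI) pairs; non-URI GeneralNames are skipped."""
    tag, body, _ = read_tlv(ext_value)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    out = []
    for tag, ad in children(body):
        if tag != TAG_SEQUENCE:
            continue
        (_, method), (loc_tag, loc) = list(children(ad))[:2]
        if loc_tag == TAG_GN_URI:
            out.append((decode_oid(method), loc.decode("ascii")))
    return out

def parse_policies(ext_value: bytes) -> List[str]:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }"""
    tag, body, _ = read_tlv(ext_value)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies value is not a SEQUENCE")
    out = []
    for tag, info in children(body):
        if tag == TAG_SEQUENCE:
            oid_tag, oid = next(children(info))
            if oid_tag == TAG_OID:
                out.append(decode_oid(oid))
    return out

def review(aia_ext: bytes, policies_ext: bytes, ev_oid: str) -> dict:
    """The thread's checks: OCSP URI, caIssuers URI, and EV OID in the leaf."""
    aia = parse_aia(aia_ext)
    policies = parse_policies(policies_ext)
    return {
        "ocsp": [u for m, u in aia if m == OID_AIA_OCSP],
        "ca_issuers": [u for m, u in aia if m == OID_AIA_CA_ISSUERS],
        "policies": policies,
        "ev": ev_oid in policies,
    }

# Constructed sample values (built here, not extracted from a real certificate).
CAMERFIRMA_EV_OID = "1.3.6.1.4.1.17326.10.14.2.1.2"  # EV policy OID quoted in the thread
SAMPLE_AIA = der(TAG_SEQUENCE,
    der(TAG_SEQUENCE, encode_oid(OID_AIA_OCSP) + der(TAG_GN_URI, b"http://ocsp.camerfirma.com"))
    + der(TAG_SEQUENCE, encode_oid(OID_AIA_CA_ISSUERS)
          + der(TAG_GN_URI, b"http://www.camerfirma.com/certs/camerfirma_cserver-2009")))
SAMPLE_POLICIES = der(TAG_SEQUENCE, der(TAG_SEQUENCE, encode_oid(CAMERFIRMA_EV_OID)))

if __name__ == "__main__":
    print(review(SAMPLE_AIA, SAMPLE_POLICIES, CAMERFIRMA_EV_OID))
```

Against a real certificate, feed `review()` the extnValue octets of the two extensions; whether the caIssuers URL it returns actually serves the intermediate (the 404 in the comment above) is a separate, online check, as is whether the OCSP responder signs with a certificate the client accepts (the sec_error_ocsp_invalid_signing_cert failure earlier in the bug).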
(In reply to comment #14)
> I updated Minefield this morning and suddenly the roots
> Global Chambersign Root - 2008
> Chambers of Commerce Root - 2008
> have disappeared from the store

I can't confirm this. Do you still see it? Do you see it with "kai's test build" or with "general minefield nightly"?
Kai, I already fixed the server (intermediate CA) and the link. It was an error issuing the test certificate: in the AIA, the file name extension in the URL is missing. I will issue a new test certificate; meanwhile I have published the file with no extension. I hope everything is OK now. Regards Ramiro
I made a new testbuild, now it includes the patch to enable roots for EV. http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/ I've learned that tryserver builds are automatically deleted quickly, after 4 days. I've mirrored the most important files here: http://kuix.de/mozilla/tryserver-roots-20101125/
(In reply to comment #17)
> I already fixed the server (intermediate CA) and the link.
> It was an error issuing the test certificate: in the AIA, the file name
> extension in the URL is missing. I will issue a new test certificate; meanwhile
> I have published the file with no extension.

I confirm, you have fixed https://www.camerfirma.com/
I can connect on initial attempt with a fresh profile.

So, here is my request to you, according with first comment in this bug, section (2):

Ramiro: Please confirm that your root certificate(s) are correctly added to the NSS root store. In particular, please make sure that the certificates have the correct trust flags. You can use Firefox preferences / advanced / encryption / certificates / edit-trust to look at the trust flags.

Once you have confirmed, we are ready to add your certs to NSS.

(There is still a problem regarding EV. But we must discuss remaining EV problems in bug 562399, not here).
Sorry again. I confirm that the root certificates are OK and also the trust flags are OK. Thank you
Fixed by bug 613394
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED