Bug 562395 - Add Camerfirma root certificates to NSS
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: CA Certificates
Version: trunk
Platform: All All
Importance: -- enhancement
Target Milestone: ---
Assigned To: Kai Engert (:kaie)
Depends on: 582531 613394
Blocks: 406968 562399
Reported: 2010-04-28 11:23 PDT by Kathleen Wilson
Modified: 2010-12-02 15:29 PST

Attachments
Chambers of Commerce Root - 2008 (1.83 KB, application/octet-stream)
2010-04-28 11:23 PDT, Kathleen Wilson
no flags Details
Global Chambersign Root - 2008 (1.83 KB, application/octet-stream)
2010-04-28 11:24 PDT, Kathleen Wilson
no flags Details

Description Kathleen Wilson 2010-04-28 11:23:31 PDT
Created attachment 442126 [details]
Chambers of Commerce Root - 2008

This bug requests inclusion in the NSS root certificate store of the following
certificates, owned by Camerfirma.

Friendly name: Chambers of Commerce Root - 2008
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=339325
SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
Trust flags: Websites, Email, Code Signing
Test URL: https://server1.camerfirma.com:8081/

Friendly name: Global Chambersign Root - 2008
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=339324
SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
Trust flags: Websites, Email, Code Signing
Test URL: https://server2.camerfirma.com:8082/

This CA has been assessed in accordance with the Mozilla project guidelines,
and the certificate approved for inclusion in bug #406968.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is
correct, and that the correct certificate(s) have been attached. They must also
specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new
certificate(s), and attaches nssckbi.dll to this bug. A representative of the
CA must download this, drop it into a copy of Firefox and/or Thunderbird on the
OS in question and confirm (by adding a comment here) that the certificate(s)
have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and
marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate. This process is mostly under the
control of the release drivers for those products.
Comment 1 Kathleen Wilson 2010-04-28 11:24:57 PDT
Created attachment 442127 [details]
Global Chambersign Root - 2008
Comment 2 Kathleen Wilson 2010-04-28 11:41:33 PDT
Ramiro, Please see step #1 above.
Comment 3 Ramiro Muñoz Muñoz 2010-04-29 04:16:02 PDT
Kathleen,
I have confirmed the above information. Do you need anything else?

Regards
Comment 4 Kathleen Wilson 2010-04-29 13:35:24 PDT
Thanks for confirming that the data in this bug is correct.

Root inclusions are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.

At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.
Comment 5 Kathleen Wilson 2010-07-28 13:42:18 PDT
Ramiro, both of the test websites listed above are currently failing for me with error: sec_error_ocsp_invalid_signing_cert

Please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP
and resolve this ASAP.
Please also add testing of your OCSP service using the Firefox browser with OCSP enforced to your standard testing procedures from now on so that it doesn't break again in the future.
Comment 6 Ramiro Muñoz Muñoz 2010-07-29 03:52:54 PDT
Hi Kathleen,

Our problem with the test sites is that the certificates are expired, so we have to renew the certificates; sorry for that.

We will fix the problem as soon as possible; we are in the holiday period, so it may take more time than usual.

Regards
Comment 7 Eddy Nigg (StartCom) 2010-07-29 11:18:20 PDT
It might be also beneficial to understand how you came into the position to reuse serial numbers as per your own accounts in bug 582531.
Comment 8 Ramiro Muñoz Muñoz 2010-07-29 11:41:07 PDT
It was just an error in the certification process.
We usually issue sub-CA certificates in a manual ceremony, and a wrong configuration file was used.

This CA does not issue end-user certificates anymore.

We will replace valid end-user certificates.
Comment 9 Kathleen Wilson 2010-09-20 11:13:27 PDT
As per https://bugzilla.mozilla.org/show_bug.cgi?id=582531#c8 Camerfirma has made procedural changes to ensure that they don't make the mistake of reusing serial numbers again when issuing intermediate CAs.
Comment 10 Kathleen Wilson 2010-11-04 13:37:37 PDT
The new test websites for these roots are as follows. Note that these websites are currently on servers that are used by Camerfirma developers for testing purposes, so it is possible that at times these may be temporarily offline.

--  Chambers of Commerce Root – 2008 --

https://server1.camerfirma.com:8081
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2
(This is the OID for OV certs)

https://www.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2
(This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP enforced.
The SSL certs for both of these sites chain up to the intermediate CA “Camerfirma Corporate Server – 2009”.
The AIA for both the end-entity certs and the intermediate cert has
OCSP: URI: http://ocsp.camerfirma.com

Note: The CA hierarchy for “Chambers of Commerce Root – 2008” is a little different than I described in
https://bugzilla.mozilla.org/show_bug.cgi?id=406968#c92.
Express Corporate Server and Corporate Server EV were in the old hierarchy. In the new, 2008, hierarchy the subCA "Corporate Server 2009" issues both OV and EV certificates with different Policy OIDs.

-- Global Chambersign Root – 2008  --

https://server2.camerfirma.com:8082 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2
(This is the OID for OV certs)

https://server3.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2
(This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP enforced.
The SSL certs chain up to “RACER – 2009”, which is signed by “AC Camerfirma – 2009”, which is signed by this root.
The AIA for the end-entity and intermediate certs all have
OCSP: URI: http://ocsp.camerfirma.com
Comment 11 Kai Engert (:kaie) 2010-11-19 10:59:33 PST
Current test builds (Mozilla experimental) for various platforms can be found
at
http://stage.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-b725b0fd279e/

Please note the builds at above location will be automatically deleted after
two weeks, so please make copies if you need them.

Please test and confirm that your roots have been added correctly, with the
correct trust flags (use certificate manager, find your cert, click "view" to
see the trust flags).

(Please note, if you have asked for enabling EV, that's not yet done, and will be a separate step.)
Comment 12 Ramiro Muñoz Muñoz 2010-11-20 03:56:02 PST
I have tested, but

https://server3.camerfirma.com and
https://www.camerfirma.com

which should be marked as EV, do not show the green mark.
Regards
Ramiro
Comment 13 Kai Engert (:kaie) 2010-11-20 04:07:38 PST
Ramiro, please read the last paragraph of comment 11.
Comment 14 Ramiro Muñoz Muñoz 2010-11-22 02:00:31 PST
OK, sorry for my confusion.

I updated Minefield this morning and suddenly the roots
Global Chambersign Root - 2008
Chambers of Commerce Root - 2008
have disappeared from the store.

Any problem?

Regards
Ramiro
Comment 15 Kai Engert (:kaie) 2010-11-25 13:02:41 PST
I will look into your comment 14 shortly.


So, I've tried to connect to https://www.camerfirma.com/
with the roots enabled.

I get an error message.
I think your server is not configured correctly.
I think you must install the required intermediate certificates on your server.

I found your server certificate points to
http://www.camerfirma.com/certs/camerfirma_cserver-2009

I tried to fetch the intermediate cert from that location,
but unfortunately,
that URL is broken, it gives me a 404 not found error...

Please fix your server cert configuration.
Please fix your cert issue process.
I guess you should not issue certs that point to invalid locations.


Your server at https://server3.camerfirma.com/
works for me.
Comment 16 Kai Engert (:kaie) 2010-11-25 13:28:34 PST
(In reply to comment #14)
> I updated Minefield this morning and suddenly the roots
> Global Chambersign Root - 2008
> Chambers of Commerce Root - 2008
> have disappeared from the store.

I can't confirm this.

Do you still see it?

Do you see it with "kai's test build"
or with "general minefield nightly"?
Comment 17 Ramiro Muñoz Muñoz 2010-11-26 01:47:04 PST
Kai,

I already fixed the server (intermediate CA) and the link.
It was an error issuing the test certificate: in the AIA the file name extension in the URL is missing. I will issue a new test certificate; meanwhile I have published the file with no extension.

I hope everything is ok now.

Regards
Ramiro
Comment 18 Kai Engert (:kaie) 2010-11-26 02:12:11 PST
I made a new testbuild, now it includes the patch to enable roots for EV.

http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/

I've learned that tryserver builds are automatically deleted quickly, after 4 days.
I've mirrored the most important files here:
http://kuix.de/mozilla/tryserver-roots-20101125/
Comment 19 Kai Engert (:kaie) 2010-11-26 02:29:35 PST
(In reply to comment #17)
>
> I already fixed the server (intermediate CA) and the link.
> It was an error issuing the test certificate: in the AIA the file name
> extension in the URL is missing. I will issue a new test certificate; meanwhile
> I have published the file with no extension.


I confirm, you have fixed 
https://www.camerfirma.com/

I can connect on initial attempt with a fresh profile.


So, here is my request to you, according to the first comment in this bug, section (2):


Ramiro:

Please confirm that your root certificate(s) are correctly added to the NSS root store.
In particular, please make sure that the certificates have the correct trust flags. You can use Firefox preferences / advanced / encryption / certificates / edit-trust to look at the trust flags.


Once you have confirmed, we are ready to add your certs to NSS.


(There is still a problem regarding EV. But we must discuss remaining EV problems in bug 562399, not here).
Comment 20 Ramiro Muñoz Muñoz 2010-11-26 03:12:26 PST
Sorry again.

I confirm that the root certificates are OK and also the trust flags are OK.

Thank you
Comment 21 Kai Engert (:kaie) 2010-12-02 15:29:06 PST
Fixed by bug 613394