Closed Bug 593067 Opened 11 years ago Closed 10 years ago
Enable TC Trust
Center Universal CA III root certificate for EV in PSM
Per bug #436467 the request from TC TrustCenter has been approved to enable its "TC TrustCenter Universal CA III" root certificate for EV use. Please make the corresponding changes to PSM. The relevant information is as follows. Friendly name: TC TrustCenter Universal CA III SHA1 Fingerprint: 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87 EV policy OID: 1.2.2188.8.131.52.1.1.4 Test URL: https://testserver.universal-iii.trustcenter.de
Rolf, Please confirm that the above information is correct.
Confirmed - the information above is correct.
Rolf, can you please check that all intermediate certificates are installed correctly on your test site? I think they are missing.
I've manually installed the intermediate cert from http://www.trustcenter.de/certservices/cacerts/tc_class3_L1_CA_IX.crt I get a valid "domain validated" connection, but not a "EV validated" connection. In the past this commonly meant there were OCSP server problems. Are you sure your OCSP server is ready for testing?
You've requested OID 1.2.2184.108.40.206.1.1.4 but the cert at the test site uses OID 1.2.2220.127.116.11.1.1.3 Rolf ?
More problems. In addition to the EV OID mismatch, I found another mistake. This bug requests to enable "CA III" for EV, but the cert at your test site chains to "CA I".
You are right. Obviuously the configuration of https://testserver.universal-iii.trustcenter.de is incorrect. We are working on that.
I made a new testbuild, now it includes the patch to enable roots for EV. http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e http://email@example.com/ I've learned that tryserver builds are automatically deleted quickly, after 4 days. I've mirrored the most important files here: http://kuix.de/mozilla/tryserver-roots-20101125/
We have corrected the configuration of https://testserver.universal-iii.trustcenter.de Please go ahead with testing.
The server does not send intermediate CA certs.
(In reply to comment #10) > The server does not send intermediate CA certs. Looks like I'm wrong. I was confused by some other failure.
I have a positive test result with your site, I get the green EV identity indicator. Rolf, please try a test build from comment 8 and confirm that you are satisfied with the results.
We've checked that build (see comment 8) with https://testserver.universal-iii.trustcenter.de the EV indication looks good. However, when looking into the root certificate store (Tools | Options | Advanced | View Certificate | Authorities) the TC Universal III Root has been verified for the following uses "SSL Certificate Authority" whereas the TC Universal I Root has been enabled for the following uses "Email signer Certificate", "SSL Certificate Authority" and "Status Responder Certificate". The trust settings are identical. What's the reason for that? Note: TC TrustCenter Class 2 CA is also verified for SSL Certificate Authority only, but has the same KeyUsage extension as TC Universal III.
(In reply to comment #13) > > What's the reason for that? I haven't attempted to debug, but I used certificate viewer to compare properties. "Root 1" includes cert key usage "Signing", but "Root 3" does not. This might explain it?
I don't think so, because TC TrustCenter Class 2 CA also has this KeyUsage but is only verified for SSL Certificate Authority. Correction: TC TrustCenter Class 2 CA is also verified for SSL Certificate Authority only, but has the same KeyUsage extension as TC Universal I (not TC Universal III as I stated above). Critical: Signing, Certificate Signer, CRL Signer.
Sorry, finding the response for your answer will require that an expert traces the internals of NSS. If you are worried and think this is an issue, you must wait until we get to it (no schedule) (or you could hire someone to do it for us sooner). You have the option to get your roots added anyway, by confirming in bug 593063 and this bug 593067 that you are satisfied with the test build. If not, you'll have to wait.
The issue existed before that and is not limited to the TC Universal III root. No need to wait with the EV root. --> Adding the TC Universal III root was successful for us.
fixed by bug 614852 (for mozilla-central and upcoming ff 4) ff 3.5.x and ff 3.6.x not yet done
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Verified fixed on Firefox 4.0b12pre 20110218. When will this be backported?
Status: RESOLVED → VERIFIED
(In reply to comment #19) > Verified fixed on Firefox 4.0b12pre 20110218. When will this be backported? The backporting is done in bug 614852 (single bug to do work for multiple ca's in a single step)
You need to log in before you can comment on or make changes to this bug.