Bug 593067 - Enable TC TrustCenter Universal CA III root certificate for EV in PSM
Status: Closed (VERIFIED FIXED)
Opened 15 years ago; closed 14 years ago
Product / Component: Core :: Security: PSM (enhancement)
Reporter: kathleen.a.wilson; Assignee: Unassigned
Per bug #436467 the request from TC TrustCenter has been approved to enable
its "TC TrustCenter Universal CA III" root certificate for EV use. Please make the corresponding changes to PSM.
The relevant information is as follows.
Friendly name: TC TrustCenter Universal CA III
SHA1 Fingerprint: 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
EV policy OID: 1.2.276.0.44.1.1.1.4
Test URL: https://testserver.universal-iii.trustcenter.de
Comment 1•15 years ago
Rolf, please confirm that the above information is correct.
Comment 2•15 years ago
Confirmed - the information above is correct.
Comment 3•14 years ago
Rolf, can you please check that all intermediate certificates are installed correctly on your test site?
I think they are missing.
Comment 4•14 years ago
I've manually installed the intermediate cert from
http://www.trustcenter.de/certservices/cacerts/tc_class3_L1_CA_IX.crt
I get a valid "domain validated" connection,
but not an "EV validated" connection.
In the past this commonly meant there were OCSP server problems.
Are you sure your OCSP server is ready for testing?
Comment 5•14 years ago
You've requested OID 1.2.276.0.44.1.1.1.4
but the cert at the test site uses OID 1.2.276.0.44.1.1.1.3
Rolf ?
Comment 6•14 years ago
More problems.
In addition to the EV OID mismatch, I found another mistake.
This bug requests to enable "CA III" for EV,
but the cert at your test site chains to "CA I".
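The two mismatches reported in comments 5 and 6 (the leaf carrying policy OID 1.2.276.0.44.1.1.1.3 instead of the requested .4, and the chain ending at a different root than the one named in the request) are exactly the things a CA should check on its own test server before asking for an EV test. The script below is an added example, not code from this bug or from Mozilla's PSM/NSS; it uses only the Python standard library, with a minimal DER encoder/decoder for OBJECT IDENTIFIER values and the certificatePolicies extension body. The function and constant names are my own, and the "served" policy extension and root bytes are constructed stand-ins, not data captured from testserver.universal-iii.trustcenter.de; the requested OID and SHA1 fingerprint are the ones stated in the bug.

```python
"""Compare an EV-enablement request against what a test server actually serves.

Added example (not from the bug or from PSM/NSS). Standard library only.
"""
import hashlib

# Values from the bug's request (comment 0).
REQUESTED_OID = "1.2.276.0.44.1.1.1.4"
REQUESTED_FP = "96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87"


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    nb = (n.bit_length() + 7) // 8
    return bytes([0x80 | nb]) + n.to_bytes(nb, "big")


def _seq(content: bytes) -> bytes:
    return bytes([0x30]) + _encode_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, first two arcs packed, base-128 subids."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted}")
    body = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))  # most significant group first
    return bytes([0x06]) + _encode_len(len(body)) + bytes(body)


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    subids, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + subids[1:])


def encode_certificate_policies(oids) -> bytes:
    """extnValue of certificatePolicies: SEQUENCE OF PolicyInformation { policyIdentifier }."""
    return _seq(b"".join(_seq(encode_oid(o)) for o in oids))


def policy_oids(extn_value: bytes):
    """Walk a certificatePolicies extnValue and return its policyIdentifier OIDs."""
    tag, outer, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        oid_tag, oid_content, _ = _read_tlv(info, 0)  # policyIdentifier comes first
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_content))
    return oids


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA1, the form Bugzilla requests quote."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def check_ev_request(expected_oid, expected_fp, leaf_policies_der, root_der):
    """Return the problems a tester would report; empty when the chain matches the request."""
    problems = []
    found = policy_oids(leaf_policies_der)
    if expected_oid not in found:
        problems.append(f"EV OID mismatch: requested {expected_oid}, cert has {', '.join(found)}")
    fp = sha1_fingerprint(root_der)
    if fp != expected_fp.upper():
        problems.append(f"root mismatch: requested {expected_fp}, chain ends at {fp}")
    return problems


# Constructed stand-ins for what the misconfigured test server served (comments 5 and 6):
# a leaf asserting the .3 policy, and a root that is not the requested one.
SERVED_POLICIES = encode_certificate_policies(["1.2.276.0.44.1.1.1.3"])
SERVED_ROOT_DER = b"constructed placeholder, not a real TC TrustCenter root"


def example_problems():
    return check_ev_request(REQUESTED_OID, REQUESTED_FP, SERVED_POLICIES, SERVED_ROOT_DER)


if __name__ == "__main__":
    for p in example_problems():
        print(p)
```

In practice the two inputs come from the served chain: the leaf's certificatePolicies extension and the last certificate the server sends (or the locally trusted root it chains to). Checking the policy OID and root fingerprint this way is cheap and would have caught both of the configuration errors above before any browser-side EV test.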
Comment 7•14 years ago
You are right. Obviously the configuration of https://testserver.universal-iii.trustcenter.de is incorrect.
We are working on that.
Comment 8•14 years ago
I made a new testbuild, now it includes the patch to enable roots for EV.
http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/
I've learned that tryserver builds are automatically deleted quickly, after 4 days.
I've mirrored the most important files here:
http://kuix.de/mozilla/tryserver-roots-20101125/
Comment 9•14 years ago
We have corrected the configuration of
https://testserver.universal-iii.trustcenter.de
Please go ahead with testing.
Comment 10•14 years ago
The server does not send intermediate CA certs.
Comment 11•14 years ago
(In reply to comment #10)
> The server does not send intermediate CA certs.
Looks like I'm wrong.
I was confused by some other failure.
Comment 12•14 years ago
I have a positive test result with your site, I get the green EV identity indicator.
Rolf, please try a test build from comment 8 and confirm that you are satisfied with the results.
Comment 13•14 years ago
We've checked that build (see comment 8) with https://testserver.universal-iii.trustcenter.de;
the EV indication looks good.
However, when looking into the root certificate store (Tools | Options | Advanced | View Certificate | Authorities) the TC Universal III Root has been verified for the following uses "SSL Certificate Authority" whereas the TC Universal I Root has been enabled for the following uses "Email signer Certificate", "SSL Certificate Authority" and "Status Responder Certificate".
The trust settings are identical.
What's the reason for that?
Note: TC TrustCenter Class 2 CA is also verified for SSL Certificate Authority only, but has the same KeyUsage extension as TC Universal III.
Comment 14•14 years ago
(In reply to comment #13)
>
> What's the reason for that?
I haven't attempted to debug, but I used certificate viewer to compare properties.
"Root 1" includes cert key usage "Signing", but "Root 3" does not.
This might explain it?
Comment 15•14 years ago
I don't think so, because TC TrustCenter Class 2 CA also has this KeyUsage but is only verified for SSL Certificate Authority.
Correction: TC TrustCenter Class 2 CA is also verified for SSL Certificate Authority only, but has the same KeyUsage extension as TC Universal I
(not TC Universal III as I stated above).
Critical: Signing, Certificate Signer, CRL Signer.
Comment 16•14 years ago
Sorry, finding the response for your answer will require that an expert traces the internals of NSS.
If you are worried and think this is an issue, you must wait until we get to it (no schedule) (or you could hire someone to do it for us sooner).
You have the option to get your roots added anyway, by confirming in bug 593063 and this bug 593067 that you are satisfied with the test build.
If not, you'll have to wait.
Comment 17•14 years ago
The issue existed before that and is not limited to the TC Universal III root.
No need to wait with the EV root.
-->
Adding the TC Universal III root was successful for us.
Comment 18•14 years ago
fixed by bug 614852 (for mozilla-central and upcoming ff 4)
ff 3.5.x and ff 3.6.x not yet done
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 19•14 years ago
Verified fixed on Firefox 4.0b12pre 20110218. When will this be backported?
Status: RESOLVED → VERIFIED
Comment 20•14 years ago
(In reply to comment #19)
> Verified fixed on Firefox 4.0b12pre 20110218. When will this be backported?
The backporting is done in bug 614852
(single bug to do work for multiple ca's in a single step)