Enable TC TrustCenter Universal CA III root certificate for EV in PSM

Status: VERIFIED FIXED
Severity: enhancement
Reported: 8 years ago
Modified: 8 years ago
Reporter: kwilson
Assignee: Unassigned
Firefox Tracking Flags: (Not tracked)

Description (Reporter)

8 years ago
Per bug #436467 the request from TC TrustCenter has been approved to enable
its "TC TrustCenter Universal CA III" root certificate for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows.

Friendly name: TC TrustCenter Universal CA III

SHA1 Fingerprint: 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87

EV policy OID: 1.2.276.0.44.1.1.1.4

Test URL: https://testserver.universal-iii.trustcenter.de

Comment 1 (Reporter)

8 years ago
Rolf, Please confirm that the above information is correct.

Comment 2

8 years ago
Confirmed - the information above is correct.

Updated

8 years ago
Depends on: 614852

Comment 3

8 years ago
Rolf, can you please check that all intermediate certificates are installed correctly on your test site?

I think they are missing.

Comment 4

8 years ago
I've manually installed the intermediate cert from
http://www.trustcenter.de/certservices/cacerts/tc_class3_L1_CA_IX.crt

I get a valid "domain validated" connection,
but not a "EV validated" connection.

In the past this commonly meant there were OCSP server problems.
Are you sure your OCSP server is ready for testing?

Comment 5

8 years ago
You've requested OID 1.2.276.0.44.1.1.1.4

but the cert at the test site uses OID 1.2.276.0.44.1.1.1.3

Rolf ?

Comment 6

8 years ago
More problems.
In addition to the EV OID mismatch, I found another mistake.

This bug requests to enable "CA III" for EV,
but the cert at your test site chains to "CA I".

Comment 7

8 years ago
You are right. Obviously the configuration of https://testserver.universal-iii.trustcenter.de is incorrect.
We are working on that.

Comment 8

8 years ago
I made a new testbuild, now it includes the patch to enable roots for EV.

http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/

I've learned that tryserver builds are automatically deleted quickly, after 4 days.
I've mirrored the most important files here:
http://kuix.de/mozilla/tryserver-roots-20101125/

Comment 9

8 years ago
We have corrected the configuration of 
https://testserver.universal-iii.trustcenter.de

Please go ahead with testing.

Comment 10

8 years ago
The server does not send intermediate CA certs.

Comment 11

8 years ago
(In reply to comment #10)
> The server does not send intermediate CA certs.

Looks like I'm wrong.
I was confused by some other failure.

Comment 12

8 years ago
I have a positive test result with your site, I get the green EV identity indicator.

Rolf, please try a test build from comment 8 and confirm that you are satisfied with the results.

Comment 13

8 years ago
We've checked that build (see comment 8) with https://testserver.universal-iii.trustcenter.de

the EV indication looks good.

However, when looking into the root certificate store (Tools | Options | Advanced | View Certificate | Authorities) the TC Universal III Root has been verified for the following uses "SSL Certificate Authority" whereas the TC Universal I Root has been enabled for the following uses "Email signer Certificate", "SSL Certificate Authority" and "Status Responder Certificate".
The trust settings are identical. 

What's the reason for that?

Note: TC TrustCenter Class 2 CA is also verified for SSL Certificate Authority only, but has the same KeyUsage extension as TC Universal III.

Comment 14

8 years ago
(In reply to comment #13)
> 
> What's the reason for that?

I haven't attempted to debug, but I used certificate viewer to compare properties.

"Root 1" includes cert key usage "Signing", but "Root 3" does not.
This might explain it?

Comment 15

8 years ago
I don't think so, because TC TrustCenter Class 2 CA also has this KeyUsage but is only verified for SSL Certificate Authority.

Correction: TC TrustCenter Class 2 CA is also verified for SSL Certificate Authority only, but has the same KeyUsage extension as TC Universal I
(not TC Universal III as I stated above).
Critical: Signing, Certificate Signer, CRL Signer.
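
Comments 5 and 6 and comments 13 to 15 above come down to three checks a reviewer did by hand in the certificate viewer: the policy OID in the leaf's certificatePolicies extension against the approved EV OID, the SHA1 fingerprint of the root the chain actually ends at, and the keyUsage bits of that root. The following is an added example, not code from this bug, from NSS or from PSM: a minimal DER walker that performs those three checks. It runs over a constructed Extensions SEQUENCE (sample data, not a real TC TrustCenter certificate) so it works offline; the function names, the sample bytes and the 0x86 key-usage byte are assumptions chosen to reproduce the ...1.3 versus ...1.4 mismatch from comment 5 and the "Signing, Certificate Signer, CRL Signer" usage from comment 15.

```python
import hashlib

# Values stated in the bug: the approved EV policy OID and the root's SHA1 fingerprint.
EV_OID_REQUESTED = "1.2.276.0.44.1.1.1.4"
ROOT_SHA1_EXPECTED = "96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87"
OID_KEY_USAGE = "2.5.29.15"
OID_CERT_POLICIES = "2.5.29.32"
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body


def der_children(tlv):
    """Yield (tag, value) for every TLV found back to back in a DER byte string."""
    i = 0
    while i < len(tlv):
        tag, n, i = tlv[i], tlv[i + 1], i + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(tlv[i:i + k], "big"), i + k
        yield tag, tlv[i:i + n]
        i += n


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    """DER OBJECT IDENTIFIER body -> dotted string (first subidentifier assumed < 128)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def extensions(extensions_der):
    """Yield (extnID, critical, extnValue bytes) for each Extension in an Extensions SEQUENCE."""
    _, body = next(der_children(extensions_der))
    for _, ext in der_children(body):
        fields = list(der_children(ext))               # OID, optional BOOLEAN, OCTET STRING
        critical = len(fields) == 3 and fields[1][1] != b"\x00"
        yield decode_oid(fields[0][1]), critical, fields[-1][1]


def policy_oids(extensions_der):
    """Policy OIDs asserted by certificatePolicies; [] if the extension is absent."""
    for oid, _, value in extensions(extensions_der):
        if oid == OID_CERT_POLICIES:
            _, seq_of = next(der_children(value))      # SEQUENCE OF PolicyInformation
            return [decode_oid(next(der_children(info))[1]) for _, info in der_children(seq_of)]
    return []


def key_usage(extensions_der):
    """(critical, [bit names]) from keyUsage, or None if the extension is absent."""
    for oid, critical, value in extensions(extensions_der):
        if oid == OID_KEY_USAGE:
            _, bits = next(der_children(value))        # BIT STRING: unused-bit count, then bits
            nbits = (len(bits) - 1) * 8 - bits[0]
            names = [KEY_USAGE_BITS[i] for i in range(min(nbits, 9))
                     if bits[1 + i // 8] >> (7 - i % 8) & 1]
            return critical, names
    return None


def sha1_fingerprint(cert_der):
    """SHA1 over the whole DER certificate, formatted like the Firefox certificate viewer."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert_der).digest())


def ev_check(leaf_extensions_der, root_der, requested_oid=EV_OID_REQUESTED,
             expected_root_sha1=ROOT_SHA1_EXPECTED):
    """The two chain checks from comments 5 and 6: approved EV OID present, approved root reached."""
    found = policy_oids(leaf_extensions_der)
    return {"ev_oid_present": requested_oid in found, "policy_oids": found,
            "root_matches": sha1_fingerprint(root_der) == expected_root_sha1}


def build_extensions(policy_oid, key_usage_byte=0x86):
    """Constructed sample Extensions SEQUENCE (not a real TrustCenter certificate):
    a critical keyUsage plus certificatePolicies carrying one policy OID.
    0x86 sets digitalSignature, keyCertSign and cRLSign, the usage quoted in comment 15."""
    ku = der_tlv(0x30, encode_oid(OID_KEY_USAGE) + der_tlv(0x01, b"\xff")
                 + der_tlv(0x04, der_tlv(0x03, bytes([1, key_usage_byte]))))
    cp = der_tlv(0x30, encode_oid(OID_CERT_POLICIES)
                 + der_tlv(0x04, der_tlv(0x30, der_tlv(0x30, encode_oid(policy_oid)))))
    return der_tlv(0x30, ku + cp)


if __name__ == "__main__":
    # Reproduce comment 5: the test site asserted ...1.3 while ...1.4 was requested.
    mismatched = build_extensions("1.2.276.0.44.1.1.1.3")
    print(ev_check(mismatched, b"constructed stand-in, not the real root DER"))
    print(key_usage(mismatched))
```

To run this against the real test site you would feed it the DER of the leaf's Extensions SEQUENCE and the DER of the last certificate in the served chain; the fingerprint is computed over the complete DER certificate, which is the value the Firefox certificate viewer shows, so a chain that ends at "CA I" fails the root check even when the policy OID is right.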

Comment 16

8 years ago
Sorry, finding the answer to your question will require that an expert traces the internals of NSS.

If you are worried and think this is an issue, you must wait until we get to it (no schedule) (or you could hire someone to do it for us sooner).

You have the option to get your roots added anyway, by confirming in bug 593063 and this bug 593067 that you are satisfied with the test build.

If not, you'll have to wait.

Comment 17

8 years ago
The issue existed before that and is not limited to the TC Universal III root.
No need to wait with the EV root.

-->
Adding the TC Universal III root was successful for us.

Comment 18

8 years ago
fixed by bug 614852 (for mozilla-central and upcoming ff 4)

ff 3.5.x and ff 3.6.x not yet done
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Comment 19

Verified fixed on Firefox 4.0b12pre 20110218. When will this be backported?
Status: RESOLVED → VERIFIED

Comment 20

8 years ago
(In reply to comment #19)
> Verified fixed on Firefox 4.0b12pre 20110218.  When will this be backported?

The backporting is done in bug 614852
(single bug to do work for multiple ca's in a single step)