Closed Bug 661681 Opened 13 years ago Closed 12 years ago

Enable A-Trust-nQual-03 root certificate for EV in PSM

Categories: Core :: Security: PSM, enhancement (normal)
Status: RESOLVED FIXED
Target Milestone: mozilla11
People: Reporter: kwilson, Assigned: KaiE
Attachments: 1 file
Per bug #530797 the request from A-Trust has been approved to enable its A-Trust-nQual-03 root certificate for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows.

Friendly name: A-Trust-nQual-03
SHA1 Fingerprint: D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
EV policy OID: 1.2.40.0.17.1.22 
Test URL: https://test1.a-trust.at/

Christoph, please confirm that the above information is correct.

Also, please perform the testing described on the following wiki page, and post
a comment in this bug when the testing has been successfully completed.

https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

The self-signed A-Trust-nQual-03 only issues intermediate CA certificates; the EV end-user certificates are issued by the intermediate CA a-sign-SSL-EV-03.

Friendly name: a-sign-SSL-EV-03
SHA1 Fingerprint: FD:65:2B:F7:C2:3B:F6:91:17:F6:81:7E:95:84:7B:CF:15:51:75:77
EV policy OID: 1.2.40.0.17.1.22 
Test URL: https://test1.a-trust.at/

Since we store the root (not intermediate) cert information in NSS, we also use the root cert information (friendly name) to enable EV in PSM.

Please confirm that the root cert info is as follows.
Friendly name: A-Trust-nQual-03
SHA1 Fingerprint: D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
EV policy OID: 1.2.40.0.17.1.22 
Test URL: https://test1.a-trust.at/

Also, please perform the testing described on the following wiki page, and post
a comment in this bug when the testing has been successfully completed.
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

Subject:
    CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Issuer:
    CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Serial Number: 93214 (0x16c1e)
Issuer DER Base64:
MIGNMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hl
cmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYD
VQQLDBBBLVRydXN0LW5RdWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAz
Serial DER Base64:
AWwe
Fingerprint (MD5):
    49:63:AE:27:F4:D5:95:3D:D8:DB:24:86:B8:9C:07:53
Fingerprint (SHA1):
    D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
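
Added example (not code from the bug, from PSM or from NSS): a standard-library Python script that decodes the two base64 DER fields above, which are the identifiers used to recognise the root in PSM's EV table, and checks that they agree with the printed Subject line and with "Serial Number: 93214 (0x16c1e)". The parser handles single-valued RDNs only, which is all this DN needs; function names are the example's own.

```python
"""Decode the issuer name and serial number posted in this comment using only
the standard library, and render them the way the bug (and NSS) prints them."""
import base64

# Values copied from the comment above.
ISSUER_DER_B64 = (
    "MIGNMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hl"
    "cmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYD"
    "VQQLDBBBLVRydXN0LW5RdWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAz"
)
SERIAL_DER_B64 = "AWwe"

# Attribute types that occur in this DN (RFC 4519 short names).
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Convert OID contents (base-128 arcs, first byte packs two arcs) to dotted text."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der):
    """Turn a DER-encoded X.501 Name into 'CN=...,OU=...,O=...,C=...' form.

    DER stores the RDNs as C, O, OU, CN; the string the bug shows is the
    reverse order, so the list is reversed at the end. Each SET is assumed to
    hold a single AttributeTypeAndValue (true for this DN).
    """
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns = []
    pos = 0
    while pos < len(seq):
        tag, rdn_set, pos = read_tlv(seq, pos)        # SET of AttributeTypeAndValue
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = read_tlv(rdn_set, 0)              # SEQUENCE { type, value }
        tag, oid_raw, after_oid = read_tlv(atv, 0)
        if tag != 0x06:
            raise ValueError("attribute type must be an OID")
        _, value, _ = read_tlv(atv, after_oid)        # PrintableString or UTF8String
        oid = decode_oid(oid_raw)
        rdns.append(f"{ATTR_NAMES.get(oid, oid)}={value.decode('utf-8')}")
    return ",".join(reversed(rdns))


def decode_serial(b64):
    """The serial field holds only the INTEGER contents: big-endian, two's complement."""
    return int.from_bytes(base64.b64decode(b64), "big", signed=True)


def ev_root_identity():
    """Return (issuer_string, serial_int), the pair a chain's root is matched on."""
    return decode_name(base64.b64decode(ISSUER_DER_B64)), decode_serial(SERIAL_DER_B64)


if __name__ == "__main__":
    issuer, serial = ev_root_identity()
    print("Issuer:", issuer)
    print(f"Serial: {serial} (0x{serial:x})")
```

Running it prints the same DN as the Subject/Issuer lines above and the serial 93214 (0x16c1e), which is the cross-check worth doing before a table entry is committed: a mismatch between the base64 fields and the printed values means the wrong certificate was exported.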

I'm running a test build which attempts to enable your cert for EV.
It does not work, I only get the basic DV status.

I would like to ask A-Trust to perform your own testing, see comment 3 for the link to more information.

The information I've given to you in comment 4 should enable you to follow the instructions easily.

A mistake that many CAs run into is an OCSP responder certificate that isn't according to the RFCs.
So, I debugged what's wrong with your environment, and I stopped at the first issue:

Your issuing (intermediate) certificate does not include any policy OID.

It must either list your EV policy OID, or the special "any policy" OID.

We corrected the certificate; the anyPolicy identifier is now included in our intermediate certificate.

We are still not able to get a positive EV authentication using the test website (https://test1.a-trust.at).

Thank you for your help,
Regards Christoph

Quoting from:
  http://www.cabforum.org/Guidelines_v1_3.pdf
  Guidelines For The Issuance And Management Of Extended Validation Certificates
  Version 1.3

(I believe this is the most recent version.)


Problem 1
=========

(2) Subordinate CA Certificate
(A) certificatePolicies

You have fixed that, after I made you aware. Fixed.


Problem 2
=========

Referring to
  Appendix B - Extensions for EV Certificates Intended for use with SSL/TLS (Normative)
  (3) Subscriber Certificate
  (B) cRLDistributionPoint
  "If present, it MUST contain the HTTP URL of the CA's CRL service."

The subscriber certificate used by
  https://test1.a-trust.at/
contains a cRLDistributionPoint extension, but it contains an LDAP URL, not HTTP URL.

I believe you violate the EV guidelines.


Problem 3
=========

Referring to
  Appendix B - Extensions for EV Certificates Intended for use with SSL/TLS (Normative)
  (2) Subordinate CA Certificate
  (B) cRLDistributionPoint
  "This extension MUST be present ...
   It MUST contain the HTTP URL of the CA's CRL service."

The subordinate/intermediate CA certificate used by
  https://test1.a-trust.at/
contains a cRLDistributionPoint extension, but it contains an LDAP URL, not HTTP URL.

I believe you violate the EV guidelines.


Problem 4
=========

The subordinate CA cert does not contain an AIA/OCSP http URL.
It's absent.

The EV guidelines allow that to be absent.

Unfortunately that's a problem for Firefox, because we don't support automatic CRL download (yet), we require OCSP in subordinates for EV to work.
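
Added example, not from the bug or from PSM: a Python checker that applies the four points above (the Appendix B rules as quoted in the comment, plus the Firefox-specific requirement for an OCSP URI in the subordinate's AIA) to extension values already extracted from a chain, for instance from `openssl x509 -noout -text`. The chain data, hostnames and function names are constructed for the example; the EV policy OID is A-Trust's from this bug.

```python
"""Check a subordinate/subscriber pair for the EV-related extension problems
described in this comment. Input is pre-extracted extension data, not DER."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ANY_POLICY = "2.5.29.32.0"           # anyPolicy, accepted in place of the EV OID
EV_OID = "1.2.40.0.17.1.22"          # A-Trust's EV policy OID, from the bug


@dataclass
class CertInfo:
    """EV-relevant extension values extracted from one certificate (constructed input)."""
    label: str
    policies: list = field(default_factory=list)    # certificatePolicies OIDs
    crl_uris: list = field(default_factory=list)    # cRLDistributionPoint URIs
    ocsp_uris: list = field(default_factory=list)   # AIA id-ad-ocsp URIs


def has_http_url(uris):
    """Appendix B asks for an HTTP URL; an LDAP-only list does not satisfy it."""
    return any(urlsplit(u).scheme.lower() == "http" for u in uris)


def ev_findings(subordinate, subscriber, ev_oid=EV_OID):
    """Return a list of findings; an empty list means none of the four issues is present."""
    findings = []
    # (2)(A) subordinate certificatePolicies must carry the EV OID or anyPolicy (Problem 1)
    if not ({ev_oid, ANY_POLICY} & set(subordinate.policies)):
        findings.append(f"{subordinate.label}: certificatePolicies lacks {ev_oid} and anyPolicy")
    # (3)(B) subscriber cRLDistributionPoint is optional, but must be HTTP if present (Problem 2)
    if subscriber.crl_uris and not has_http_url(subscriber.crl_uris):
        findings.append(f"{subscriber.label}: cRLDistributionPoint has no HTTP URL")
    # (2)(B) subordinate cRLDistributionPoint is required and must be HTTP (Problem 3)
    if not subordinate.crl_uris:
        findings.append(f"{subordinate.label}: cRLDistributionPoint missing")
    elif not has_http_url(subordinate.crl_uris):
        findings.append(f"{subordinate.label}: cRLDistributionPoint has no HTTP URL")
    # Firefox requirement: OCSP URI in the subordinate's AIA, since CRLs are not fetched (Problem 4)
    if not has_http_url(subordinate.ocsp_uris):
        findings.append(f"{subordinate.label}: no HTTP OCSP URI in AIA (needed by Firefox for EV)")
    return findings


# Constructed chain mirroring the state this comment describes: no policy in
# the intermediate, LDAP-only CRL pointers, no OCSP. Hostnames are placeholders.
AS_REPORTED = (
    CertInfo("a-sign-SSL-EV-03 (subordinate)",
             policies=[], crl_uris=["ldap://ldap.example.test/cn=crl"], ocsp_uris=[]),
    CertInfo("test1.a-trust.at (subscriber)",
             policies=[EV_OID], crl_uris=["ldap://ldap.example.test/cn=crl"]),
)

# The same chain after the corrections the comment asks for.
AFTER_FIX = (
    CertInfo("a-sign-SSL-EV-03 (subordinate)",
             policies=[ANY_POLICY],
             crl_uris=["http://crl.example.test/sub-ca.crl"],
             ocsp_uris=["http://ocsp.example.test/"]),
    CertInfo("test1.a-trust.at (subscriber)",
             policies=[EV_OID], crl_uris=["http://crl.example.test/ee.crl"]),
)

if __name__ == "__main__":
    for name, chain in (("as reported", AS_REPORTED), ("after fix", AFTER_FIX)):
        print(f"{name}: {ev_findings(*chain) or ['no findings']}")
```

The check is deliberately per-role: a CDP is optional on the subscriber but mandatory on the subordinate, and the OCSP check is a browser requirement rather than a guideline one, which is why it sits apart from the Appendix B rules and is labelled as Firefox's.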

(In reply to comment #10)
> 
> Problem 4
> =========
> 
> The subordinate CA cert does not contain an AIA/OCSP http URL.
> It's absent.
> 
> The EV guidelines allow that to be absent.
> 
> Unfortunately that's a problem for Firefox, because we don't support
> automatic CRL download (yet), we require OCSP in subordinates for EV to work.


It is the responsibility of the CA to demonstrate (using the provided test) that their EV SSL certificate hierarchy works as expected in Firefox. For the time being, this means that the intermediate certificate needs to have the OCSP URI in the AIA.

Item 14 (fifth bullet) of https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate

Hello!

We modified our certificates and were able to successfully test the EV certificate on https://test1.a-trust.at (Browser bar went green).

Regards,
Christoph

Attached patch: Patch v1 (Splinter Review)
This is the patch that was included in the test build and was confirmed to work by the CA.

Requesting code review.
Attachment #547092 - Flags: review?(honzab.moz)

(In reply to comment #12)
> 
> We modified our certificates and were able to successfully test the EV
> certificate on https://test1.a-trust.at (Browser bar went green).

Ok. I was able to repeat the test and get a green result, too.

Comment on attachment 547092 [details] [diff] [review]
Patch v1

r=honzab
Attachment #547092 - Flags: review?(honzab.moz) → review+

I apologize for the late landing; I overlooked that this has been ready for quite a while.

https://hg.mozilla.org/integration/mozilla-inbound/rev/123160236bf1

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
https://hg.mozilla.org/mozilla-central/rev/123160236bf1
Assignee: nobody → kaie
Target Milestone: --- → mozilla11