Closed Bug 919480 Opened 11 years ago Closed 10 years ago

Remove Expired Firmaprofesional Root Certificate from NSS

Categories

(NSS :: CA Certificates Code, task)

Product:
NSS
Component:
CA Certificates Code
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: frank.lichtenheld, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 (Beta/Release)
Build ID: 20130807033622

Steps to reproduce:

Checked the expiry dates of CAs shipped by Mozilla


Actual results:

There is one Root CA "Certificate "Firmaprofesional Root CA"" which expires in about a month.

It seems to this CA was updated in #601718 but under a different name "Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"" (which is also the CN of the older CA).


Expected results:

The obsolete CA should probably not be shipped anymore.
Kathleen, I also got report about this expired root through another channel.

Can we remove it in the next batch?
Status: UNCONFIRMED → NEW
Ever confirmed: true
#
# Certificate "Firmaprofesional Root CA"
#
# Issuer: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
# Serial Number: 1 (0x1)
# Subject: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
# Not Valid Before: Wed Oct 24 22:00:00 2001
# Not Valid After : Thu Oct 24 22:00:00 2013
# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
Yes, I will add this bug to my list for the next batch of root changes. I'll send you the list in email.

CC'ing Chema on this bug, because he is the point-of-contact for Firmaprofesional.
Summary: Obsolete Root CA shipped for Firmaprofesional → Remove Expired Firmaprofesional Root Certificate from NSS
Depends on: 957300
Chema,

The code patch for this root cert removal is in bug #957300.

The test build is available at
  http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-e9ed86288188/

I have tested it, but you are also welcome to do so as follows...

Download a binary for your preferred operating system, you probably want one of the following files:
  try-linux/firefox-....en-US.linux-i686.tar.bz2
  try-linux64/firefox-....en-US.linux-x86_64.tar.bz2
  try-macosx64/firefox-....en-US.mac.dmg
  try-win32/firefox-....en-US.win32.zip

Refer to https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion

Be sure to use a fresh profile.
http://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
Thanks, Kathleen.

We will test is ASAP.

On the other hand, has something to do the EV check activation (bug #794036) with the bug #957300]?

Thanks in advance,

(In reply to Kathleen Wilson from comment #4)
> Chema,
> 
> The code patch for this root cert removal is in bug #957300.
> 
> The test build is available at
>  
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-
> e9ed86288188/
> 
> I have tested it, but you are also welcome to do so as follows...
> 
> Download a binary for your preferred operating system, you probably want one
> of the following files:
>   try-linux/firefox-....en-US.linux-i686.tar.bz2
>   try-linux64/firefox-....en-US.linux-x86_64.tar.bz2
>   try-macosx64/firefox-....en-US.mac.dmg
>   try-win32/firefox-....en-US.win32.zip
> 
> Refer to https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion
> 
> Be sure to use a fresh profile.
> http://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-
> firefox-profiles
We already have tested it and the old CA root is not included, as expected, so it seems everything is all-right.
(In reply to Chema López from comment #5)
> On the other hand, has something to do the EV check activation (bug #794036)
> with the bug #957300]?

I'm hoping to get to that soon, and then I'll update that bug.

Thanks,
Kathleen
(In reply to Chema López from comment #6)
> We already have tested it and the old CA root is not included, as expected,
> so it seems everything is all-right.

Thanks for testing.
We are targeting Firefox 29 for this change.
https://wiki.mozilla.org/RapidRelease/Calendar
done as part of bug 957300
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.