Add CERTUM's SHA2 root certificate

RESOLVED FIXED

Status

NSS
CA Certificate Root Program
RESOLVED FIXED
3 years ago
4 months ago

People

(Reporter: Michal Proszkiewicz, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: Included in NSS 3.23, and Firefox 46. EV enabled in Firefox 48.)

Attachments

(8 attachments)

(Reporter)

Description

3 years ago
Created attachment 8410206 [details]
root certificate

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

Steps to reproduce:

Go to https://valid-certum-ctncav2.certificates.certum.pl/



Actual results:

Certificate is not trusted and not marked as EV


Expected results:

Certificate should be trusted and marked as EV.

We would like to enable all three bits: SSL, S/MIME, Code Signing
(Reporter)

Comment 1

3 years ago
Useful links below.

Sample SSL EV ertificates (valid, revoked, expired):
https://valid-certum-ctncav2.certificates.certum.pl/
https://revoked-certum-ctncav2.certificates.certum.pl/
https://expired-certum-ctncav2.certificates.certum.pl/

Root certificate can be downloaded from:
https://repository.certum.pl/ctnca2.cer
(Assignee)

Updated

3 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 2

3 years ago
When I try to browse to https://www.certum.pl/CPS and https://repository.certum.pl/ctnca2.cer with OCSP hard-fail enabled, I get: 
Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)

Please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP for instructions on testing with OCSP hard-fail enabled, and resolve this OCSP issue.
(Assignee)

Comment 3

3 years ago
Created attachment 8422719 [details]
Initial CA Information Document

The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness, and provide the necessary information in this bug.
(Assignee)

Updated

3 years ago
Whiteboard: EV - information incomplete
(Reporter)

Comment 4

3 years ago
(In reply to Kathleen Wilson from comment #3)
> Created attachment 8422719 [details]
> Initial CA Information Document
> 
> The attached document summarizes the information that has been verified.
> 
> The items highlighted in yellow indicate where further information or
> clarification is needed. Please review the full document for accuracy and
> completeness, and provide the necessary information in this bug.

Could you please send us Initial CA Information Document in some editable form (doc or docx)?
(Reporter)

Comment 5

3 years ago
I have problems with performing EV testing. Could you please point me to someone who can provide me pp output for our root certificate?
(Assignee)

Comment 6

3 years ago
Created attachment 8441768 [details]
test_ev_roots.txt
(Reporter)

Comment 7

3 years ago
Created attachment 8495929 [details]
Information gathering - filled document
(Reporter)

Comment 8

3 years ago
Created attachment 8495931 [details]
EV test success - screenshot
(Reporter)

Comment 9

3 years ago
I've attached filled document. Answers, filled gaps and changes are highlighted in yellow.
(Assignee)

Comment 10

3 years ago
I'm having difficulty with the document repository...

In Firefox, browse to http://www.certum.eu/
Click on "Repository" at bottom of page.
It goes here: http://www.certum.eu/certum/313016.xml
Click on "Certificate policy version 3.3"
Forbidden error: You don't have permission to access /upload_module/wysiwyg/Certum_CP_v3_3.pdf on this server.

Similar problems with the other links -- either I get that error, or it just ends up freezing.

On the other hand, most of the links on this page work: 
http://www.certum.pl/repository
redirects to http://www.certum.eu/certum/179898.xml

Except for "Certification practice statement version 3.4 Appendix 3: Guidelines for the issuance and management of Extended Validation SSL certificate (PDF 429 KB)"
gives me an error.

Is there a new EV CPS document?
(Assignee)

Comment 11

3 years ago
(In reply to Kathleen Wilson from comment #10)
> I'm having difficulty with the document repository...
> 
> In Firefox, browse to http://www.certum.eu/
> Click on "Repository" at bottom of page.
> It goes here: http://www.certum.eu/certum/313016.xml
> Click on "Certificate policy version 3.3"
> Forbidden error: You don't have permission to access
> /upload_module/wysiwyg/Certum_CP_v3_3.pdf on this server.


https://support.mozilla.org/en-US/kb/use-adobe-reader-plugin-view-or-download-pdf-files
Adobe does not yet maintain a browser plugin for viewing PDF files in Firefox on Mac OS X; instead, you can use the built-in PDF Viewer. 

Sigh.
(Assignee)

Comment 12

3 years ago
I've reviewed your response (Comment #7) and the current CPS and CP documents, and I am confused about the following.

1) There appear to be indications all throughout the CPS that there can be externally-operated subordinate CAs and external RAs. So, maybe your responses were in regards to the current CA hierarchy and the current RA situation, but the CPS does appear to allow for certificate issuance by external entities. So, the CPS needs to address how the Baseline Requirements are met (see BR sections 9.7, 14.2.4, 17, and 17.5).

2) I'm confused about Level 1 (testing), Certum Level I CA, and Certum Class I CA.
Are those for test certificates? 
Or are they for SSL certificates?
(Reporter)

Comment 13

3 years ago
I missed your comment hence the late answer.

1) I'll look into that today and address it properly.

2) Certum Level I CA and Class I CA are for test certificates that can be also SSL certificates (we currently offer S/MIME and SSL DV test certificates). But those certificates are issued regarding all the rules the only difference is that validity period i shorter (30-90 days).

Furthermore:
- Certum Level I CA - this subCA is used for our customers (it is under Certum CA root certificate)
- Certum Class I CA - this subCA is being used internally only for our purposes
(Reporter)

Comment 14

3 years ago
(In reply to Kathleen Wilson from comment #10)
> 
> Is there a new EV CPS document?

No.

We didn't see the point to keep it up to date when it was changing so we resign from additional EV CPS document.

Instead of additional document we put refereneces to EV Guidelines in version 3.7 of our CPS in chapters: 3.1.2., 3.2.2., 4.1.1., 7.1., 7.1.2., Appendix 5
(Assignee)

Comment 15

3 years ago
This root certificate has a 21-byte serial number (due to the leading 0 byte to indicate that it is a
positive value). Bug filed regarding NSS handling of a cert with a 21-byte serial number: https://bugzilla.mozilla.org/show_bug.cgi?id=1139205
RFC 5280 says that implementations must be able to handle values up to 20 octets
(Assignee)

Comment 16

3 years ago
Created attachment 8572292 [details]
999378-CAInformation.pdf

The attached document shows the information that has been verified, and where further information or clarification is needed. Please review the entire document for accuracy, and update this bug to provide corrections and the requested information.
(Assignee)

Comment 17

3 years ago
(In reply to Kathleen Wilson from comment #15)
> This root certificate has a 21-byte serial number (due to the leading 0 byte
> to indicate that it is a
> positive value). Bug filed regarding NSS handling of a cert with a 21-byte
> serial number: https://bugzilla.mozilla.org/show_bug.cgi?id=1139205
> RFC 5280 says that implementations must be able to handle values up to 20
> octets

I asked the NSS team about this today, and the result of the discussion was that NSS is implemented to handle up to 20 byte serial numbers (as per RFC 5280). So, the root certificate needs to be regenerated.

Please regenerate the "Certum Trusted Network CA 2" root certificate with a serial number that is less than 20 bytes and that has a not-before date slightly newer than the original certificate (so if both the original and new certificates happen to be imported, NSS will choose the new certificate that it can properly handle).
Created attachment 8614648 [details]
ctnca2.pem

The new regenerated CTNCA2 Root.
(In reply to Kathleen Wilson from comment #17)
> (In reply to Kathleen Wilson from comment #15)
> > This root certificate has a 21-byte serial number (due to the leading 0 byte
> > to indicate that it is a
> > positive value). Bug filed regarding NSS handling of a cert with a 21-byte
> > serial number: https://bugzilla.mozilla.org/show_bug.cgi?id=1139205
> > RFC 5280 says that implementations must be able to handle values up to 20
> > octets
> 
> I asked the NSS team about this today, and the result of the discussion was
> that NSS is implemented to handle up to 20 byte serial numbers (as per RFC
> 5280). So, the root certificate needs to be regenerated.
> 
> Please regenerate the "Certum Trusted Network CA 2" root certificate with a
> serial number that is less than 20 bytes and that has a not-before date
> slightly newer than the original certificate (so if both the original and
> new certificates happen to be imported, NSS will choose the new certificate
> that it can properly handle).

Please find attached the new CTNCA2 Root.
(Assignee)

Comment 20

2 years ago
Thank you for regenerating the root certificate.

Please carefully review the document attached in Comment #16. In the document search for "NEED" to see where clarification is requested, and add a comment to this bug to provide the requested information.
(In reply to Kathleen Wilson from comment #16)
> Created attachment 8572292 [details]
> 999378-CAInformation.pdf
> 
> The attached document shows the information that has been verified, and
> where further information or clarification is needed. Please review the
> entire document for accuracy, and update this bug to provide corrections and
> the requested information.

Thank you.

In response to Mozilla's list of Recommended Practices I kindly inform you that the new version of CP and CPS has been published:

CPS v3.9:
http://www.certum.pl/upload_module/wysiwyg/certum/cert_doc/cps/CCP-DK02-ZK02_Certification_Practice_Statement_of_CERTUM_Certification_Services_v3_9.pdf

CP v3.4
http://www.certum.pl/upload_module/wysiwyg/certum/cert_doc/pc_nuc/CCP-DK02-ZK01_Certification_Policy_of_CERTUM_Certification_Services_v3_4_1.pdf


Regarding to the status of requests:

NEED CLARIFICATION: * DNS names go in SAN -- In CPS
> CERTUM response: Corrected. As we meet the BR requirements I have added suitable statement to the Table 7.1.

NEED CLARIFICATION: Are test SSL certs allowed? What about domain control validation? Where is this documented?
> CERTUM response: Corrected. As we published the v3.5 version of CP you may find that CERTUM verifies all data provided by subscriber (including the meaning of all fields in certificate). However, the word ”most”drews attention to different types of certificates and various method of verification rather than what kind of information is verified and what is not. CERTUM validates domain name control and the email adress in any case.

NEED CLARIFICATION: It looks like externally-operated subordinate CAs are allowed. Is that correct? CPS section 1.3.1: Only two authorities can issue certificates to other certification authorities: Certum Level I CA (test certification authority) and Certum Global Services CA (commercial certification authority).
> CERTUM response: Corrected. I have supplemented the section 1.3.1.2 CPS by information on  subordinated CAs that are never operated by third parties.  The subordinate CAs are always operated by CERTUM which operating the root CA.

NEED CLARIFICATION: Has this root been involved in cross-signing? If yes, with which roots?
Certum Trusted Network CA 2 will be crossed with Certum CA.  Similarly as the prevoius Root CA (Certum Trusted Network CA).

NEED CLARIFICATION: It looks like external RAs are not allowed to do the validation of the email address or domain names to be included in the certificates. Is that correct?
> CERTUM response: Yes. It is correct. External RAs (called Registration Points) are not allowed to validate certificates’ DN. This means that only the Primary Registration Point have exclusive right and technical capabilities to verify subscriber’s right to use the domain name and the email.

NEED CLARIFICATION: CP section 2.6: "Certificates issued by Certum Code Signing CA provide a high level of confidence the identity of the subscriber, but the usage of the certificates is limited to code signing only. Detailed information on identity verification requirements are described in at http://www.certum.pl."
Where is this "Detailed information on identity verification requirements are described in at http://www.certum.pl."?

> CERTUM response: Corrected. As we published the new version of CP (now v3.5) you may find that CERTUM verifies all data provided by subscriber. Please find detailed authentication procedure on: https://www.certum.eu/certum/cert,offer_en_standard_code_signing.xml and https://www.certum.eu/certum/cert,offer_microsoft_code_signing.xml

NEED CLARIFICATION: Where is it documented that multi-factor authentication is required for all accounts capable of directly causing certificate issuance, as per Baseline Requirements section 16.5?
> CERTUM response: Corrected. I have supplemented the section 4.3.1 CPS by information on the necessity of multi-factor authentication within operational activities of the Primary Registration Point (including requests to CA).
(Assignee)

Comment 22

2 years ago
Created attachment 8644683 [details]
999378-CAInformation-Complete.pdf
(Assignee)

Comment 23

2 years ago
I will try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - information incomplete → EV - Ready for Public Discussion
(Assignee)

Comment 24

2 years ago
I am now opening the first public discussion period for this request from Certum to include the “Certum Trusted Network CA 2” root certificate, turn on all three trust bits, and enable EV treatment.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called “Certum Root Renewal Request”.

Please actively review, respond, and contribute to the discussion.

A representative of Certum must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Ready for Public Discussion → EV - In public discussion
(Assignee)

Comment 25

2 years ago
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical]
I am not aware of instances where Unizeto Certum has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy]
Unizeto Certum appears to provide a service relevant to Mozilla users. Certum is an organizational unit of Unizeto Technologies SA, providing certification services related to electronic signatures. It is the oldest public, commercial certification authority in Poland; operating on a global scale - serving customers in over 50 countries worldwide.
Certum already has a root cert included in NSS. This is the next generation root.

The request is to include the “Certum Trusted Network CA 2” root certificate, turn on the Websites and Email trust bits, and enable EV treatment.

Root Certificate Name: Certum Trusted Network CA 2
O From Issuer Field: Unizeto Technologies S.A.
Trust Bits: Email; Websites
EV Policy OID(s): 1.2.616.1.113527.2.5.1.1
Root Certificate Download URL: https://bugzilla.mozilla.org/attachment.cgi?id=8614648

Certificate Summary: This is the next generation of the “Certum Trusted Network CA” root cert that was included via bug #532377.

* Documents are provided in Russian and English. 

Document Repository: 	http://www.certum.eu/certum/179898.xml
CP: http://www.certum.eu/upload_module/wysiwyg/certum/cert_doc/pc_nuc/CCP-DK02-ZK01_Certification_Policy_of_CERTUM_Certification_Services_v3_4_1.pdf
CPS: http://www.certum.eu/upload_module/wysiwyg/certum/eu/documents/CCP-DK02-ZK02_Certification_Practice_Statement_v3_9.pdf

Qualified certs:
http://www.certum.eu/upload_module/wysiwyg/CCK-DK02-ZK01_CPv3_8.pdf
http://www.certum.eu/servlet/pl.id.sys.servlets.FileDownloadServlet?filename=/upload_module/wysiwyg/certum/cert_doc/cps/CCP-DK02-ZK02_CSP_v3_9.pdf

Inclusion Policy Section 18 [Certificate Hierarchy]
CPS section 1.3.1: authorities subordinate to Certum Trusted Network CA:
- Certum Class 1 CA, -- TEST CERTS
- Certum Class 1 CA SHA2, -- TEST CERTS
- Certum Code Signing CA,
- Certum Code Signing CA SHA2,
- Certum Domain Validation CA SHA2,
- Certum Organization Validation CA SHA2,
- Certum Extended Validation CA,
- Certum Extended Validation CA SHA2,
- Certum Global Services CA SHA2.
DV certificates are issued for two separate groups. As a free test certificates for shorter period of validity and the standard certificates with a full usage. Certificates of the first group are issued by intermediate authorities Certum Level I CA, Certum Class 1 CA and Certum Class 1 CA SHA2. The second group of standard certificates are issued by Certum Level II CA and Certum Domain Validation CA SHA2 authorities.

CPS section 1.3.1.2: Only two authorities can issue certificates to other certification authorities: Certum Level I CA (test certification authority) and Certum Global Services CA (commercial certification authority). However, certificates issued to other CAs are subject to the exclusive control of CERTUM. Also, issuing of end user certificates by these authorities is exclusively under control of the CERTUM.

Cross Signing: Certum Trusted Network CA 2 will be crossed with Certum CA. Similarly as the previous Root CA (Certum Trusted Network CA).


Inclusion Policy Section 7 [Validation]. 
Unizeto Certum appears to meet the minimum requirements for subscriber verification, as follows:

* SSL Verification Procedures: According to CPS section 3.2.6, for all SSL certificates authentication of the Applicant’s ownership or control of all requested Domain Name(s) is done using one of the following methods:
- by uploading file with the specified name to the root directory of the domain;
- by uploading specific metadata to the main page on the domain;
- by uploading specific metadata to the DNS text record of the domain;
- by direct confirmation with the contact listed by the Domain Name Registrar in the WHOIS record or provided to CERTUM by the Domain Name Registrar directly;
- by successfully replying to a challenge response email sent to one or more of the following email addresses: owebmaster@domain.com, postmaster@domain, admin@domain.com, administrator@domain.com, hostmaster@domain.com.
CERTUM only uses the WHOIS records linked to on the IANA root database and the ICANN approved registrars.

According to CP section 2.1: The verification for test certificates covers verification of the domain name as described in the CPS.

* Email Verification Procedures: According to CPS section 3.2.2 the registration authority verifies the email address to be included in the certificate. The aim of this action is to receive by the subscriber an authentication data sent to the address which has previous placed in the certification request.

* Code Signing Subscriber Verification Procedure: Not applicable. Mozilla is no longer enabling the Code Signing trust bit, because it is expected to be removed in 2016.

Certificate Revocation
CRL URLs: http://crl.certum.pl/evca2.crl
http://crl.certum.pl/ctnca2.crl
OCSP URLs: http://evca2.ocsp.certum.pl
http://subca.ocsp-certum.com
OCSP response is valid for 7 days.

Inclusion Policy Sections 11-14 [Audit]
Annual audits are performed by Ernst & Young, according to the WebTrust criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1901&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1903&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=1902&file=pdf

Based on this assessment I intend to approve this request from Unizeto Certum to include the “Certum Trusted Network CA 2” root certificate, turn on the websites and email trust bits, and enable EV treatment.
Whiteboard: EV - In public discussion → EV - Pending Approval
(Assignee)

Comment 26

2 years ago
As per the summary in Comment #25, and on behalf of Mozilla I approve this request from Unizeto Certum to include the following root certificate:

** "Certum Trusted Network CA 2" (websites, email), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
(Assignee)

Updated

2 years ago
Depends on: 1236962
(Assignee)

Updated

2 years ago
Depends on: 1236964
(Assignee)

Comment 27

2 years ago
I have filed bug #1236962 against NSS and bug #1236964 against PSM for the actual changes.
(Assignee)

Comment 28

2 years ago
We recently added two tests that CAs must perform and resolve errors for...

Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root certificate. Then click on the 'Search' button. Then click on the 'Run cablint' link. All errors must be resolved/fixed. Warnings should also be either resolved or explained.

Output for Test1:
no errors (certificate not found via CT)

Test 2) Browse to http://cert-checker.allizom.org:3001/ and enter the test website and click on the 'Browse' button to provide the PEM file for the root certificate. Then click on 'run certlint'. All errors must be resolved/fixed. Warnings should also be either resolved or explained. 

Output for Test 2:
Using certificate chain from 'https://valid-certum-ctncav2.certificates.certum.pl/'

Using certificate from local file 'CertumTrustedNetworkCA2.cert'

    /C=PL/O=Unizeto Technologies S.A./OU=CERTUM/L=Szczecin/ST=Zachodniopomorskie/street=Kr\xC3\xB3lowej Korony Polskiej 21/postalCode=70-486/1.3.6.1.4.1.311.60.2.1.3=PL/1.3.6.1.4.1.311.60.2.1.1=Szczecin/1.3.6.1.4.1.311.60.2.1.2=Zachodniopomorskie/serialNumber=0000233499/businessCategory=Private Organization/CN=www.valid-certum-ctncav2.certificates.certum.pl
        Warning
            Certificate Policies should not contain notice references
        Informational
            EV certificate identified
            TLS Server certificate identified

    /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Extended Validation CA
        Error
            Generalized Time before 2050
            Generalized Time before 2050
        Informational
            CA certificate identified
        Warning
            CA certificates should include Digital Signature to allow signing OCSP responses

    /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
        Error
            Generalized Time before 2050
            Generalized Time before 2050
~~

Please add a comment in this bug when the errors have been resolved.
(Assignee)

Comment 29

2 years ago
(In reply to Kathleen Wilson from comment #28)

> Test 2) Browse to http://cert-checker.allizom.org:3001/ and enter the test

Test 2 moved to https://cert-checker.allizom.org/
(Assignee)

Comment 30

2 years ago
(In reply to Kathleen Wilson from comment #28)
> We recently added two tests that CAs must perform and resolve errors for...
> ...
>         Error
>             Generalized Time before 2050
>             Generalized Time before 2050
>         Informational
>             CA certificate identified
>         Warning
>             CA certificates should include Digital Signature to allow
> signing OCSP responses
> 
>     /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification
> Authority/CN=Certum Trusted Network CA 2
>         Error
>             Generalized Time before 2050
>             Generalized Time before 2050
> ~~
> 
> Please add a comment in this bug when the errors have been resolved.


Apparently these certificates aren't conforming to section 4.1.2.5 of rfc 5280 regarding when to use UTCTime and when to use GeneralizedTime - dates before 2050 must be encoded as UTCTime. This root certificate was created in 2011, and the intermediate certificate was created in 2013.

mozilla::pkix does not enforce this rule about when Generalized Time may be used. If we decide to add code to enforce this rule, it will be for certificates created after a certain date (definitely later than 2013).

Therefore, we may proceed with this root inclusion request as stated in Comment #26.
(Assignee)

Updated

a year ago
Whiteboard: EV - Approved - awaiting NSS and PSM changes → Included in NSS 3.23, pending EV treatment
(Assignee)

Comment 31

a year ago
(In reply to Kathleen Wilson from comment #25)

On April 1, 2016, the polish District Court registered Unizeto under the new name: Asseco Data System S.A. 
So, Certum is an organizational unit of Asseco Data Systems S.A.

Updated URLs:

CA Document Repository: http://www.certum.eu/certum/cert,expertise_knowledge_main.xml
CP: http://www.certum.eu/certum/cert,expertise_certyfication_policy.xml
CPS: http://www.certum.eu/certum/cert,expertise_practice_statement.xml
Qualified certs:
http://www.certum.eu/servlet/pl.id.sys.servlets.FileDownloadServlet?filename=/upload_module/wysiwyg/certum/cert_doc/cp/CCK-DK02-ZK01_CP_v3_9.pdf
http://www.certum.eu/servlet/pl.id.sys.servlets.FileDownloadServlet?filename=/upload_module/wysiwyg/certum/cert_doc/cps/CCK-DK02-ZK02_CPS_v4.0.pdf
Because of the change of the company name we need to regenerate the "Certum Trusted Network CA 2" with Asseco Data Systems S.A. string in Organisation feild instead of Unizeto Technologies.
(Assignee)

Comment 33

a year ago
Please update the EV SSL certificate for https://valid-certum-ctncav2.certificates.certum.pl/
It expired.


(In reply to Arkadiusz Ławniczak from comment #32)
> Because of the change of the company name we need to regenerate the "Certum
> Trusted Network CA 2" with Asseco Data Systems S.A. string in Organisation
> feild instead of Unizeto Technologies.

https://wiki.mozilla.org/CA:How_to_apply#Changing_Verified_By_Information
"In regards to re-branding...
    - The text that is displayed within the blue or green bar in the address field of the Firefox browser is obtained directly from the end-entity SSL certificate.
    - The "Verified by" popup information is also obtained directly from the end-entity SSL certificate (Issuer Organization or Issuer Common Name).
Therefore a CA may change the information that is displayed in the "Verified by" popup, by creating a new intermediate issuing certificate with the desired information in the Subject Organization or Common Name."

To included an updated root certificate will require going through Mozilla's root inclusion process again. This process begins with the CA filing a Bugzilla Bug Report as described here:
https://wiki.mozilla.org/CA:How_to_apply#Include_a_Renewed_root
(Assignee)

Comment 34

a year ago
(In reply to Kathleen Wilson from comment #33)
> Please update the EV SSL certificate for
> https://valid-certum-ctncav2.certificates.certum.pl/
> It expired.
> 

I am still getting an error when trying to browse to the test website:
valid-certum-ctncav2.certificates.certum.pl uses an invalid security certificate. The certificate expired on April 10, 2016 at 2:36 AM. The current time is July 12, 2016 at 12:19 PM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE 

Please resolve asap, and update this bug when it is fixed.
Please find attached the valid (slightly different from previous) url that is backed with the new Certum Trusted Network CA 2 root (like the previous were too).

https://valid-certum-ctnca2.certificates.certum.pl/
https://revoked-certum-ctnca2.certificates.certum.pl/
https://expired-certum-ctnca2.certificates.certum.pl/
(Assignee)

Comment 36

a year ago
(In reply to Arkadiusz Ławniczak from comment #35)
> Please find attached the valid (slightly different from previous) url that
> is backed with the new Certum Trusted Network CA 2 root (like the previous
> were too).
> 
> https://valid-certum-ctnca2.certificates.certum.pl/
> https://revoked-certum-ctnca2.certificates.certum.pl/
> https://expired-certum-ctnca2.certificates.certum.pl/

Thanks!

The valid and expired cites work as expected for me, but the revoked site is still showing valid EV treatment.
(Assignee)

Comment 37

a year ago
> but the revoked site is still showing valid EV treatment.

It is looking like the cert in https://revoked-certum-ctnca2.certificates.certum.pl/ has not actually been revoked. 
Would you please look into this and update this bug when this has been resolved?
Now, it should work properly. PLease find:
https://revoked-certum-ctnca2.certificates.certum.pl/
(Assignee)

Comment 39

a year ago
(In reply to Arkadiusz Ławniczak from comment #38)
> Now, it should work properly. PLease find:
> https://revoked-certum-ctnca2.certificates.certum.pl/

Thanks! It's working as expected now.
(Assignee)

Updated

a year ago
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Whiteboard: Included in NSS 3.23, pending EV treatment → Included in NSS 3.23, and Firefox 46. EV enabled in Firefox 48.

Updated

4 months ago
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.