Instructions for CAs

This page provides instructions to CAs for specific parts of Mozilla's application process for root inclusion and update requests. See the Application Process Overview for the list of the steps in the application process.

Create Root Inclusion/Update Request

An official representative of the CA may submit their request using Mozilla's Bugzilla issue tracking system:

1. If you don't already have a Bugzilla account, create an account for yourself.
   • Note that you must supply an email address when creating an account; this address will be made public, and will be used for communications, related to your request.
   • Be sure to use an email address that you regularly monitor, because all communication regarding the request will be sent to this email address.
2. Create a new bug report corresponding to your request.
   • https://bugzilla.mozilla.org/enter_bug.cgi
   • Product: CA Program
   • Component: CA Certificate Root Program
   • Type: task
   • Severity: enhancement
   • Summary: Add [your CA's name] root certificate(s)
   • Do NOT select the check boxes to restrict visibility, such as making it confidential or marking it as a security bug. All information that is submitted for root inclusion and update requests must be publicly available.
3. Provide all of the required information.
   • If your CA does not yet have access to the CCADB, then you may request access here: https://ccadb.org/cas/request-access
   • Create a Root Inclusion Case in the CCADB - Example
   • IMPORTANT: Whenever you update data in your Root Inclusion Case in the CCADB, be sure to add a comment to your Bugzilla Bug to let folks know about the new/updated information.
4. Watch for email from bugzilla-daemon@mozilla.org containing additional requests for information.
   • It is recommended that you add bugzilla-daemon@mozilla.org to your email contacts so that notifications of updates to your bug don't get filtered into your SPAM folder.

IMPORTANT: Note that all information submitted to our Bugzilla system is publicly available to anyone on the Internet. Please do not include proprietary or confidential information in your request. If you wish to discuss confidential or sensitive matters, please do so via private email to certificates@mozilla.org. Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available.

Test

Here are the steps that a representative of the CA should take when asked to test that the certificate has been correctly imported and that websites work correctly.

1. Click on the test build link that is provided, choose the download file for the operating system you are using. You only need to test on one operating system, because the root store changes will be the same across platforms.
   • For example, to test on Mac:
     • Find the line with OSX that contains "OS X..." and a green B.
     • Click the green B, and the bottom part of the page will change to show more details of that build.
     • Click on the "Job Details" tab.
     • In the right column, you will see several "artifact uploaded" entries.
     • Scroll down that list to find "target.dmg". That's the Mac disk image that you're looking for. Click on it to download, then follow the instructions.
2. It is very important to ensure that you test using a fresh profile, which can be done using either of the following approaches:
   • Refresh Firefox button -- Recommended way to restore the security certificate settings.
   • Create a new Firefox profile.
   • For more information about using a separate profile for testing, refer to the knowledge base articles:
     • Profile Manager
     • Manually restore the security certificate settings -- only perform as last resort.
3. When you restart Firefox, be sure to use the test build that you just downloaded and installed. It will have a different name, like "Nightly".
   • If you are testing on a Mac OS you may need to:
     • Change the Gatekeeper settings to allow 3rd party apps to be run. For details see bug 1090459.
     • Open a Terminal window (Applications->Utilities->Terminal.app) and type: "sudo spctl --master-disable". You will have to enter your system password. Be sure to type "sudo spctl --master-enable" when you are done, to reset back to the regular protection. For details see bug 1352203.
4. Check that your root certificate is included and the trust bits set correctly.
   • Open the Options/Preferences window:
     • Pull down the Firefox menu (or name of the test build, e.g Nightly) and select Preferences...
   • Select Privacy & Security
   • Scroll down to the 'Certificates ' section
   • Click on 'View Certificates' to open the Certificate Manager
   • Select Authorities
   • Find your root certificate and confirm that it is marked as "Builtin Object Token" in the Security Device column.
   • Click on your root certificate to highlight it, then click on "View..." to confirm the correct certificates (check Serial Number and Fingerprints), and then “Edit Trust…” to verify that the correct trust bits are checked.
5. Browse to websites that have TLS server certificates that chain up to this root cert. The appropriate UI should appear indicating it is a secure website. Click on the lock to view certificate details (">", "More Information", "View Certificate").
   • Note: EV-enablement is done in a separate bug, after the root has been included. So you will not see EV treatment during this testing.
6. Comment in the bug to indicate your testing results.

Common CA Database

CAs must follow Mozilla's Root Store Policy the entire time they have a root certificate included in Mozilla’s root store.

CAs are required to:

• Annually provide public-facing statement(s) of attestation of their conformance to the stated verification requirements.
• Notify Mozilla when its policies and business practices change in regards to verification procedures for issuing certificates, when the ownership control of the CA’s certificate(s) changes, or when ownership control of the CA’s operations changes.
• Ensure that Mozilla has their current contact information.

Additionally, CAs must maintain their data in the Common CA Database about:

• All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program that are not technically constrained via EKU.
• Revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to their certificate(s) included in Mozilla’s CA Certificate Program and were not technically constrained via EKU.