PSM:EV Testing Easy Version: Difference between revisions
mNo edit summary |
|||
| Line 50: | Line 50: | ||
== Test Failure? == | == Test Failure? == | ||
The purpose of this test is to make sure you have set up EV according to the [https://www.cabforum.org/documents.html EV Guidelines], so make sure you have not taken short-cuts like issuing the test cert directly from the root. | |||
* OCSP must work without error for the intermediate certificates. For more information see: https://wiki.mozilla.org/CA:EV_Revocation_Checking#Requirements | * OCSP must work without error for the intermediate certificates. For more information see: https://wiki.mozilla.org/CA:EV_Revocation_Checking#Requirements | ||
* The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID that you enter. (Note: the intermediate cert can use the anyPolicy oid rather than the EV policy oid.) | * The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID that you enter. (Note: the intermediate cert can use the anyPolicy oid rather than the EV policy oid.) | ||
* If the test website cannot be reached by the server hosting the tool, check to see if you have a firewall preventing access from Amazon EC2 instances. | |||
== About the Testing Tool == | |||
The Testing Tool... | |||
* Basically runs a program on a remote computer rather than the user's browser, so it should work with any browser/version. | |||
* Does not interact with the user's profile, so the user does not need to import the root certificate in order to run the tool. The web server must serve up the intermediate cert(s) along with the end-entity cert. | |||
* Runs on an [http://aws.amazon.com/ec2/ Amazon EC2 instance], so your test website must be accessible from Amazon EC2 instances. | |||
Revision as of 23:02, 22 September 2014
This page is for Certificate Authorities (CAs) who request to have a root certificate enabled for Extended Validation (EV) treatment, and need to test that their CA hierarchy is ready for EV treatment.
To request that your root certificate be included in NSS and enabled for EV treatment, start with the Mozilla CA Certificate Policy and the How to Apply guidelines.
This page explains how you can test that your certificates and OCSP infrastructure are working correctly according to the expectations of Mozilla, Firefox, and the NSS library; and conforms to the SSL protocol specifications (as interpreted by Mozilla/NSS software.)
EV-Readiness Check
To test your CA hierarchy to see if it is ready to request EV treatment:
- Browse to http://cert-checker.allizom.org/
- Enter the URL to the test website for the EV certificate
- Enter the PEM file for the root certificate (ending of file may be .pem or .cert)
- Enter the EV Policy OID
- Enter text Description, e.g. "CA Name EV OID"
- Click on "Run Checker"
A successful output will have the following form, as documented in ExtendedValidation.cpp
| // CN=<CN of root cert>,OU=<OU of root cert>,O=<O of root cert>C=<C of root cert> | ||
| "1.3.6.1.4.1.13769.9.1", | //EV Policy OID | |
| "CA Name EV OID", | //From Description field | |
| SEC_OID_UNKNOWN, | ||
| { 0x2D, 0x94, 0x52, 0x70, 0xAA, 0x92, 0x13, 0x0B, 0x1F, 0xB1, 0x24, | //SHA-256 fingerprint | |
| 0x0B, 0x24, 0xB1, 0xEE, 0x4E, 0xFB, 0x7C, 0x43, 0x45, 0x45, 0x7F, | ||
| 0x97, 0x6C, 0x90, 0xBF, 0xD4, 0x8A, 0x04, 0x79, 0xE4, 0x68 }, | ||
| "MIGnMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWlu" | //Issuer DER Base64 | |
| "IFZpZXcxIzAhBgNVBAoMGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYD" | ||
| "VGVzdGluZyAodW50cnVzdHdvcnRoeSkgQ0E=", | ||
| "At+3zdo=", | //Serial DER Base64 | |
| Success! |
If you have requested EV treatment in a Bugzilla bug, then attach a screen shot to the bug that shows this successful output.
Test Failure?
The purpose of this test is to make sure you have set up EV according to the EV Guidelines, so make sure you have not taken short-cuts like issuing the test cert directly from the root.
- OCSP must work without error for the intermediate certificates. For more information see: https://wiki.mozilla.org/CA:EV_Revocation_Checking#Requirements
- The EV Policy OID in the end-entity and intermediate certificates must match the EV Policy OID that you enter. (Note: the intermediate cert can use the anyPolicy oid rather than the EV policy oid.)
- If the test website cannot be reached by the server hosting the tool, check to see if you have a firewall preventing access from Amazon EC2 instances.
About the Testing Tool
The Testing Tool...
- Basically runs a program on a remote computer rather than the user's browser, so it should work with any browser/version.
- Does not interact with the user's profile, so the user does not need to import the root certificate in order to run the tool. The web server must serve up the intermediate cert(s) along with the end-entity cert.
- Runs on an Amazon EC2 instance, so your test website must be accessible from Amazon EC2 instances.