On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> We have a customer at the VA who uses an Entrust root:
>
> Issuer Entrust
>
> AIA:
> http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c
>
> They are repeatedly flagged by DHS for not using a trusted certificate and using a self-signed certificate. DHS uses Mozilla Trust Store.
>
> Taking a look at the following file:
>
> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>
> we can see that everything pertaining to Entrust ends in .NET.
>
> The Entrust CA our customer uses ends in .COM. Both extensions are the same thing. How can we have the .COM certificate added globally to Mozilla's Trust Store? This will resolve the issues being reported by DHS for us.
>
> Any help on this would be greatly appreciated.

Hi Derek,

Entrust Datacard runs a number of different CAs. The various CAs are intended for various purposes. The CA you are using is intended for government-only applications. The CAs that are included in the Mozilla Trust Store are intended for citizen or business-facing applications.

It sounds like DHS is recommending that you use a certificate that is designed for citizen or business-facing applications. I would talk to Entrust Datacard or another CA in the Mozilla Trust Store to see about getting a new certificate.

Thanks,
Peter
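The check Derek describes (looking through certdata.txt for Entrust entries) is more precise if you read the trust objects rather than the certificate labels alone: a root only anchors TLS server certificates in Firefox when its CKO_NSS_TRUST object carries CKA_TRUST_SERVER_AUTH set to CKT_NSS_TRUSTED_DELEGATOR. The following is an added example, not code from this thread or from NSS; it runs over a constructed excerpt in certdata.txt syntax with the octal DER bodies omitted, and the second, distrusted entry is a made-up placeholder.

```python
"""Parse an NSS certdata.txt excerpt and report which roots are trusted for TLS server auth."""

# Constructed excerpt in certdata.txt syntax. Real entries also carry CKA_SUBJECT,
# CKA_ISSUER, hashes, etc.; the second root is a placeholder, not a real CA.
SAMPLE_CERTDATA = r'''
# Certificate "Entrust Root Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Entrust Root Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\004\221
END

# Trust for "Entrust Root Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Entrust Root Certification Authority"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "Example Distrusted Root (constructed)"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_certdata(text):
    """Return one dict per object; a CKA_CLASS line starts an object, MULTILINE_OCTAL blobs are skipped."""
    objects, current, in_blob = [], None, False
    for line in text.splitlines():
        if in_blob:                      # inside an octal blob: consume until END
            in_blob = line.strip() != "END"
            continue
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)      # attribute, PKCS#11 type, value
        if parts[1] == "MULTILINE_OCTAL":
            in_blob = True
            continue
        value = parts[2].strip('"') if len(parts) == 3 else ""
        if parts[0] == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[parts[0]] = value
    return objects

def server_auth_trust(text):
    """Map root label -> CKA_TRUST_SERVER_AUTH value for every CKO_NSS_TRUST object."""
    return {o["CKA_LABEL"]: o.get("CKA_TRUST_SERVER_AUTH", "")
            for o in parse_certdata(text) if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}

def find_roots(text, needle):
    """(label, trusted-as-TLS-anchor) for roots whose label contains needle, case-insensitively."""
    return sorted((label, val == "CKT_NSS_TRUSTED_DELEGATOR")
                  for label, val in server_auth_trust(text).items() if needle.lower() in label.lower())

if __name__ == "__main__":
    for label, ok in find_roots(SAMPLE_CERTDATA, "entrust"):
        print(f"{'TRUSTED  ' if ok else 'UNTRUSTED'} {label}")
```

Point it at the real certdata.txt from the URL above to list every root whose label matches, and to see that a CA absent from the file (like the government-only one in the thread) simply produces no row.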