Clarification on BRs 2.2 Compliance for Test Web Pages (Cross-Certification Scenario)


大野 文彰

Sep 3, 2025, 4:21:12 AM
to server...@groups.cabforum.org

Greetings all,

We would like to confirm an interpretation of the BRs 2.2 requirement for hosting test Web pages.

Scenario:

Root A currently has no active subordinate CAs directly under it, or they are scheduled for revocation.

Root A has issued a cross-certificate to Root B.

Under Root B, there are active subordinate CAs (Sub-TLS-CA-B1 and Sub-TLS-CA-B2) that issue TLS certificates.

Structure:

Root A
├─ Sub-TLS-CA-A1 (Revoked or scheduled for revocation)
├─ Sub-TLS-CA-A2 (Revoked or scheduled for revocation)
└─ Cross Certificate (to Root B)
   ├─ Sub-TLS-CA-B1 (Active, issues EE certificates; issued from Root B)
   └─ Sub-TLS-CA-B2 (Active, issues EE certificates; issued from Root B)

Intent:

Root A is included in all major browser root stores, while Root B is only included in some.

Therefore, we plan to continue WebTrust audits for Root A until Root B is included in all major browser root stores and widely distributed across devices such as PCs and smartphones.

To meet BRs 2.2 requirements during this period, we are considering using Sub-TLS-CA-B1 or Sub-TLS-CA-B2 (under Root B) to issue the test certificates for Root A.

Questions:

(1) If Sub-TLS-CA-A1 and Sub-TLS-CA-A2 are about to be revoked, would it be acceptable to register test Web pages in the CCADB using end-entity certificates issued by Sub-TLS-CA-B1 or Sub-TLS-CA-B2 (under Root B), assuming they build a valid path to Root A?

(2) Even if Sub-TLS-CA-A1 and Sub-TLS-CA-A2 are not yet revoked, but a cross-certificate from Root A to Root B has already been issued, would it still be acceptable to register test Web pages in the CCADB using end-entity certificates issued by Sub-TLS-CA-B1 or Sub-TLS-CA-B2 (under Root B), assuming they build a valid path to Root A?

Reference:

Baseline Requirements Section 2.2 – Publication of Information

https://github.com/cabforum/servercert/blob/main/docs/BR.md#22-publication-of-information

The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are i. valid, ii. revoked, and iii. expired.

We would appreciate your guidance on whether this approach meets the intent of BRs 2.2.

Thank you for your support.

Best regards,

ONO Fumiaki / 大野 文彰

SECOM Trust Systems CO., LTD.

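The cross-certified structure described in the question above, reduced to a constructed demo PKI (this is an added example, not code from the thread or from SECOM): Root A cross-certifies Root B, Sub-TLS-CA-B1 (issued from Root B) issues one end-entity test certificate, and openssl verify then checks that the same certificate builds a path to Root A only when the cross-certificate is served alongside it, and to Root B directly. All key material, names and the valid.test.example host are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a constructed demo PKI mirroring the
# question's structure. Root A cross-certifies Root B; Sub-TLS-CA-B1 (issued by
# Root B) issues one end-entity cert, which is then path-validated to each root.
set -e
WORK=$(mktemp -d); cd "$WORK"
EC="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# Self-signed Root A and Root B (openssl req -x509 adds CA:TRUE by default).
for r in rootA rootB; do
  openssl req -x509 $EC -keyout $r.key -out $r.pem -subj "/CN=$r" -days 30 >/dev/null 2>&1
done

# Extensions for the two CA certificates signed below (cross-cert and Sub-TLS-CA-B1).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >> ca.ext

# Cross-certificate: Root A signs Root B's public key under Root B's subject name.
openssl req -new -key rootB.key -subj "/CN=rootB" -out cross.csr 2>/dev/null
openssl x509 -req -in cross.csr -CA rootA.pem -CAkey rootA.key -CAcreateserial \
  -out cross.pem -days 30 -extfile ca.ext >/dev/null 2>&1

# Sub-TLS-CA-B1, issued by Root B.
openssl req -new $EC -keyout subB1.key -subj "/CN=Sub-TLS-CA-B1" -out subB1.csr 2>/dev/null
openssl x509 -req -in subB1.csr -CA rootB.pem -CAkey rootB.key -CAcreateserial \
  -out subB1.pem -days 30 -extfile ca.ext >/dev/null 2>&1

# End-entity certificate for a hypothetical "valid" test page, issued by Sub-TLS-CA-B1.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:valid.test.example\nextendedKeyUsage=serverAuth\n' > ee.ext
openssl req -new $EC -keyout ee.key -subj "/CN=valid.test.example" -out ee.csr 2>/dev/null
openssl x509 -req -in ee.csr -CA subB1.pem -CAkey subB1.key -CAcreateserial \
  -out ee.pem -days 30 -extfile ee.ext >/dev/null 2>&1

# The two intermediate chains a test page could serve: with the cross-certificate
# (so Root A clients can build a path) and without it (Root B clients).
cat subB1.pem cross.pem > chain_via_cross.pem
cp subB1.pem chain_direct.pem

# verify_to ANCHOR CHAIN: exit 0 only if ee.pem builds a valid path to ANCHOR.
verify_to() { openssl verify -CAfile "$1" -untrusted "$2" ee.pem >/dev/null 2>&1; }
path_to_root_a() { verify_to rootA.pem chain_via_cross.pem; }          # the question's case
path_to_root_b() { verify_to rootB.pem chain_direct.pem; }
path_to_root_a_without_cross() { verify_to rootA.pem chain_direct.pem; }  # expected to fail

path_to_root_a && echo "EE chains to Root A via the cross-certificate"
path_to_root_b && echo "EE chains to Root B directly"
path_to_root_a_without_cross || echo "Without the cross-certificate there is no path to Root A"
```

The same Sub-TLS-CA-B1 certificate therefore serves test pages for both roots; what changes per root is only whether the cross-certificate is included in the served chain.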
Corey Bonnell

Sep 16, 2025, 3:21:23 PM
to server...@groups.cabforum.org

Since it seems no one has responded, I’ll give my opinion and anyone who disagrees is free to reply 😊

My understanding is that the requirement for hosting test websites is so that certificate-consuming software can validate whether it is properly processing certification paths that terminate in each trust anchor in its trust store. It appears that Sub-TLS-CA-B1 and Sub-TLS-CA-B2 have valid certification paths to both Root A and Root B.

Given this, I believe the answer to both questions is “Yes”.

Thanks,

Corey

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.

大野 文彰

Sep 16, 2025, 10:00:46 PM
to server...@groups.cabforum.org

Hello Corey-san,

Thank you very much for your response.

We had a similar understanding — that unless both (1) and (2) are answered “Yes”, it could become increasingly difficult to efficiently decommission older subordinate CAs during future Root CA transitions.

We appreciate your confirmation that using test certificates from Sub-TLS-CA-B1 or Sub-TLS-CA-B2 (under Root B) is acceptable as long as they build a valid path to Root A.

Best regards,

ONO Fumiaki / 大野 文彰

SECOM Trust Systems CO., LTD.

Roman Fischer

Sep 19, 2025, 7:28:34 AM
to server...@groups.cabforum.org

I concur and this is also how we're handling it with our new roots and ICAs.

Rgds
Roman

From: 'Corey Bonnell' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Tuesday, 16 September 2025 21:21
To: server...@groups.cabforum.org

大野 文彰

Sep 19, 2025, 7:45:57 AM
to server...@groups.cabforum.org

Hello Roman-san,

Thank you for confirming.

It’s reassuring to know that your team is handling the scenario in the same way with your new roots and ICAs.

Best regards,

ONO Fumiaki / 大野 文彰

SECOM Trust Systems CO., LTD.