Updating CCADB PEM extracted data June 18-22

Kathleen Wilson

Jun 18, 2018, 1:59:35 PM
to mozilla-dev-s...@lists.mozilla.org
All,

We will begin the CCADB migration to the new PEM-extraction tool today,
and expect to be done by Friday. It will take a couple days to make all
the changes, re-run the PEM-extraction over all of the data, update
reports, etc.

The CCADB and reports will continue to be available during the
migration, but there may be momentary inconsistencies in the
PEM-extracted data and fields. Note that these are read-only fields in
the CCADB.


The most noticeable changes will be:

1) Certificate Serial Number
New value is upper case. (e.g. old: 35def4cf, new: 35DEF4CF)

2) SHA-1 Fingerprint and SHA-256 Fingerprint
Removing the colons.
OLD:
08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78
NEW: 08297A4047DBA23680C731DB6E317653CA7848E1BEBD3A0B0179A707F92CF178

3) "Certificate ID" field will be replaced by a new "Subject + SPKI
SHA256" field, and a new "SPKI SHA256" field will be added.
Removing the colons.
OLD:
4F:31:A6:06:59:45:EA:BC:6A:45:CB:AD:72:D8:0A:20:A4:40:0E:55:05:B9:2A:0C:4C:F1:F6:C1:A3:10:92:9F
NEW: FF5680CD73A5703DA04817A075FD462506A73506C4B81A1583EF549478D26476

4) New Signature Hash Algorithm values
NEW Values:
ecdsaWithSHA256
ecdsaWithSHA384
MD5WithRSA
SHA1WithRSA
SHA256WithRSA
SHA384WithRSA
SHA512WithRSA

5) New Key Usage values
NEW Values:
CRL Sign
Digital Signature
Non Repudiation
Key Encipherment
Certificate Sign
Key Agreement

6) New Extended Key Usage values
NEW Values:
ExtKeyUsageOCSPSigning
ExtKeyUsageIPSECEndSystem
ExtKeyUsageIPSECTunnel
ExtKeyUsageIPSECUser
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageServerAuth
ExtKeyUsageTimeStamping
ExtKeyUsageMicrosoftServerGatedCrypto
ExtKeyUsageNetscapeServerGatedCrypto

7) Technically Constrained
Checkbox will be updated according to Mozilla's current policy (e.g. EKU
*and* Name Constraints)

I will appreciate your patience this week, during this migration.

Thanks,
Kathleen

Kathleen Wilson

Jun 19, 2018, 3:04:22 PM
to mozilla-dev-s...@lists.mozilla.org
Most of the PEM data in the CCADB has been updated using the new tool.

There are 5 records (listed below) that the new tool fails to do the PEM
extraction for, so I am updating their PEM data manually.

Suva Root CA 1 Intermediate Certificate (Revoked)
832266D6BA8CBFCBF28E0614A01D9F4C39B8E41F7C87D2077DBB6C03840CA9C2
Error Statuscode: 400 Message: Could not parse X.509 certificate: x509:
failed to parse rfc822Name constraint "@suva.ch"

SSL.com EV Code Signing Intermediate CA RSA R2 Intermediate Certificate
(Technically Constrained via EKU to codeSigning)
D8:D3:82:E3:7D:2F:93:81:1A:A3:D9:40:EE:F4:C6:EE:A4:7B:B3:BA:50:27:1A:8B:F2:E8:C2:4C:DD:39:3C:56
Error Statuscode: 400 Message: Failed to parse certificate PEM

SSL.com EV Timestamping Intermediate CA RSA R1 Intermediate Certificate
(Technically Constrained via EKU to timeStamping)
55:4E:3A:E3:14:AF:F2:64:D3:FD:E7:F2:BB:C8:18:F2:E7:34:D9:4B:33:62:08:ED:EF:E7:C3:7B:16:2B:6A:96
Error Statuscode: 400 Message: Failed to parse certificate PEM

DPDHL TLS CA I3 Intermediate Certificate
(Revoked)
5F:FD:ED:E8:29:57:B4:3D:46:76:B1:CF:CC:39:CE:B1:50:DC:63:DB:FC:33:E2:6D:99:CA:A9:B9:76:2A:45:64
Error Statuscode: 400 Message: Could not parse X.509 certificate: x509:
failed to parse dnsName constraint "leserservice-media.de "

DPDHL TLS CA I3 Intermediate Certificate
(Revoked)
60:61:F7:73:35:4C:D2:ED:56:13:A0:94:AB:0E:82:70:D5:C2:47:99:32:B4:2D:FD:A7:27:DB:83:FE:BD:18:B8
Error Statuscode: 400 Message: Could not parse X.509 certificate: x509:
failed to parse dnsName constraint "leserservice-media.de "


Please let me know if you notice any problems with the new data in the
CCADB.

Thanks,
Kathleen
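
The two name-constraint errors quoted in the June 19 message have the form produced by Go's crypto/x509 parser. The following is an added example, not part of the original messages or of the CCADB tooling, that reproduces both failures with constructed throwaway certificates. It assumes the extraction tool relies on that parser; `parseWithConstraints` and the test CA are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// parseWithConstraints builds a throwaway self-signed CA certificate carrying
// the given permitted name constraints, feeds the DER to
// x509.ParseCertificate, and returns whatever error the parser reports.
func parseWithConstraints(dns, emails []string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return fmt.Errorf("keygen: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:            big.NewInt(1),
		Subject:                 pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:               time.Now().Add(-time.Hour),
		NotAfter:                time.Now().Add(time.Hour),
		IsCA:                    true,
		BasicConstraintsValid:   true,
		KeyUsage:                x509.KeyUsageCertSign,
		PermittedDNSDomains:     dns,
		PermittedEmailAddresses: emails,
	}
	// The constraint strings are written into the extension as given;
	// their syntax is only checked when the certificate is parsed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return fmt.Errorf("encode: %w", err)
	}
	_, err = x509.ParseCertificate(der)
	return err
}

func main() {
	cases := []struct{ dns, emails []string }{
		{dns: []string{"leserservice-media.de"}},  // control: parses
		{dns: []string{"leserservice-media.de "}}, // trailing space, as in the DPDHL records
		{emails: []string{"suva.ch"}},             // control: parses
		{emails: []string{"@suva.ch"}},            // empty local part, as in the Suva record
	}
	for _, c := range cases {
		fmt.Printf("dns=%q email=%q -> %v\n", c.dns, c.emails, parseWithConstraints(c.dns, c.emails))
	}
}
```

A strict parser rejects the whole certificate on one malformed constraint, so any pipeline that ingests CA certificates needs a fallback path for such records, as the manual update described above provides.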