MozillaRootCertificate

From MozillaWiki

Mozilla operates multiple internal root CAs for issuing signed SSL certificates for a number of testing, pre-production and stage sites.

Legitimate public sites, including Mozilla sites, should never require you to trust these root CAs.

These root CAs are for internal use only. They are not trusted by Firefox, NSS, or any other Mozilla product. They will never be included in any trusted certificate store.

If you are helping us test one of these sites that uses a certificate signed by Mozilla, you might get a security warning.

This document tells you how you can tell your browser to trust the Mozilla CAs so that you don't get these warnings.

Mozilla SHA-2 Root CA

This is the current "Mozilla Root Certificate" internal CA as of February 2016, obsoleting the previous SHA-1 CA.

The Mozilla SHA-2 Root CA certificate and sha256 checksum can be downloaded from:

SHA1 Fingerprint=B3:1F:97:81:79:3C:3B:39:27:9B:B7:B7:03:CC:97:AB:90:50:02:FF
SHA256 Fingerprint=51:11:8D:20:EF:E1:DE:DE:70:7A:74:93:C7:97:F6:9F:13:53:97:03:04:50:A9:2B:9A:6F:15:D2:85:AA:A8:7E

Note that, as of February 2016, many sites still use signed certificates issued by the previous SHA-1 CA. We recommend installing the SHA-1 CA certificate through the end of 2016, by which time browsers will most likely terminate support for SHA-1 entirely.
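
The fingerprint check can also be done outside the browser, before the file is imported. The following is an added example, not part of the original wiki page: it hashes the DER encoding of a downloaded certificate (PEM or DER) and compares the result with the SHA-256 fingerprint published above. The function names and the constructed stand-in input are assumptions made for the example.

```python
import base64, hashlib, hmac, re, sys

# SHA-256 fingerprint published on this page for the Mozilla SHA-2 Root CA.
MOZILLA_SHA2_ROOT_SHA256 = (
    "51:11:8D:20:EF:E1:DE:DE:70:7A:74:93:C7:97:F6:9F:"
    "13:53:97:03:04:50:A9:2B:9A:6F:15:D2:85:AA:A8:7E")

# Constructed stand-in (ASN.1 SEQUENCE { INTEGER 1 }), NOT a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given PEM or DER file contents."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    if not der.startswith(b"\x30"):  # every certificate is an ASN.1 SEQUENCE
        raise ValueError("input is not a PEM or DER certificate")
    return der

def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Hash the DER encoding; format as colon-separated upper-case hex."""
    digest = hashlib.new(algo, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(published: str) -> str:
    """Drop a 'SHA256 Fingerprint=' or 'SHA1 Fingerprint: ' label and colons."""
    value = published.split()[-1].split("=")[-1]
    return value.replace(":", "").upper()

def matches(data: bytes, published: str, algo: str = "sha256") -> bool:
    """True only if the file's fingerprint equals the published one."""
    computed = normalise(fingerprint(data, algo))
    return hmac.compare_digest(computed, normalise(published))

if __name__ == "__main__":
    # Pass the downloaded .crt path; with no argument the stand-in is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_DER
    ok = matches(blob, MOZILLA_SHA2_ROOT_SHA256)
    print(fingerprint(blob), "MATCH" if ok else "MISMATCH: do not import")
    sys.exit(0 if ok else 1)
```

The `algo` argument also accepts `"sha1"` or `"md5"` for the older entries on this page that list only those fingerprints.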

Mozilla SHA-1 Root CA (deprecated February 2016)

The Mozilla SHA-1 Root CA certificate and md5 checksum can be downloaded from:

SHA1 Fingerprint: D7:C5:58:47:E4:D3:54:88:73:85:20:14:AE:4D:29:C4:AC:19:47:84
MD5 Fingerprint: 02:A3:29:30:03:D4:C1:A0:33:A0:44:AB:B0:D1:77:CF

Between October 2012 and January 2016, this certificate was also known as the "Mozilla Root Certificate".

Installation

Mozilla Firefox

Firefox uses its own Certificate Manager. The following procedure tells you how to import the Mozilla Root Certificate into your Firefox web browser.

  1. As of February 2016, the current and previous (now-obsolete) CAs can be installed by clicking each of these links:
    1. SHA-2 (current): https://www.mozilla.org/certs/mozilla-root-sha2.crt
    2. SHA-1 (obsolete): https://www.mozilla.org/certs/mozilla-root.crt
  2. Clicking each of these links will trigger the "trust a new CA" process in Firefox, which can be described approximately as follows. The fingerprints encountered should match the fingerprints shown above for the SHA-2 (current) and SHA-1 (obsolete) root CAs.
You have been asked to trust a new Certificate Authority (CA).

Do you want to trust "Mozilla Root CA" for the following purposes?

[ ] Trust this CA to identify web sites.
[ ] Trust this CA to identify email users.
[ ] Trust this CA to identify software developers.

Before trusting this CA for any purpose, you should examine its certificate
and its policy and procedures (if available).

[VIEW] Examine CA certificate

You should click on VIEW to check the certificate. Most important is that you check the fingerprints of the certificate. They should match the fingerprints above.

  3. Close the Certificate Viewer and check at least the first box ('Trust this CA to identify web sites.').
  4. Press OK and that's it.

If you want to check, modify, or delete the Mozilla Root Certificate you can access it at any time via:

  1. Open Edit -> Preferences -> Advanced or Open Tools -> Options -> Advanced
  2. Certificates -> Manage Certificates
  3. Authorities
  4. The Mozilla certificate is called Mozilla Root CA (Scroll down to 'R'!)
  5. Here you can View, Edit and Delete it.

Apple Safari

To add the Mozilla Root Certificate to Apple Safari, we need to use the Keychain Access application which is shipped with Mac OS X.

To install the certificate system-wide, you need to follow these steps:

  1. As of February 2016, the current and previous (now-obsolete) CAs can be installed by clicking each of these links:
    1. SHA-2 (current): https://www.mozilla.org/certs/mozilla-root-sha2.crt
    2. SHA-1 (obsolete): https://www.mozilla.org/certs/mozilla-root.crt
  2. Double-clicking on each of the files downloaded by these links will trigger the "trust a new CA" process in OS X, which can be described approximately as follows. The fingerprints encountered should match the fingerprints shown above for the SHA-2 (current) and SHA-1 (obsolete) root CAs.
  3. Double-click on the mozilla-___.crt file. The Keychain Access application will be launched.
  4. To check the certificate, click on the 'View Certificates' button on the left side of the dialog. A dialog with information about the certificate will pop up. Make sure the SHA1/MD5 fingerprints match.
  5. Select 'X509Anchors' from the 'Keychain' dropdown list and press 'OK'.
  6. You will be asked to authenticate yourself. After that, the certificate will be installed system-wide.

Opera Web Browser

This applies to 8.02 Linux, not sure about 6.x or 7.x

  1. As of February 2016, the current and previous (now-obsolete) CAs can be installed by clicking each of these links:
    1. SHA-2 (current): https://www.mozilla.org/certs/mozilla-root-sha2.crt
    2. SHA-1 (obsolete): https://www.mozilla.org/certs/mozilla-root.crt
  2. Clicking each of these links will trigger the "trust a new CA" process in Opera, which can be described approximately as follows. The fingerprints encountered should match the fingerprints shown above for the SHA-2 (current) and SHA-1 (obsolete) root CAs.
  3. Click on 'Root Certificate (PEM Format)'
  4. Choose 'View'
  5. Check 'Allow connections to sites using this certificate'
  6. If desired, uncheck 'Warn me before using this certificate'

There seems to be an occasional problem getting the certification to pass on Opera 8.5 in Windows. Here is the workaround:

  1. Make sure cache is cleared.
  2. Attempt to get cert. via Opera ID'ing.
  3. Attempt to get while ID'ing as IE 6.0 (in Opera).
  4. Attempt to get while ID'ing as Opera again. This time, cert. should pass through.

It seems there is something about the caching where it wants both IE and Opera set at the same time before it will let the Opera cert. go through. Odd, but it works.

Microsoft Internet Explorer

If you want to install the Mozilla Root Certificate manually into Internet Explorer do the following:

  1. As of February 2016, the current and previous (now-obsolete) CAs can be installed by clicking each of these links:
    1. SHA-2 (current): https://www.mozilla.org/certs/mozilla-root-sha2.crt
    2. SHA-1 (obsolete): https://www.mozilla.org/certs/mozilla-root.crt
  2. Opening each of these downloaded files will trigger the "trust a new CA" process in Windows, which can be described approximately as follows. The fingerprints encountered should match the fingerprints shown above for the SHA-2 (current) and SHA-1 (obsolete) root CAs.
  3. In the File Download window, select Open.
  4. You should verify certificate details in the Certificate window.
  5. Click on Install Certificate to launch the Certificate Import Wizard.
    1. The defaults are generally fine and you can just select Next.
    2. When prompted, select Yes to install.

Note: This procedure only adds the Mozilla Root Certificate to the current user.

External Documentation

All of this was taken from the following external sources:

Generating CSRs

If you want to generate your own CSR for Mozilla to sign, take a look at these two sites:

Obsolete "Mozilla Root CA", deprecated October 2012

This certificate is now considered deprecated as of October 2012, and is in the process of being replaced. If you find it used "in the wild", please let us know so we can work on replacing it.

The obsolete Mozilla Root CA Certificate and md5 checksum can be downloaded from:

SHA1 Fingerprint: B7:E6:8B:CC:DB:1A:12:26:82:B5:A2:93:F5:D3:0F:A6:44:64:85:D6
MD5 Fingerprint: 7F:1F:90:5A:5F:1F:4E:95:F8:33:AB:10:69:51:ED:BE