CA/Required or Recommended Practices

39 bytes added, 20:13, 25 June 2010
OCSP
Mozilla strongly recommends that OCSP be provided for certificates chaining to CAs that are included in NSS. OCSP responders should listen on a standard port (port 80 is the usual choice for OCSP over HTTP), because firewalls on the client side may block ports other than 80/443, and a blocked responder looks to the user exactly like a broken one.
Section 11.1.1 of the [[http://www.cabforum.org/Guidelines_v1_2.pdf CA/B Forum Guidelines for Extended Validation Certificates]] says: ''It is strongly RECOMMENDED that all CAs support OCSP when a majority of deployed Web servers support the TLS 1.0 extension in accordance to RFC 3546, to return “stapled” OCSP responses to EV-enabled applications. CAs MUST support an OCSP capability for Subscriber Certificates that are issued after Dec 31, 2010.''
After December 31, 2010, Mozilla will require that OCSP be supported and working without error for all EV certificates chaining up to root certificates included in NSS.
RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain. In short, a response is only acceptable if it is signed by the key of the CA that issued the certificate in question, by a delegated responder certificate that was issued by that same CA and carries the id-kp-OCSPSigning extended key usage, or by a key the client has been explicitly configured to trust for this purpose. NSS enforces these requirements exactly, so a responder certificate issued from anywhere else in the hierarchy will be rejected.
 
You MUST test your OCSP service in Firefox! We expect OCSP responders to function without error in Mozilla products. To test in Firefox:
* Check the box for "When an OCSP server connection fails, treat the certificate as invalid" (this sets the about:config preference security.OCSP.require to true, so a failed or malformed response becomes a hard error instead of being silently ignored)
* You may need to clear your cache (NSS caches OCSP responses, so a response fetched earlier in the session may be reused instead of your responder being contacted again)
* Browse to a website whose SSL certificate chains up to your root and carries the corresponding OCSP URI in its AIA extension.
Errors that CAs sometimes encounter when testing OCSP in Firefox:
* An error that appears because the OCSP responder answers the request with an OCSP error status (for example tryLater or unauthorized) instead of a signed certificate status.
* Error code: sec_error_ocsp_invalid_signing_cert
** The response is signed by a certificate that NSS cannot chain to the issuing CA, so it would only validate if the OCSP signing certificate were imported into the client separately. Mozilla users should not have to find and install the OCSP responder's certificate. See [[CA:Problematic_Practices#OCSP_Responses_signed_by_a_certificate_under_a_different_root|Potentially Problematic Practices.]]
* Error code: sec_error_bad_database
** If you were trying to find/fetch something, it cannot be found.