[Mozilla Enterprise] Revoking internal intermediate CA certificate
Dana Keeler
dkeeler at mozilla.com
Thu Mar 11 21:18:28 UTC 2021
Firefox does not check OCSP for any intermediate certificates except
when verifying an extended validation certificate (note that third-party
PKIs cannot issue certificates that Firefox will consider to be EV).
Firefox does not check CRLs at all.

OneCRL is a manually-curated list of revoked certificates from the web
PKI, so it doesn't cover third-party PKIs.

Short of hosting your own Remote Settings server
(https://wiki.mozilla.org/Firefox/RemoteSettings) and including your
revocations in your own version of OneCRL, there's no way to do what
you're describing.

On 3/10/21 08:58, Martin Germann wrote:
> It looks like Firefox is not checking intermediate CA certificates using OCSP
> or CRLs. Found some sites saying that intermediate CA revocation
> information is published using OneCRL (not sure if this information is
> accurate).
>
> That means that if I have an internal CA and would need to revoke an
> intermediate CA certificate signed by my root CA, Firefox would never
> notice. Any way to solve this?
>
> Regards,
>
> Martin