[cabfpub] Grace Periods for Subordinate CA Certificates

Kathleen Wilson kwilson at mozilla.com
Thu Oct 31 18:05:44 UTC 2013


I would like to clarify a couple of things regarding the grace periods 
that Mozilla established for complying with version 2.1 of Mozilla's CA 
Certificate Policy.

As a reminder, the requirement to comply with the Baseline Requirements 
was added to version 2.1 of Mozilla's CA Certificate Policy, which was 
published in February 2013. Recognizing that CAs would need time to 
transition their own operations as well as their subordinate CA 
customers to this new policy, Mozilla granted the following grace periods.


"As of February 2013, SSL certificate issuance must also be audited 
according to the Baseline Requirements (BRs), as described above. The 
first BR audit for each CA and subCA may include a reasonable list of 
BRs that the CA (or subCA) is not yet in compliance with. The second BR 
audit (the following year) is expected to confirm that the issues that 
were listed in the previous BR audit have been resolved."


"- All subordinate CA certificates that are issued after May 15, 2013 
must comply with version 2.1 of the Inclusion Policy

- All pre-existing subordinate CA certificates must be updated to comply 
with version 2.1 of the Inclusion Policy for new certificate issuance by 
May 15, 2014.

- All certificates that are capable of being used to issue new 
certificates must comply with version 2.1 of the Inclusion Policy for 
new certificate issuance by May 15, 2014."

Unfortunately, when creating these grace periods I overlooked the 
situation where a currently-valid subordinate CA's intermediate 
certificate expires before May 15, 2014, but they need more time to 
transition to their new CA hierarchy. Therefore, Mozilla wishes to 
clarify that it is OK to re-issue externally-operated intermediate CA 
certificates that are not yet fully compliant with the BRs in order to 
extend the validity period of the currently-valid intermediate CA 
certificate until May 15, 2014. That is, the replacement certificate's 
notAfter date would be May 15, 2014 or earlier. If there are no concerns 
about this, I will add it to the wiki page above (after discussing in 

Also, note that version 1.1.6 of the BRs included BR 9.7 regarding 
technically constraining subordinate CA certificates, and the effective 
date of that version of the BRs is July 29, 2013. However, Mozilla's 
grace periods as previously stated and described above still stand.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131031/939e33f3/attachment-0002.html>

More information about the Public mailing list