Instructions documented in bug#677025#c4 and then updated in bug#696775. Please read both bugs before starting

joduinn briefed me on this a bit, I'll be looking at this in the next few weeks, well in advance of expiry.

To be clear, this seems to be about both the Release and Nightly certs. The Release one expires on the 29th and the Nightly one expires on the 31st, according to my dump of them with openssl.

08:54 < catlee-away> [22:11:40] bhearsum|afk: if you're getting the new code signing certs, I'm pretty sure they're used for XPI hotfixes, and so the public keys need to be included in firefox itself 08:55 < bhearsum|afk> catlee-away: so after getting the new certs, i need to import the public keys into m-c (and backport everywhere, i assume) 08:57 <@catlee> yeah, I guess so 08:57 <@catlee> I think it supports multiple fingerprints 08:58 < bhearsum> ok, i'll look into it 08:58 < bhearsum> thanks!

I initiated the purchase for both of these keys today. Current status is "pending", with the following text: Typical processing time for your SSL Certificate is two business days or less. At this time, no action is required from you. If there is anything else Thawte needs from your organization, Thawte will send email notification or call, in addition to displaying an alert in this status page. Does this answer your status question? If not, click here. I'll be following up tomorrow/Monday if we see no progress.

OK, this is almost done now. We have the new certs in hand, and I've installed them onto the signing servers. Nightly builds are already getting signed with the new keys, and the next set of releases will get signed with the new set of release keys. Last thing to do here is to put the new release key in the NSS keyring and make sure we can do XPI signing with them. I have some minor updates to https://intranet.mozilla.org/RelEngWiki/index.php/Signing#Inventory to do, too.

OK, new cert installed everywhere, imported to an NSS keystore, and docs updated.