Closed Bug 819053 Opened 12 years ago Closed 12 years ago

Create public certificate for signing apps on prod.

Categories

(Cloud Services :: Operations: Marketplace, task, P1)

task

Tracking

(blocking-b2g:-)

RESOLVED FIXED
blocking-b2g -

People

(Reporter: robhudson, Assigned: jstevensen)

References

Details

(Whiteboard: [temp cert verified][waiting on instructions for hsm generated cert])

Attachments

(2 files, 2 obsolete files)

+++ This bug was initially created as a clone of Bug #793876 +++
We need to create the real, public certificate for signing apps on -prod.
This is important. We have daily meetings about progress on this topic so please give me an ETA and a responsible party I can bug. Thanks. :)
Assignee: server-ops-amo → jthomas
CC'ing security to make sure that the cert creation steps in Bug #793876 gets r+ and any other recommendations or issues.
Flags: needinfo?(gdestuynder)
Why aren't we using the marketplace HSMs for these certs?
Joe: We are. But we need someone with access to the marketplace HSMs to actually do the cert generation.
Flags: needinfo?(jstevensen)
We need a way to generate the required cert/key pair using the HSM. The current script we use to generate for receipt signing gives us the cert in jwk and jwt format which does not work with app signing [1]. We would need them to be in x.509 format. I believe the key is generated in x.509 format. Any insight on how to generate the cert in the required format with the HSM would be great. [1] https://mana.mozilla.org/wiki/display/websites/Addons+signer#Addonssigner-Generatenewsigningkey
Here is temp cert. @bsmith can you verify?
(In reply to Jason Thomas [:jason] from comment #6)
> Here is temp cert. @bsmith can you verify?
Please attach a packaged app signed with this cert.
(In reply to Brian Smith (:bsmith) from comment #7)
> (In reply to Jason Thomas [:jason] from comment #6)
> > Here is temp cert. @bsmith can you verify?
>
> Please attach a packaged app signed with this cert.
Would someone be able to provide me with instructions or assist me with this?
Flags: needinfo?(jstevensen)
Flags: needinfo?(gdestuynder)
Attached file signed packaged app for verification (obsolete) (deleted) —
Attached file signed packaged app for verification (deleted) —
Attachment #694002 - Attachment is obsolete: true
(In reply to krupa raj 82[:krupa] from comment #10)
> Created attachment 694112 [details]
> signed packaged app for verification
I verified that I am able to use the root certificate above to validate this app.
Status: NEW → ASSIGNED
Whiteboard: [temp cert verified][waiting on instructions for hsm generated cert]
Priority: P1 → P3
Blocks: 822944
No longer blocks: packaged-apps
This bug blocks bug 822944, which is tef+. Changing priority to P1 as this is needed to resolve this on-device bug.
blocking-b2g: --- → tef+
Priority: P3 → P1
Clarifying that we are indeed blocked on bug 769729 (actually doing the HSM-based initial key gen which requires a physical, in-person key ceremony). Will update with an ETA shortly.
So we have a temp cert here (comment #6)? Is that usable while we wait on the HSM-generated cert?
Can we get a status update here?
Flags: needinfo?(rtilder)
Flags: needinfo?(jstevensen)
We need to regenerate the certs, but per bug 769729, since we shipped the HSM machines to PHX for final production installation we're waiting for them to be physically re-installed before we can do the re-generation "ceremony". That work is underway (captured in the dep tree); ETA is Tuesday, Feb 12th.
Flags: needinfo?(rtilder)
Flags: needinfo?(jstevensen)
Before we commit to any ETAs or deadlines, I want to make sure we (OpSec) have all of the relevant information for the certs.
Flags: needinfo?(rtilder)
Flags: needinfo?(mmayo)
Current generation scripts for CA, CSRs, and CSR signing (as well as Security World operations) are located here: https://mana.mozilla.org/wiki/download/attachments/26416648/hsm_scripts-marketplace.tar.gz.gpg?version=1&modificationDate=1360623470254&api=v2
These are signed by the OpSec key and are the scripts to be used to regenerate the CA and CSRs for the final generation. Thus those are the ones to check. They're basically the same as the test ones, except for removing "test" in the CNs and using SHA384 instead of SHA512 (per bsmith request).
Guillaume's scripts and configs look correct but for one thing. First the correct items:
- 2048 bit RSA keys
- SHA-384 as the default digest algorithm for certificates
- 10 years for the root CA certificate
- 5 years for the signing certificate
- code signing EKU for the code signing certificate requests and certification
- CN entries are as discussed in prior email thread
There is one thing that may need correction to make sure we don't inadvertently shoot ourselves in the foot at some point months or years from now. The root CA certificate should have the code signing EKU added as critical. That way if/when Gecko is modified to verify that an entire certificate chain has a given key usage, application verification won't suddenly stop working.
Flags: needinfo?(rtilder)
This is the 2nd revision: https://mana.mozilla.org/wiki/download/attachments/26416648/hsm_scripts-marketplace-2.tar.gz.gpg?version=1&modificationDate=1360627052958&api=v2
Changes:
- Added extendedKeyUsage=critical,codeSigning to [v3_ca_moz] in certs/ca/openssl.cnf
- Changed policy to allow the use of the EKU in the CA.
Note: this differs from commonly accepted SSL CA policies (as this is not to be used for a SSL CA, this may be ok).
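One way to check generated certificates against the parameters reviewed in the two comments above (RSA-2048, SHA-384, 10-year root, 5-year signing cert, critical codeSigning EKU on the root as well as the leaf), as an added example that is not the OpSec scripts or any Mozilla code: it builds a throwaway chain with openssl (assumed on PATH, 1.1.1 or newer) with a root lacking the EKU beside the corrected one, and runs the same checks over both; all file, section and subject names are made up.

```shell
# Added example, not the bug's OpSec scripts: build a throwaway chain with the
# parameters agreed in this bug (RSA-2048, SHA-384, 10-year root, 5-year signing
# cert, critical codeSigning EKU on both) and check issued certs against them.
# Assumes OpenSSL 1.1.1+ on PATH; names and section names are constructed here.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
default_md = sha384
[ dn ]
CN = Example Root CA 1
[ v3_ca_weak ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_ca_moz ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = critical,codeSigning
[ v3_signing ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
EOF
# check_cert FILE CA_FLAG MIN_DAYS: RSA-2048, SHA-384 signature, expected
# basicConstraints, critical Code Signing EKU, at least MIN_DAYS of validity left.
check_cert() {
  txt=$(openssl x509 -in "$1" -noout -text | tr -s ' \n' ' ')
  case "$txt" in *"Public-Key: (2048 bit)"*) ;; *) echo "$1: not RSA-2048"; return 1 ;; esac
  case "$txt" in *sha384WithRSAEncryption*) ;; *) echo "$1: not SHA-384"; return 1 ;; esac
  case "$txt" in *"CA:$2"*) ;; *) echo "$1: basicConstraints is not CA:$2"; return 1 ;; esac
  case "$txt" in *"Extended Key Usage: critical Code Signing"*) ;; *) echo "$1: EKU not critical codeSigning"; return 1 ;; esac
  openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null || { echo "$1: validity too short"; return 1; }
}
# Root without the EKU (the "before" state) and root with it, both 10 years.
openssl req -new -x509 -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" -extensions v3_ca_weak \
  -days 3650 -keyout "$WORK/ca-weak.key" -out "$WORK/ca-weak.pem" 2>/dev/null
openssl req -new -x509 -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" -extensions v3_ca_moz \
  -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Five-year app-signing cert issued by the corrected root.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" -subj "/CN=Example App Signing 1" \
  -keyout "$WORK/sign.key" -out "$WORK/sign.csr" 2>/dev/null
openssl x509 -req -in "$WORK/sign.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 1825 -sha384 -extfile "$WORK/openssl.cnf" -extensions v3_signing -out "$WORK/sign.pem" 2>/dev/null
if check_cert "$WORK/ca-weak.pem" TRUE 3649; then echo "unexpected"; else echo "weak root rejected"; fi
check_cert "$WORK/ca.pem" TRUE 3649 && check_cert "$WORK/sign.pem" FALSE 1824 \
  && openssl verify -CAfile "$WORK/ca.pem" "$WORK/sign.pem"
```

Point check_cert at the attached production certificates (root with `TRUE`, signing cert with `FALSE`) to repeat the conformance check the reviewer describes later in this bug.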
Key Signing Ceremony tomorrow in Mountain View (THANK YOU JOE!!) After discussion with rtilder, reassigning this bug to Joe and new bug comin' up for Jason to deploy certs to appropriate servers.
Assignee: jthomas → jstevensen
Blocks: 840368
The key ceremony is completed, we have generated a new root ca as per comment 20 scripts. Please verify and use the attached certificates if confirmed valid. Thanks!
Flags: needinfo?(rtilder)
The generated certificates do appear to conform to the specs laid out in earlier comments.
Flags: needinfo?(rtilder)
(In reply to Ryan Tilder [:rtilder] from comment #23)
> The generated certificates do appear to conform to the specs laid out in
> earlier comments.
Can you comment further about what needs to be done to correct this and how they don't conform? Sorry if you've already addressed the issues off-bugzilla.
Sorry, I read "do appear to conform" as "do not appear to conform". Ignore comment 24.
Flags: needinfo?(mmayo)
Joe S, can we close this bug?
All done!
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
No longer blocks: 841135
We're tracking bug 822944, so we can - this.
blocking-b2g: tef+ → -
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Reopened - see comments in bug 840368; open questions in https://etherpad.mozilla.org/dLWLvIJr4o
No longer blocks: 822944
Copy of the certificates, reports, and generation files from https://bugzilla.mozilla.org/show_bug.cgi?id=840368 Those are the final reviewers and production certificates.
Attachment #713150 - Attachment is obsolete: true
See bug 840368 for more information, as most of the work has been done there. Certs have been reviewed and tested for app signing, and parameters were agreed upon in the aforementioned bug 840368 and bug 845642.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Component: Server Operations: AMO Operations → Operations: Marketplace
Product: mozilla.org → Mozilla Services