Firefox does not check OCSP for any intermediate certificates except
when verifying an extended validation certificate (note that third-party
PKIs cannot issue certificates that Firefox will consider to be EV).

Firefox does not check CRLs at all.

OneCRL is a manually-curated list of revoked certificates from the web
PKI, so it doesn't cover third-party PKIs.

Short of hosting your own Remote Settings server
(https://wiki.mozilla.org/Firefox/RemoteSettings) and including your
revocations in your own version of OneCRL, there's no way to do what
you're describing.

On 3/10/21 08:58, Martin Germann wrote:

It looks like Firefox is not checking intermediate CA certificates using OCSP
or CRLs. Found some sites saying that intermediate CA revocation
information is published using OneCRL (not sure if this information is
accurate).

That means that if I have an internal CA and would need to revoke an
intermediate CA certificate signed by my root CA, Firefox would never
notice. Any way to solve this?

Regards,
Martin
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise
To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise
or send an email to [email protected] with a subject of
"unsubscribe"