Hi,
SSL Labs finds one of the certificates into my chain as "not trusted" so declares my server certificate not trusted.
FNMT-RCM / AC RAIZ FNMT-RCM appears as self-signed because it's the CA root itself.
On the other hand, Qualys declares "SSL Labs does not maintain its own trust store; instead we use the store maintained by Mozilla." but it seems Mozilla do trust this certificate because it's present on Mozilla Firefox store:
Why SSL Labs doesn't trust this certificate?
Hi @mmurray, you're absolutely right, I overlooked that.
In this case, I suspect we only have the option to request to this CA to solve this situation if we want to get an A certificate on SSL Labs.
Thanks!
Hi,
i think you should know that it take some time to get added to Mozilla/Microsoft/Chrome.
So if they are now already in the process it is maybe faster got get an free cert from other place
than to wait for getting an new CA added.
Free Certs: StartSSL / WoSign
Hi tlussnig
Thanks for the advice but by now my company can't use another CA. As you said, yes, it seems it'll take a long time because the actual situation still is Queue for Public Discussion.
https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
BTW, another free cert: Let's Encrypt
BTW, another free cert: Let's Encrypt
Let's Encrypt is not operational yet. From there forum [1]: the Let's Encrypt CA is planning for general availability of its services in the week of November 16, 2015.
By the way it is also interesting that Let's Encrypt certificates will only be valid for 90 days. The main idea is to produce renewal process fully automated [2]: At launch all certificates will have a lifetime of exactly 90 days. [...] Part of the rationale for the 90 day number is that when certs are renewed only once a year, a lot can change. The person in charge might forget how to do it, or leave the organization, or change email addresses, etc. A shorter lifetime will hopefully encourage people to automate the renewal process, and we'll provide tools to help with that.
[1] Beta application approval time? - Let's Encrypt Community Support
[2] Maximum (and minimum) certificate lifetimes? - Issuance Policy - Let's Encrypt Community Support
Hi.
Now FNMT-RCM certificate is included in the current list: https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport since firefox v51, but ssllabs still doesn't trust it. Anybody knows if there is an estimated date to fix this issue?
Thanks so much!
It will reflect in next SSL Labs release. SSL Labs uses Mozilla trust store and It is updated before every release.
Next release will be first available on dev.ssllabs.com. We will let you know once next version is deployed.
SSL Labs trust store is updated please verify on dev.ssllabs.com
Tested and working on dev.ssllabs.com
Thanks
Are you sure you haven't added it as a trusted cert within Mozilla? Not listed in the official list https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
And showing as 'Need Information from CA' within the pending CA certificate list https://mozillacaprogram.secure.force.com/CA/PendingCACertificateReport