"Many of the certificate verification changes in the new library are subtle and are related to technical requirements specified in the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" issued by the Certification Authority/Browser (CAB) Forum. However, some of the behavior modifications also stem from changes Mozilla made to its own policy for trusting CA certificates.
For example, a document describing mozilla::pkix requirements notes that "end certificates used by servers are not allowed to have basic constraints asserting isCA=TRUE" and "certificates used as trust anchors or intermediates are now required to have the basic constraints extension and assert the isCA bit."
These two requirements are intended to prevent the misuse of subordinate CA (sub-CA) or intermediate certificates, which can be used to issue SSL certificates for any domain on the Internet."
The first result will be that users will have to add many certificates to their exceptions, because most certificates today don't respect a very strict set of rules, if any.
You have until the end of July to adapt your certificates so that they are compatible with the minimum requirements of Firefox, which accounts for at least 30% of all browsers.
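To check a chain against the two basic constraints rules quoted above before the deadline, here is an added example (not mozilla::pkix code and not from the quoted article). It assumes the DER bytes of each certificate's basicConstraints extension have already been extracted with an X.509 library; the function names and sample bytes are constructed for illustration.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos:pos + 2]  # unpacking raises ValueError if the header is cut short
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def is_ca(ext_der):
    """cA value of one DER-encoded basicConstraints Extension; None if absent."""
    if ext_der is None:
        return None
    tag, ext, _ = read_tlv(ext_der, 0)      # Extension ::= SEQUENCE
    tag2, oid, pos = read_tlv(ext, 0)       # extnID
    if tag != 0x30 or tag2 != 0x06 or oid != BASIC_CONSTRAINTS_OID:
        raise ValueError("not a basicConstraints extension")
    tag, val, pos = read_tlv(ext, pos)
    if tag == 0x01:                         # optional 'critical' BOOLEAN
        tag, val, pos = read_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("extnValue OCTET STRING expected")
    tag, bc, _ = read_tlv(val, 0)           # BasicConstraints ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("BasicConstraints SEQUENCE expected")
    if not bc:                              # cA is DEFAULT FALSE, so it may be omitted
        return False
    tag, flag, _ = read_tlv(bc, 0)
    return tag == 0x01 and flag == b"\xff"  # DER encodes TRUE as 0xFF

def check_chain(chain):
    """chain: [(name, extension DER or None)], end certificate first. Returns violations."""
    problems = []
    for i, (name, ext) in enumerate(chain):
        ca = is_ca(ext)
        if i == 0 and ca:
            problems.append(f"{name}: end certificate asserts isCA=TRUE")
        elif i > 0 and not ca:
            reason = "lacks basicConstraints" if ca is None else "does not assert isCA"
            problems.append(f"{name}: issuer certificate {reason}")
    return problems

# Constructed sample extensions: critical with cA=TRUE, and critical with an empty SEQUENCE.
CA_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")
EE_EXT = bytes.fromhex("300c0603551d130101ff04023000")
```

An empty list from `check_chain` means the chain meets both quoted rules; each returned string names the certificate that would need to be reissued.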