Opera

Getting Your Root Certificate Included in Opera

Opera Software takes an active part in the work to standardize the processes which safeguard the integrity and credibility of security certificates.

Specification for X.509 root certificates to be included in the Opera browser

This specification is based on the CA/Browser Forum guidelines for extended validation certificates and current best practices. The purpose of certificates included in the Opera browser should be:

• SSL/TLS site certificates
• SSL/TLS client certificates
• Object signing (Java)

In order to be included in the Opera browser, a root certificate must fulfill the following:

Requirements

1. The Certification Authority must document a satisfactory audit by a recognized practicioner.
2. The root certificates must comply with the RFC 3280 specification.
3. The certificates issued by the CA must support the CRL extension, and must point to a location which is publicly accessible.
4. We recommend support of OCSP for end certificates.
5. Intermediate certificates should specify AIA issuer url FDQN names.
6. The root certificates must have an expiration date more than 3 years in the future.
7. All new certificates from the CA should use a minimum 2048 bit keylength.
8. Certificates signed by the root certificates must have a significant presence on the public Internet.
9. Opera Software must be provided with test certificates as specified below.
10. All documents in other languages then English or Norwegian must be accompanied by a legal translation

Acceptable audit practicioners

In North America, the US and Canadian organizations for certified public accountants stand behind the WebTrust program for Certification Authorities.

Opera Software will accept a WebTrust for Certification Authorities audit. The minimum requirement for an audit we will accept is specified by WebTrust, or equivalent programs in other regions, for example the European program. Applicants must prove that other audits they might want to substitute meet the WebTrust standard, and must document the identity and credentials of the auditor.

Application procedure

An entity that wishes to have root certificates included in the Opera browser should send the following by mail to the address below and fill in the submission form.

1. The officially registered name of the entity, the physical location (street address), the postal address and the type of entity.
2. • Companies should specify the company type and where the company is formally registered.
   • Government agencies and other state organs should specify their legal status and the chain of responsibility.
   • Other entities should explain their legal status and official registration details.
3. Please include the full name, e-mail address and telephone number of the primary contact in the applicant organization, and of an alternate contact at the same or higher level of authority.
4. Documentation to establish credentials as a bona fide Certification Authority. See requirements below for how to document this.
5. Answers to the following questions for each root certificate requested to be included:
   • Who are the target users for certificates signed by this root certificate?
   • If it is not the first certificate you want to include, why is an additional certificate necessary?
   • How will you verify the identity of those requesting certificates signed by this root?
   • What is the URL to the Certificate practice Statement for this root?
   • Which third-party audits has your CA practice undergone?
   • What is the public HTTPS URL where certificates you have issued can be tested and verified?
   • Has the client certificate issuing systems been tested with the Opera browser on all relevant platforms?
   • What is the rollover policy when roots expire?
6. In the case of a purchased root, the history must be documented.

Root certificate delivery and verification

Sequence of Events

After you have met all the criteria for having your root certificates included in the Opera Browser, and received a reply stating that the criteria are met from Opera Software ASA, please send us the following to our postal address provided below:

1. A letter on your official letterhead signed by one or more persons who together have the legally binding signature of your organization.
   • The letter must indicate that you accept the responsibility for certificates issued under the roots to be included in the Opera Browser, and that you will notify Opera Software immediately if one or more certificates need to be invalidated or recalled.
   • The letter must state the certificate subject name, validity dates and SHA-1 fingerprint for each certificate.
2. The audit report

Postal address:

Opera Software ASA
att: QA processes / CA documentation
Postboks 2648 Sankthanshaugen
NO-0131 Oslo
Norway

Please note:

• Opera Software ASA will require proof of the authenticity of the signatures from another source, such as a public notary or government agency. It must be possible for us to verify the validity of this source.
• We will want to verify the SHA-1 fingerprint over some alternate communications channel, for example by making a telephone call to the contact person.

Test Certificates

• The testing certificates required by Opera should be submitted using your normal procedure for issuing certificates signed by your roots.
• The certificates should be made to Opera Software Quality Assurance.
• We require one certificate for the domain ca.opera.no where ca is your domain, and a signing certificate for our internal domain lab.osa.

General Information

The cost of getting a certificate included

Previously, Opera Software did the work included in the CA audit and charged a fixed sum for the work. With standard audits, the burden for Opera is much smaller and we have decided not to charge for our work. The cost of the audit and other necessary documentation will vary. Please check with your auditors to get a quote.

Audit requirements

The burden is on the CA to prove WebTrust equivalency. Your auditor should state whether the audit meets the WebTrust criteria in the audit report. You must provide proof that the auditor is qualified and properly registered. Any documents in other languages than English or Norwegian will have to be translated, and the translation has to be certified as legally accurate.

Audit renewals

The auditor should state the validity in the report, but it will under no circumstances be valid for more than 12 months. If the audit is not renewed in time, your root certificates will no longer be acceptable for inclusion in Opera and may be removed on short notice.

How long is the delay before the certificate is included?

This will vary a lot depending on how soon the different authorities can verify the documents we receive. Typically, the scrutiny by the auditor will take most of the time. With a valid audit, verification time will depend on how long it takes to verify the auditor and that the audit is valid according to WebTrust criteria.

Opera accepts root certificates all year, and there are no deadlines for the desktop browser. After your root certificate has been accepted and included, it will be available almost immediately in versions which use the Opera implementation of the SSL/TLS protocol.

Please note that this does not apply to many versions of Opera running on non-PC devices. For such versions, certificates may be controlled by the hardware manufacturer, or they may be embedded without any provision for upgrades.

When a CA or parts of their assets have been taken over

If you have purchased the roots of another CA, it is important to document the transactions in detail. As a general rule, intermediates should not be embedded. In the case that the assets of one CA have been split between several purchasers, it will be possible to make exceptions if the documentation is sufficient.