Common CA Knowledge Database (CCADB): Submit Audit Information
This page is part of the Common CA Knowledge Database (CCADB): Knowledge base .
Overview
All root store members require CAs to undergo and submit audit statements annually in accordance with industry standards. Audits must be completed by a competent independent auditors as outlined in the CA/Browser Forum Baseline Requirements as well as each root store operator's policies. Records, called “Cases”, in the Common CA Database (CCADB) are organized in hierarchies, similar in concept to CA hierarchies. Each CA Owner has child nodes that are the Root Certificate records. Root Certificate records may have additional child records that are Intermediate Certificate records and Intermediate Certificate records may have child nodes that are additional Intermediate Certificate records. As a CA you will create an Audit Case in the CCADB to upload the appropriate audit information.
Preparing to Submit Annual Audit
Please have the following information prepared before you begin entering your annual update into the CCADB.
- Audit statement links. Please be aware that links change each year Please ensure the following requirements are met in the audit statement:
- The file size of the PDF file the link points is < 25MB
- Audit statements are in English.
- The audit statement contains the information outlined here.
- Links to updated CP/CPS documents. CP/CPS documents must be updated each year and must be in English.
Please ensrue that both Audit statement links and CP/CPS links must be a publicly accessible URL. If you do not have those, please follow the instructions in the Q&A on how to upload the documents.
Submitting Audit Information
- Login to the CCADB.
- Select "CA Owners/Certificates" and select your CA Owner.
- Create an Audit Case by clicking on the "Cases" tab -> click on the "New Case " button found in the middle of the web page.
- Enter Auditor and Audit Information to applicable Root Cert Records.
- Enter CP/CPS Information.
- Click "Submit"
- In the Audit Case page, scroll down to the 'Root Cases' section. Click on the 'Add Root Cert For This Audit Info' button to start a new Root Case.
- In the Root Case page, click on the search icon next to the 'Included Certificate' field.
- Type in the first character(s) of the root certificate name for a root certificate in the provided audit statements, followed by "*", then click on the 'Go!' button. You will only be able to find root certificate records that chain up to your CA Owner record.
- In the 'Select all that apply to the included Root' section, click on the appropriate boxes to show which audit statements cover the selected root certificate.
- Click on the 'Save' button.
- Enter the URLs to the test websites (valid, expired, revoked). If the root certificate can validate TLS/SSL certificates, then you need to also provide the URLs to the test websites. If the root certificate is enabled for EV treatment, then the TLS/SSL certs for the test websites must also be EV.
- valid = unexpired and unrevoked.
- expired = notAfter less than the current day, and unrevoked
- revoked = unexpired, but present in either/both of the CRL and OCSP responder
- If EV enabled, select the checkbox "Microsoft EV Enabled"
- Click on the 'Save' button
- You may click on the 'Edit' and 'Save' buttons as many times as you need to get the necessary information filled in.
- Click on the 'Case No' to go back to the main Audit Case page.
- Click on the 'Add Root Cert For This Audit Info' button and repeat the above steps to add as many Root Cases as needed, corresponding to the root certificates that are covered in the audit statements.
Helpful Hints
- Before starting this process, it may be helpful to open another window showing your CA's Account Hierarchy, so you can easily see which root certificates need to be accounted for (i.e. in the audit statements). Navigate to your CA Owner record or any of your root or intermediate cert records, go to the 'Account Hierarchy' section, and right-click on any of the record names and 'Open Link in New Window'.
- In the Root Case page, when you click on the search icon next to the 'Included Certificate' field, the default list will be the records that you recently viewed.
- A revoked certificate can expire, at which point, it becomes an expired certificate. Including expired certs in CRLs is not a direct violation of RFC 5280 section 5 (since it doesn't say you cannot also list expired certificates), but the premise of RFC 5280 CRLs was that you SHOULD NOT do this.
What Happens Next?
The appropriate root store operators will review the audit information you provided to ensure that it meets industry standards and contractual obligations. Details of the validation process can be found here.