DHS is only using Mozilla’s trust store for determining trust.  They are not 
using a government-based trust store.


We talked to Entrust last week.  Entrust was creating certificates with 
“” as the old way.  Recently, Entrust has been generating 
certificates with “” as their current and preferred method.


We want to get the domain added to Mozilla’s trust store, so DHS 
scans don’t come back with false positives.  What is the process of getting added to Mozilla’s trust base??




Jim Bowen (Contractor)
Trusted Internet Connection (TIC) Gateway Operations Lead
Veterans Affairs Network Security Operations Center (VA NSOC) 
221 Butler Street | Building 511 | Martinsburg, WV  25405
304-262-7745 (Office) | 571-439-4434 (Mobile)


Confidentiality Note: This e-mail is intended only for the person or entity to 
which it is addressed and may contain information that is privileged, 
confidential, or otherwise protected from disclosure. Dissemination, 
distribution, or copying of this e-mail or the information herein by anyone 
other than the intended recipient is prohibited. If you have received this 
e-mail in error, please notify the sender by reply e-mail, and destroy the 
original message and all copies.





From: Peter Bowen <> 
Sent: Saturday, November 23, 2019 7:24 PM
To: O'Donnell, Derek <Derek.O'>
Cc:; Bowen, James E. <>
Subject: [EXTERNAL] Re: INC8119596 Other | Entrust Certs and DHS


On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy 
<> > wrote:

We have a customer at the VA who uses an Entrust root:
Issuer   Entrust


They are repeatedly flagged by DHS for not using a trusted certificate and
using a self-signed certificate.  DHS uses Mozilla Trust Store.

Taking a look at the following file: 
iltins/certdata.txt, we can see that everything pertaining to Entrust end in

The Entrust CA our customer uses ends in .COM.  Both extensions are the same
thing.  How can we have the .COM certificate added Globally to Mozilla's
Trust Store?  This will resolve the issues being reported by DHS for us.
Any help on this would be greatly appreciated.


Hi Derek,


Entrust Datacard runs a number of different CAs.  The various CAs are intended 
for various purposes.


The CA you are using is intended for government-only applications.  The CAs 
that are included in the Mozilla Trust Store are intended for citizen or 
business-facing applications.  It sounds like DHS is recommending that you use 
a certificate that is designed for citizen or business-facing applications.  I 
would talk to Entrust Datacard or another CA in the Mozilla Trust Store to see 
about getting a new certificate.




Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to