CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/05/14 05:00:10
Modified files:
lib/libcrypto : cert.pem
Log message:
Sync cert.pem with mozilla roots; quite a few CA certificates were
either removed or distrusted for web so are removed here. ok tb@
Common policies (moz, google, ca/b) are now to distrust roots with key
material created before a certain time (currently 2008, this rolls
forwards by 2 years each April until 2029 when it moves to '15 years
from creation'), and also roots used for TLS are not permitted to be
shared with other purposes (Secure Email, Code Signing, or others).
This removes all root certificates from the following CA operators:
-AffirmTrust
- /C=US/O=AffirmTrust/CN=AffirmTrust Commercial
- /C=US/O=AffirmTrust/CN=AffirmTrust Networking
- /C=US/O=AffirmTrust/CN=AffirmTrust Premium
- /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC
-Firmaprofesional SA
- /C=ES/O=Firmaprofesional SA/2.5.4.97=VATES-A62634068/CN=FIRMAPROFESIONAL CA ROOT-A WEB
-SecureTrust Corporation
- /C=US/O=SecureTrust Corporation/CN=Secure Global CA
- /C=US/O=SecureTrust Corporation/CN=SecureTrust CA
-TeliaSonera
- /O=TeliaSonera/CN=TeliaSonera Root CA v1
-Trustwave Holdings, Inc.
- /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority
- /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority
- /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority
-certSIGN
- /C=RO/O=certSIGN/OU=certSIGN ROOT CA
-e-commerce monitoring GmbH
- /C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020
...and some but not all root certificates from these (the ones without -
are still remaining):
COMODO CA Limited
- /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
Dhimyotis
- /C=FR/O=Dhimyotis/CN=Certigna
/C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA
DigiCert Inc
- /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G3
- /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G3
- /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
Entrust, Inc.
- /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
- /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - EC1
/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
Google Trust Services LLC
/C=US/O=Google Trust Services LLC/CN=GTS Root R1
- /C=US/O=Google Trust Services LLC/CN=GTS Root R2
/C=US/O=Google Trust Services LLC/CN=GTS Root R3
/C=US/O=Google Trust Services LLC/CN=GTS Root R4
QuoVadis Limited
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3
- /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
- /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 G3
SwissSign AG
- /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
/C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1
This is based on changes hitting the Mozilla release branch
https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt
but the individual commits are easier to see here:
https://hg-edge.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt