On 2020/06/02 21:38, Bob Beck wrote:
> On Mon, Jun 01, 2020 at 06:04:17PM +0100, Stuart Henderson wrote:
> > OK to drop the expired AddTrust cert from cert.pem?
>
> yes, thanks.
>
> > I checked against the firefox set, there are no new/removed certs that
> > work with libressl there. There are now two with GENERALIZEDTIME notAfter
> > dates from before 2050 that don't work though (I only remember seeing one
> > of those when I last looked).. but that is a separate issue.
> >
> > /C=EE/O=AS Sertifitseerimiskeskus/CN=EE Certification Centre Root
> > CA/emailAddress=p...@sk.ee
> > /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification
> > Authority/CN=Certum Trusted Network CA 2
>
> I suspect these can safely be dropped too.
I haven't included them anyway because they don't work with libressl.

btw Mozilla knew about this at least when they added the Certum one, https://bugzilla.mozilla.org/show_bug.cgi?id=999378#c30

"mozilla::pkix does not enforce this rule about when Generalized Time may be used. If we decide to add code to enforce this rule, it will be for certificates created after a certain date (definitely later than 2013)"

Not sure what the Certum one is used for, the p...@sk.ee one is kinda important, it's used for https://en.wikipedia.org/wiki/Estonian_identity_card
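The rule the thread refers to is RFC 5280 section 4.1.2.5: Validity times through 2049 must be encoded as UTCTime, and GeneralizedTime is only permitted for 2050 and later. The following is an added example (not code from this thread, LibreSSL or Mozilla) that decodes a DER Validity sequence by hand and flags a notAfter that uses GeneralizedTime for a pre-2050 date; the sample Validity values are constructed here, not taken from the two roots mentioned above.

```python
# RFC 5280 4.1.2.5: Validity dates before 2050 MUST be UTCTime (tag 0x17);
# GeneralizedTime (tag 0x18) is only for 2050 and later.  Hand-rolled DER
# parsing, so this runs offline with no third-party libraries.
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x17, 0x18, 0x30

def _read_tlv(der, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def decode_time(tag, value):
    """Decode a DER UTCTime / GeneralizedTime value (Zulu form) to a UTC datetime."""
    text = value.decode("ascii")
    if tag == UTCTIME:                       # YYMMDDHHMMSSZ: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy:04d}{text[2:]}"
    elif tag != GENERALIZEDTIME:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_validity(der):
    """Return the RFC 5280 time-encoding violations in a DER Validity SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    problems, pos = [], 0
    for name in ("notBefore", "notAfter"):
        t, v, pos = _read_tlv(body, pos)
        year = decode_time(t, v).year
        if t == GENERALIZEDTIME and year < 2050:
            problems.append(f"{name} uses GeneralizedTime for {year} (must be UTCTime before 2050)")
    return problems

def _der(tag, payload):
    """Short-form DER TLV, enough for the small Validity values built below."""
    return bytes([tag, len(payload)]) + payload

def der_time(dt):
    """Encode dt the way RFC 5280 requires: UTCTime before 2050, else GeneralizedTime."""
    if dt.year < 2050:
        return _der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _der(GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ").encode())

# Constructed samples: a conforming Validity, one with the pre-2050 GeneralizedTime
# notAfter the thread describes, and one whose notAfter legitimately lies in 2060.
GOOD_VALIDITY = _der(SEQUENCE, der_time(datetime(2020, 6, 1)) + der_time(datetime(2030, 6, 1)))
BAD_VALIDITY = _der(SEQUENCE, der_time(datetime(2010, 6, 1)) + _der(GENERALIZEDTIME, b"20300601000000Z"))
FAR_VALIDITY = _der(SEQUENCE, der_time(datetime(2020, 6, 1)) + der_time(datetime(2060, 6, 1)))
```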