The whole SSL certificate verification process depends upon finding a
trusted root certificate that signed the next certificate up the chain,
and so on.  But who chooses those trusted roots?  

The answer is the author of the application that accepts an SSL
certificate, or maybe the operating system the application is running
on, or the SSL library used to build the application. 

The bad news is that root certificates come and go, old roots stop
being accepted for various reasons, and new roots are introduced for
new security standards or new businesses.  

Historically most roots were RSA Sha1 digest signed and most still are,
despite Sha1 being banned for new certificates.  Increasingly Sha256
and ECC root certificates are being introduced and required by new
intermediate certificates.

So SSL trusted root certificate bundles and always changing, annually
perhaps for major changes, although Microsoft officially Windows roots
every two months.  

So there is a maintenance issue with root bundles, choosing what to
include and keeping them updated. Another developer got frustrated with
updating roots, and created a Git repository:

which contains a few hundred root certificates and lists of which trust
store contain which roots, currently listing Apple iOS and macOS (173),
Google (135), Microsoft Windows (294) and Mozilla (133). 

For the last few years, I have been manually updating three trust
stores for ICS:

1 - TrustedCABundle.pem is a small root certificate bundle, currently
52 roots, included in the Samples/Delphi/SslInternet/ directory.
Applications needing to check root certificates can copy this file. 

2 - A smaller list of 34 hard coded roots in
OverbyteIcsSslX509Utils.pas that allows major roots to be checked
without needing to include an extra external file in applications. 

3 - RootCaCertsBundle.pem which I distribute with my own applications,
and is a much larger root certificate bundle, about 280 roots including
many country specific roots, created using the PemTool by extracting
Windows root certificates.   I've added this to the ICS V8.53 for those
that need more roots. 

I'm now looking at a better way of maintaining the ICS root stores,
probably by using Trust Stores Observatory data, although it's
difficult to choose which root store to use, all contain more than our
smallest store.  

There have been changes to all three of these root store this year,
adding new root certificates.  ICS V8.52 added DigiCert Global Root G2
and G3 root certificates. DigiCert now owns Symantec, Thawte, RapidSSL,
Geotrust and existing certificates are being re-issued signed by
DigiCert roots, so older root stores will stop trusted them.  ICS V8.53
last week added GlobalSign Root CA - R2 and GlobalSign ECC Root CA - R5
root certificates, the R2 root is old but was missing from our smaller
stores and is now used by Google. 

So updating your root stores is important, if you don't want your
applications to stop trusting lots of common web sites. 



To unsubscribe or change your settings for TWSocket mailing list
please goto
Visit our website at

Reply via email to