From Fedora Project Wiki


Latest revision as of 18:49, 26 April 2017

ca-certificates.rpm

This is the home page for the ca-certificates.rpm package included in Fedora. It contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.

For the upstream project, see:

This page documents changes that Fedora applies on top of the upstream trust lists.

Affected Fedora versions

The documentation on this page applies to Fedora 24 and older versions, only.

Fedora 25 (and later) uses the unmodified Mozilla CA list, without these legacy modifications, because the relevant software has been fixed, and the statements in the section "Reason for Modifications in Fedora versions 24 and earlier" no longer apply.

Reason for Modifications in Fedora versions 24 and earlier

Starting with version 2.1 of the package, the set of certificates trusted by default differs from the upstream project, for compatibility reasons.

Certain CA certificates are kept trusted, in order to ensure compatibility for software that cannot automatically find alternative trust chains, such as older versions of OpenSSL and glib-networking. See also these tracking bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1166614 https://bugzilla.gnome.org/show_bug.cgi?id=750457

Note that users/administrators can make use of the ca-legacy command, which changes a systemwide configuration. By executing the command "ca-legacy disable" with root permissions, the Fedora-specific modifications are disabled, and the trust as defined by the upstream Mozilla project is used.

Please note that a CA has three independent trust flags: for web site (TLS) trust, for email protection (e.g. S/MIME), and for code signing. Any combination of the trust flags is possible. For example, a CA might have its trust for TLS removed if the CA claims that all customers have had the chance to migrate to a different set of root CA certificates, while the same CA certificate is still trusted for email protection.
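The fingerprint lines further down this page are hashes over the DER encoding of each certificate, which makes them a convenient way to check whether one of the legacy roots is still present in a trust store, and with which of the three trust flags. The following Python script is an added example; it is not part of this wiki page or of the Fedora ca-certificates package. It encodes the legacy roots as documented in the sections for versions 2.1 to 2.3 below (before the later removals in 2.7 and 2.10), scans a PEM bundle, and reports the effective trust flags both with the legacy configuration enabled and after "ca-legacy disable". The default bundle path /etc/pki/tls/certs/ca-bundle.crt is an assumption about the system layout; pass another path as the first argument otherwise.

```python
"""Audit a PEM CA bundle against the legacy roots documented on this page.

Added example, not part of this wiki page or of the ca-certificates package.
"""
import base64
import hashlib
import re
import sys

TRUST_FLAGS = ("tls", "email", "codesigning")

# Legacy roots as documented in the sections for versions 2.1 to 2.3 on this
# page: SHA-1 fingerprint of the DER certificate, a short name, the trust flags
# kept by the legacy configuration, and the flags left once legacy is disabled.
LEGACY_ROOTS = [
    ("74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2", "VeriSign Class 3 Public Primary CA (serial 70:ba...)", "tls,email,codesigning", "email"),
    ("B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D", "VeriSign Class 2 Public Primary CA - G2", "email,codesigning", "email"),
    ("E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E", "ValiCert Class 1 VA", "tls,email,codesigning", ""),
    ("31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6", "ValiCert Class 2 VA", "tls,email,codesigning", ""),
    ("69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB", "RSA Root Certificate 1 (ValiCert Class 3)", "tls,email,codesigning", ""),
    ("99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39", "Entrust.net Secure Server CA", "tls,email,codesigning", ""),
    ("A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B", "VeriSign Class 3 Public Primary CA (serial 3c:91...)", "tls,email,codesigning", "email"),
    ("87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF", "NetLock Uzleti (Class B)", "tls,email,codesigning", "email"),
    ("E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B", "NetLock Expressz (Class C)", "tls,email,codesigning", "email"),
    ("97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74", "GTE CyberTrust Global Root", "tls,email,codesigning", ""),
    ("23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C", "Thawte Server CA", "tls,codesigning", ""),
    ("62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A", "Thawte Premium Server CA", "tls,codesigning", ""),
    ("85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F", "VeriSign Class 3 Public Primary CA - G2", "tls,email,codesigning", "email"),
    ("DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41", "Equifax Secure eBusiness CA-1", "tls,email,codesigning", "email"),
    ("D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A", "Equifax Secure Certificate Authority", "tls,email,codesigning", "email"),
    ("7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45", "Equifax Secure Global eBusiness CA-1", "tls,email,codesigning", "email"),
]

# Plain CERTIFICATE blocks only: OpenSSL "TRUSTED CERTIFICATE" blocks append
# trust aux data after the DER, which would change the fingerprint.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
FP_RE = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case hex digest over DER bytes, as listed on this page."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def trust_flags(spec):
    """'tls,email,codesigning' -> frozenset of flags; unknown names are rejected."""
    flags = frozenset(f for f in spec.split(",") if f)
    unknown = flags - set(TRUST_FLAGS)
    if unknown:
        raise ValueError("unknown trust flag(s): %s" % ",".join(sorted(unknown)))
    return flags


def validate_table(roots):
    """Sanity-check transcribed fingerprints and flag names; return the entry count."""
    for fp, _name, legacy, latest in roots:
        if not FP_RE.match(fp):
            raise ValueError("malformed SHA-1 fingerprint: %r" % fp)
        if not trust_flags(latest) <= trust_flags(legacy):
            raise ValueError("legacy trust must be a superset of upstream trust: %r" % fp)
    return len(roots)


def audit_bundle(pem_text, legacy_enabled=True, roots=LEGACY_ROOTS):
    """List (name, sha1, effective trust flags) for each legacy root found in the bundle."""
    index = {fp: (name, legacy, latest) for fp, name, legacy, latest in roots}
    found = []
    for der in parse_pem_bundle(pem_text):
        fp = fingerprint(der)
        if fp in index:
            name, legacy, latest = index[fp]
            found.append((name, fp, trust_flags(legacy if legacy_enabled else latest)))
    return found


if __name__ == "__main__":
    # Assumption: the extracted system bundle lives at this path on Fedora.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pki/tls/certs/ca-bundle.crt"
    with open(path) as fh:
        bundle = fh.read()
    validate_table(LEGACY_ROOTS)
    for mode in (True, False):
        print("legacy %s:" % ("enabled" if mode else "disabled"))
        for name, fp, flags in audit_bundle(bundle, mode):
            print("  %-52s %s  trust=%s" % (name, fp, ",".join(sorted(flags)) or "none"))
```

The comparison is purely by fingerprint, so it works on any exported bundle regardless of how the trust store annotates purposes; what it cannot tell you is the purpose flags the local store actually applies, which is exactly why the table carries both the legacy and the upstream flag sets from this page.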

Changes in Version 2.14

For the changes made by upstream in version 2.14, please refer to the NSS 3.30.2 release notes:

* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.2_release_notes

There are no changes to the legacy CA list in Fedora 24 with this update, because the removals made in upstream version 2.12 do not overlap with the legacy CA list.

Version numbers 2.12 and 2.13 have been skipped

Future updates to the CA certificates will use even version numbers. Odd version numbers may be used to identify modified versions on maintenance branches.

Changes in Version 2.11

For the changes made by upstream in version 2.11, please refer to the NSS 3.28.1 release notes:

* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.1_release_notes

There are no changes to the legacy CA list in Fedora 24 with this update, because the removals made in upstream version 2.11 do not overlap with the legacy CA list.

Changes in Version 2.10

For the changes made by upstream in version 2.10, please refer to the NSS 3.27 release notes:

* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27_release_notes

The update to version 2.10 affects five certificates, which had previously been treated as legacy CAs and had previously been kept as trusted in the Fedora package.

In previous versions, Mozilla had only removed a subset of the trust flags from these five certificates, however, in version 2.10 Mozilla removed all remaining trust flags.

They were removed because these CA certificates are no longer under audit. More information can be found in the following bugzilla ticket:

* https://bugzilla.mozilla.org/show_bug.cgi?id=1288250

Consequently, these certificates should no longer be included in the Fedora package and have been removed in version 2.10.

Below are the details of the removed legacy CA certificates:

 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
 # Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
 
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

 # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 4 (0x4)
 # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
 # Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41

 # Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
 # Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
 

Changes in Version 2.9

For the changes made by upstream in version 2.9, please refer to the NSS 3.26 release notes:

* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.26_release_notes

This upstream update did not affect the legacy handling; all upstream changes were used without modifications.

Changes in Version 2.8

For the changes made by upstream in version 2.8, please refer to the NSS 3.25 release notes:

* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.25_release_notes

This upstream update did not affect the legacy handling; all upstream changes were used without modifications.

Changes in Version 2.7

For the changes made by upstream in version 2.7, please refer to the NSS 3.23 release notes:

* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes

The update to version 2.7 affects four certificates, which had previously been treated as legacy CAs and had previously been kept as trusted in the Fedora package.

In previous versions, Mozilla had only removed a subset of the trust flags from these four certificates, however, in version 2.7 Mozilla removed all remaining trust flags.

The removal was based on information provided by the organizations that had issued the certificates, who stated that all of these certificates have been retired, either completely or for public use. More information can be found in the following bugzilla tickets:

* https://bugzilla.mozilla.org/show_bug.cgi?id=1237817
* https://bugzilla.mozilla.org/show_bug.cgi?id=1229885

Consequently, these certificates no longer need to be included in the Fedora package and have been removed in version 2.7.

Below are the details of the removed legacy CA certificates:

 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
 # Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F

 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Wed Aug 02 23:59:59 2028
 # Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
 # Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B

 # Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 105 (0x69)
 # Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:10:22 1999
 # Not Valid After : Wed Feb 20 14:10:22 2019
 # Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
 # Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF

 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:08:11 1999
 # Not Valid After : Wed Feb 20 14:08:11 2019
 # Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
 # Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B
 

Changes in Version 2.6

For the changes made by upstream in version 2.6, please refer to the NSS 3.21 release notes:

Below is the list of CAs that had trust removed in the upstream list version 2.6, but which are kept included in the Fedora package.

  • Equifax Secure Certificate Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
 

No legacy changes in Version 2.5

For the changes made by upstream in version 2.5, please refer to the NSS 3.19.3 release notes:

This upstream update did not affect the legacy handling; all upstream changes were used without modifications.

Changes in Version 2.4

For the changes made by upstream in version 2.4, please refer to the NSS 3.18.1 release notes:

One legacy CA certificate, which had been removed in upstream version 2.3, was added back as trusted in upstream version 2.4.

This means that the following CA certificate is no longer in the legacy state, but has been returned to the normal state.

  • Equifax Secure Certificate Authority
    • latest trust: tls, email, codesigning
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
 

Changes in Version 2.3

For the changes made by upstream in version 2.3, please refer to the NSS 3.18 release notes:

Please also note the corrections mentioned in the sections for versions 2.1 and 2.2 on this page (the removal of the America Online roots and the addition of the NetLock roots), which are included in Fedora version 2.3 of this package.

Below is the list of CAs that had trust removed in the upstream list version 2.3, but which are kept included in the Fedora package.

  • Equifax Secure Certificate Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
 
  • Equifax Secure Global eBusiness CA-1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
 # Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
 

Changes in Version 2.2

For the changes made by upstream in version 2.2, please refer to the NSS 3.17.3 release notes:

Below is the list of CAs that had trust removed in the upstream list version 2.2, but which are kept included in the Fedora package.

  • GTE CyberTrust Global Root
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
 # Serial Number: 421 (0x1a5)
 # Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
 # Not Valid Before: Thu Aug 13 00:29:00 1998
 # Not Valid After : Mon Aug 13 23:59:00 2018
 # Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
 # Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
 
  • Thawte Server CA
    • legacy trust: tls, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
 # Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
 
  • Thawte Premium Server CA
    • legacy trust: tls, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
 # Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
 
  • Verisign Class 3 Public Primary Certification Authority - G2
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
 # Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
 
  • Equifax Secure eBusiness CA 1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 4 (0x4)
 # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
 # Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
 

Previously, this page said to keep two America Online roots included, and versions 2.1 and 2.2 of the Fedora package still included them. However, those roots were not removed as part of removing 1024-bit roots; rather, they were retired for different reasons. Therefore, these America Online roots are no longer included as part of the 1024-bit legacy roots. They have been completely removed in version 2.3 of the Fedora root CA update.

* America Online Root Certification Authority 1

# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A

* America Online Root Certification Authority 2

# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84

Changes in Version 2.1

For the changes made by upstream in version 2.1, please refer to the NSS 3.16.3 release notes and the amendments in the NSS 3.16.4 release notes (which revert one of the changes):

See also: https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/

Below is the list of CAs that had trust removed in the upstream list version 2.1, but which are kept included in the Fedora package. (See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1144808 )

  • Verisign Class 3 Public Primary Certification Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
 
  • Verisign Class 2 Public Primary Certification Authority - G2
    • legacy trust: email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
 # Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
 
  • ValiCert Class 1 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Fri Jun 25 22:23:48 1999
 # Not Valid After : Tue Jun 25 22:23:48 2019
 # Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
 # Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
 
  • ValiCert Class 2 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Sat Jun 26 00:19:54 1999
 # Not Valid After : Wed Jun 26 00:19:54 2019
 # Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
 # Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
 
  • RSA Root Certificate 1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Sat Jun 26 00:22:33 1999
 # Not Valid After : Wed Jun 26 00:22:33 2019
 # Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
 # Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
 
  • Entrust.net Secure Server CA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
 # Serial Number: 927650371 (0x374ad243)
 # Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
 # Not Valid Before: Tue May 25 16:09:40 1999
 # Not Valid After : Sat May 25 16:39:40 2019
 # Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
 # Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
 
  • Verisign Class 3 Public Primary Certification Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Wed Aug 02 23:59:59 2028
 # Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
 # Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
 

The following two 1024-bit NetLock roots, which had some of their trust removed by Mozilla in version 2.1, were missed when preparing the Fedora packages for versions 2.1 and 2.2. They have been included with legacy status from version 2.3 of the Fedora package onward.

  • NetLock Uzleti (Class B) Tanusitvanykiado
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 105 (0x69)
 # Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:10:22 1999
 # Not Valid After : Wed Feb 20 14:10:22 2019
 # Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
 # Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF
 
  • NetLock Expressz (Class C) Tanusitvanykiado
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:08:11 1999
 # Not Valid After : Wed Feb 20 14:08:11 2019
 # Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
 # Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B