From Fedora Project Wiki


Revision as of 11:33, 24 March 2015

ca-certificates.rpm

This is the home page for the ca-certificates.rpm package included in Fedora. It contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.

For the upstream project, see:

This page documents changes that Fedora applies on top of the upstream trust lists.


Reason for Modifications

Starting with version 2.1 of the package, the set of certificates trusted by default differs from the upstream project, for compatibility reasons.

Certain CA certificates are kept trusted, in order to ensure compatibility for software that cannot automatically find alternative trust chains, such as OpenSSL. See also this tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1166614

Note that users/administrators can make use of the ca-legacy command, which changes a systemwide configuration. By executing the command "ca-legacy disable" with root permissions, the Fedora specific modifications will be disabled, and the trust as defined by the upstream Mozilla project is used.

Please note that a CA has three independent trust flags, for web sites (TLS) trust, for email protection (e.g. S/MIME), and for code signing. Any combination of the trust flags is possible. For example, a CA might have its trust for TLS removed, if the CA claims that all customers have had the chance to be migrated to a different set of root CA certificates, but the same CA certificate might still be trusted for email protection.
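The practical question behind the trust-flag discussion above is: for a given root in this list, which purposes is my system actually trusting it for right now, with the Fedora override enabled or after "ca-legacy disable", and has the certificate already expired anyway? The following Python script is an added example, not part of the wiki page or of the ca-certificates package. It parses entries written in the layout this page uses (a bulleted name, the two trust lines, and the "# Key: Value" comment lines copied from the NSS certdata) and reports the effective trust. The SAMPLE text is a constructed test input assembled from three entries on this page, with some comment lines omitted for brevity.

```python
"""Audit legacy CA roots written in the layout used on this wiki page."""
from datetime import datetime

# Constructed sample input: three entries in the page's layout (values copied
# from the lists on this page; several comment lines omitted). Not the live
# contents of the ca-certificates package.
SAMPLE = """\
  • GTE CyberTrust Global Root
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
 # Serial Number: 421 (0x1a5)
 # Not Valid Before: Thu Aug 13 00:29:00 1998
 # Not Valid After : Mon Aug 13 23:59:00 2018
 # Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74

  • Verisign Class 3 Public Primary Certification Authority - G2
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F

  • ValiCert Class 1 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Not Valid After : Tue Jun 25 22:23:48 2019
 # Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
"""

BULLET = "\u2022"  # the "•" marker used for list items on the page


def _parse_trust(value):
    """Turn 'tls, email, codesigning' / 'none' / '(none)' into a set of flags."""
    value = value.strip().strip("()")
    if value in ("", "none"):
        return frozenset()
    return frozenset(part.strip() for part in value.split(","))


def parse_roots(text):
    """Parse the page layout into a list of dicts: name, legacy, latest, fields."""
    roots = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BULLET):
            body = line[1:].strip()
            if body.startswith("legacy trust:"):
                current["legacy"] = _parse_trust(body.split(":", 1)[1])
            elif body.startswith("latest trust"):
                # key is 'latest trust (if legacy disabled)', value follows the colon
                current["latest"] = _parse_trust(body.split(":", 1)[1])
            else:
                current = {"name": body, "legacy": frozenset(),
                           "latest": frozenset(), "fields": {}}
                roots.append(current)
        elif line.startswith("#"):
            # certdata comment: '# Not Valid After : ...', '# Serial Number:7d:...'
            key, _, value = line[1:].partition(":")
            current["fields"][key.strip()] = value.strip()
    return roots


def effective_trust(root, legacy_enabled):
    """Flags the system grants: the Fedora override while ca-legacy is enabled,
    the upstream Mozilla flags once 'ca-legacy disable' has been run."""
    return root["legacy"] if legacy_enabled else root["latest"]


def expired(root, as_of_iso):
    """True if the certdata 'Not Valid After' date lies before the given ISO date."""
    not_after = root["fields"].get("Not Valid After")
    if not_after is None:
        return False
    return (datetime.strptime(not_after, "%a %b %d %H:%M:%S %Y")
            < datetime.fromisoformat(as_of_iso))


def tls_trusted(roots, legacy_enabled, as_of_iso):
    """Names of roots that can still anchor a TLS chain on the given date."""
    return [r["name"] for r in roots
            if "tls" in effective_trust(r, legacy_enabled)
            and not expired(r, as_of_iso)]


def lookup_by_sha1(roots, fingerprint):
    """Find an entry by its colon-separated SHA1 fingerprint (case-insensitive)."""
    wanted = fingerprint.replace(" ", "").upper()
    for r in roots:
        if r["fields"].get("Fingerprint (SHA1)", "").upper() == wanted:
            return r
    return None


if __name__ == "__main__":
    parsed = parse_roots(SAMPLE)
    for setting in (True, False):
        print("ca-legacy", "enabled " if setting else "disabled",
              "-> TLS anchors on 2015-03-24:",
              tls_trusted(parsed, setting, "2015-03-24"))
```

Running the script shows the difference the ca-legacy setting makes: with the override enabled all three sample roots are usable TLS anchors on the page's revision date, while after "ca-legacy disable" none of them is, because the upstream flags leave only e-mail trust (or nothing). Rerunning with a later date also makes the expiry of the GTE and ValiCert roots visible, which is the other reason these legacy entries eventually stop mattering.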

Changes in Version 2.2

For the changes made by upstream in version 2.2, please refer to the NSS 3.17.3 release notes:

Below is the list of CAs that had trust removed in the upstream list version 2.2, but which are kept included in the Fedora package.

  • GTE CyberTrust Global Root
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
 # Serial Number: 421 (0x1a5)
 # Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
 # Not Valid Before: Thu Aug 13 00:29:00 1998
 # Not Valid After : Mon Aug 13 23:59:00 2018
 # Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
 # Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
 
  • Thawte Server CA
    • legacy trust: tls, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
 # Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
 
  • Thawte Premium Server CA
    • legacy trust: tls, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
 # Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
 
  • Verisign Class 3 Public Primary Certification Authority - G2
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
 # Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
 
  • Equifax Secure eBusiness CA 1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 4 (0x4)
 # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
 # Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
 

Previously, this page said to keep two America Online roots included, and versions 2.1 and 2.2 of the Fedora package still included them. However, those roots were not removed as part of the removal of 1024-bit roots; they were retired for different reasons. Therefore, these America Online roots are no longer included as part of the 1024-bit legacy roots. They have been completely removed in version 2.3 of the Fedora root CA update.

  • America Online Root Certification Authority 1
 # Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
 
  • America Online Root Certification Authority 2
 # Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84

Changes in Version 2.1

For the changes made by upstream in version 2.1, please refer to the NSS 3.16.3 release notes and the amendments in the NSS 3.16.4 release notes (which revert one of the changes):

See also: https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/

Below is the list of CAs that had trust removed in the upstream list version 2.1, but which are kept included in the Fedora package. (See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1144808 )

  • Verisign Class 3 Public Primary Certification Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
 
  • Verisign Class 2 Public Primary Certification Authority - G2
    • legacy trust: email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
 # Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
 
  • ValiCert Class 1 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Fri Jun 25 22:23:48 1999
 # Not Valid After : Tue Jun 25 22:23:48 2019
 # Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
 # Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
 
  • ValiCert Class 2 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Sat Jun 26 00:19:54 1999
 # Not Valid After : Wed Jun 26 00:19:54 2019
 # Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
 # Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
 
  • RSA Root Certificate 1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Sat Jun 26 00:22:33 1999
 # Not Valid After : Wed Jun 26 00:22:33 2019
 # Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
 # Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
 
  • Entrust.net Secure Server CA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
 # Serial Number: 927650371 (0x374ad243)
 # Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
 # Not Valid Before: Tue May 25 16:09:40 1999
 # Not Valid After : Sat May 25 16:39:40 2019
 # Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
 # Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
 
  • Verisign Class 3 Public Primary Certification Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Wed Aug 02 23:59:59 2028
 # Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
 # Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B