From Fedora Project Wiki

Revision as of 22:31, 10 July 2015 by Catanzaro (talk | contribs) (Mention glib-networking alongside openssl as packages with compatibility issues)

ca-certificates.rpm

This is the home page for the ca-certificates.rpm package included in Fedora. It contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.

For the upstream project, see:

This page documents changes that Fedora applies on top of the upstream trust lists.


Reason for Modifications

Starting with version 2.1 of the package, the set of certificates trusted by default differs from the upstream project, for compatibility reasons.

Certain CA certificates are kept trusted, in order to ensure compatibility for software that cannot automatically find alternative trust chains, such as OpenSSL and glib-networking. See also these tracking bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1166614 https://bugzilla.gnome.org/show_bug.cgi?id=750457

Note that users/administrators can make use of the ca-legacy command, which changes a systemwide configuration. By executing the command "ca-legacy disable" with root permissions, the Fedora specific modifications will be disabled, and the trust as defined by the upstream Mozilla project is used.

Please note that a CA has three independent trust flags, for web sites (TLS) trust, for email protection (e.g. S/MIME), and for code signing. Any combination of the trust flags is possible. For example, a CA might have its trust for TLS removed, if the CA claims that all customers have had the chance to be migrated to a different set of root CA certificates, but the same CA certificate might still be trusted for email protection.

Changes in Version 2.4

For the changes made by upstream in version 2.4, please refer to the NSS 3.18.1 release notes:

One legacy CA certificate, which had been removed in upstream version 2.3, was added back as trusted in upstream version 2.4.

This means, the following CA certificate is no longer in the legacy state, but has been returned to the normal state.

  • Equifax Secure Certificate Authority
    • latest trust: tls, email, codesigning
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
 

Changes in Version 2.3

For the changes made by upstream in version 2.3, please refer to the NSS 3.18 release notes:

Please pay attention to the fixes mentioned in the sections 2.1 and 2.2 on this page, but which are included in the Fedora version 2.3 of this package.

Below is the list of CAs that had trust removed in the upstream list version 2.3, but which are kept included in the Fedora package.

  • Equifax Secure Certificate Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
 
  • Equifax Secure Global eBusiness CA-1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
 # Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
 

Changes in Version 2.2

For the changes made by upstream in version 2.2, please refer to the NSS 3.17.3 release notes:

Below is the list of CAs that had trust removed in the upstream list version 2.2, but which are kept included in the Fedora package.

  • GTE CyberTrust Global Root
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
 # Serial Number: 421 (0x1a5)
 # Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
 # Not Valid Before: Thu Aug 13 00:29:00 1998
 # Not Valid After : Mon Aug 13 23:59:00 2018
 # Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
 # Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
 
  • Thawte Server CA
    • legacy trust: tls, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
 # Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
 
  • Thawte Premium Server CA
    • legacy trust: tls, codesigning
    • latest trust (if legacy disabled): none
 # Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
 # Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
 
  • Verisign Class 3 Public Primary Certification Authority - G2
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
 # Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
 
  • Equifax Secure eBusiness CA 1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 4 (0x4)
 # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
 # Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
 

Previously, this page said to keep two America Online roots included, and versions 2.1 and 2.2 of the Fedora package still included them. However, those roots weren't removed as part of removing 1024-bit roots, rather, they were retired for different reasons. Thefore, these America Online roots are no longer included as part of the 1024-bit legacy roots. They have been completely removed in version 2.3 of the Fedora root CA update.

* America Online Root Certification Authority 1

# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A

* America Online Root Certification Authority 2

# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84

Changes in Version 2.1

For the changes made by upstream in version 2.1, please refer to the NSS 3.16.3 releases and the amendments in the NSS 3.16.4 release notes (which reverts one of the changes):

See also: https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/

Below is the list of CAs that had trust removed in the upstream list version 2.1, but which are kept included in the Fedora package. (See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1144808 )

  • Verisign Class 3 Public Primary Certification Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
 
  • Verisign Class 2 Public Primary Certification Authority - G2
    • legacy trust: email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
 # Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
 
  • ValiCert Class 1 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Fri Jun 25 22:23:48 1999
 # Not Valid After : Tue Jun 25 22:23:48 2019
 # Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
 # Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
 
  • ValiCert Class 2 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Sat Jun 26 00:19:54 1999
 # Not Valid After : Wed Jun 26 00:19:54 2019
 # Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
 # Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
 
  • RSA Root Certificate 1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Sat Jun 26 00:22:33 1999
 # Not Valid After : Wed Jun 26 00:22:33 2019
 # Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
 # Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
 
  • Entrust.net Secure Server CA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
 # Serial Number: 927650371 (0x374ad243)
 # Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
 # Not Valid Before: Tue May 25 16:09:40 1999
 # Not Valid After : Sat May 25 16:39:40 2019
 # Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
 # Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
 
  • Verisign Class 3 Public Primary Certification Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Wed Aug 02 23:59:59 2028
 # Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
 # Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
 

The following two 1024-bit NetLock roots, which had some of their trust removed by Mozilla in version 2.1, were missed when preparing the fedora packages for versions 2.1 and 2.2. They have been included with legacy status from version 2.3 of the fedora package.

  • NetLock Uzleti (Class B) Tanusitvanykiado
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 105 (0x69)
 # Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:10:22 1999
 # Not Valid After : Wed Feb 20 14:10:22 2019
 # Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
 # Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF
 
  • NetLock Expressz (Class C) Tanusitvanykiado
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:08:11 1999
 # Not Valid After : Wed Feb 20 14:08:11 2019
 # Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
 # Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B