1.28 | 27-Nov-2023 | tb
Regen cert.pem
ok sthen
New Roots for existing CA:
/CN=Atos TrustedRoot Root CA ECC TLS 2021/O=Atos/C=DE
/CN=Atos TrustedRoot Root CA RSA TLS 2021/O=Atos/C=DE
New CA: BEIJING CERTIFICATE AUTHORITY
/C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA1
/C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA2
Two E-Tugra roots were removed due to a breach:
/C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA ECC v3
/C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA RSA v3
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
Removed expired root: /C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1
Removed expired CA: SECOM Trust.net /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
New CA: Sectigo Limited
/C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root E46
/C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root R46
New roots for existing CA:
/C=US/O=SSL Corporation/CN=SSL.com TLS ECC Root CA 2022
/C=US/O=SSL Corporation/CN=SSL.com TLS RSA Root CA 2022

1.27 | 27-Nov-2023 | tb
Remove some trailing whitespace
x509_prn.c r1.6 changed the output of 'openssl -in foo.pem -noout -text' by removing trailing whitespace from non-critical certificate extensions. Committing the difference now to reduce noise in an upcoming diff.
There's some trailing whitespace remaining. That's because we try to print a BMPString in a User Notice's Explicit Text with "%*s". That doesn't work so well with an encoding full of NULs...
Revision tags: OPENBSD_7_4_BASE

1.26 | 06-May-2023 | tb
Regen cert.pem
This drops a few certs per the CA's request and TrustCor because of drama. Certainly, a new CA, is added as well as new certs for DigiCert, SECOM and E-Tugra. Unizeto still haven't fixed one of their certs and we still don't want the alternative Firmaprofesional with sha1WithRSAEncryption.
ok sthen
Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE

1.25 | 11-Jul-2022 | sthen
Sync cert.pem with certdata.txt from the NSS release branch. OK tb@ bcook@
remove (expired):
/O=Cybertrust, Inc/CN=Cybertrust Global Root
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
remove:
/C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC
/C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
add new root (existing CAs):
/C=TW/O=Chunghwa Telecom Co., Ltd./CN=HiPKI Root CA - G1
/C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 1 2020
/C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 1 2020
/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021
/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS RSA Root CA 2021
/C=US/O=Internet Security Research Group/CN=ISRG Root X2
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
add (new CAs):
/C=TN/O=Agence Nationale de Certification Electronique/CN=TunTrust Root CA
/serialNumber=G63287510/C=ES/O=ANF Autoridad de Certificacion/OU=ANF CA Raiz/CN=ANF Secure Server Root CA
/C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum EC-384 CA
/C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum Trusted Root CA
/C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020
/C=CN/O=iTrusChina Co.,Ltd./CN=vTrus ECC Root CA
/C=CN/O=iTrusChina Co.,Ltd./CN=vTrus Root CA
/C=FI/O=Telia Finland Oyj/CN=Telia Root CA v2
replace with another cert with same CN (SHA1 vs SHA256):
/C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Revision tags: OPENBSD_7_0_BASE OPENBSD_7_1_BASE

1.24 | 30-Sep-2021 | deraadt
delete expired DST Root CA X3 to work around bugs in various libraries ok sthen, beck, jsing, tb, etc etc

1.23 | 11-Jun-2021 | sthen
sync cert.pem with Mozilla's CA list generated from certdata.txt (certificates with the "server auth" trust purpose permitted). ok tb@
-AC Camerfirma S.A.
- /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
- /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008
-
 FNMT-RCM
  /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
+ /C=ES/O=FNMT-RCM/OU=Ceres/2.5.4.97=VATES-Q2826004J/CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS
-GeoTrust Inc.
- /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
- /C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2
-
 GlobalSign nv-sa
+ /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root E46
+ /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root R46
  /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 Staat der Nederlanden
  /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
- /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
 Unizeto Technologies S.A.
  /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
+ /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
-
-VeriSign, Inc.
- /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
(Note, "Staat der Nederlanden Root CA - G3" was changed to email trust only, so is removed from this due to it only listing "server auth" purposes).
Revision tags: OPENBSD_6_9_BASE

1.22 | 12-Feb-2021 | sthen
branches: 1.22.2; Sync cert.pem with Mozilla NSS root CAs, except "GeoTrust Global CA", ok tb@
Notably this update removes various old Symantec roots (GeoTrust, thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021. Nobody should have been using these for years; only certain subCAs signed by these were valid in NSS in that time due to an exemption: https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec Notably Apple's "Apple IST CA 2 - G1" which is still in use for some endpoints (it is cross signed by another CA too but these endpoints are publishing the GeoTrust intermediate cert).
So for now I have skipped removal of "GeoTrust Global CA" to avoid affecting these sites. Debian ran into this when they updated their cert database and had to back this part out, affected sites are not reachable on Android Firefox and maybe other newer Firefoxes. Some sites that were affected have moved to a different CA in the last few days but others, notably api.push.apple.com, remain (I can only guess that there is a complicated problem involved, possibly cert pinning on old devices - the clock is ticking though as this expires in May 2022 anyway ;)
Additions:
/C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2
/C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017
/C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority
Removals:
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=TW/O=Government Root Certification Authority
/C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2
/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
Revision tags: OPENBSD_6_8_BASE

1.21 | 01-Jun-2020 | sthen
branches: 1.21.4; Remove expired certificate, ok tb@ /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Revision tags: OPENBSD_6_7_BASE

1.20 | 10-Apr-2020 | sthen
sync cert.pem with Mozilla's root ca list, ok beck@
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE

1.19 | 04-Apr-2019 | sthen
update root CAs in cert.pem in sync with Mozilla ok millert@

1.18 | 16-Dec-2018 | sthen
Regenerate root CA list using updated format-pem.pl. Specifically this drops CA certificates whose validity dates don't comply with the rules on ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at least RFC 2459, section 4.1.2.5).
LibreSSL strictly enforces this, so attempting to validate certificates signed by these CAs just results in the following:
error 13 at 1 depth lookup:format error in certificate's notBefore field
"probably" beck@
Revision tags: OPENBSD_6_4_BASE

1.17 | 12-Sep-2018 | sthen
sync with mozilla-release (one removal, TURKTRUST, more details at https://bugzilla.mozilla.org/show_bug.cgi?id=1439127)
ok danj guenther millert
Revision tags: OPENBSD_6_3_BASE

1.16 | 21-Mar-2018 | sthen
Full sync of CA list with Mozilla's.
Produced using curl's make-ca-bundle.pl and then reformatted with our format-pem.pl from: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
OK benno@. juanfra agrees with syncing with Mozilla. No objections received.
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE

1.15 | 24-Feb-2017 | sthen
Add the following root CAs, from SECOM Trust Systems / Security Communication of Japan, they are present in Mozilla's CA store. OK ajacoutot@
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2
/C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1

1.14 | 01-Jan-2017 | sthen
Various work on cert.pem, ok bcook@
- print/sort using the full certificate subject rather than a pretty-printed subset (as done in the current version of format-pem.pl); previously this was resulting in a problem where a CN conflict resulted in the GlobalSign R2 CA accidentally getting dropped in r1.10; problem found by Steven McDonald
- remove CA certificates that are no longer present in the CA store of the release branch of Mozilla - possible now that libressl has support for alternate chains (libcrypto/x509/x509_vfy.c r1.52)
- add new CA certificates from Mozilla's store from those organisations which we already list

1.13 | 04-Sep-2016 | sthen
Add ISRG Root X1, the letsencrypt CA root. This is now included in its own right in Mozilla's CA list, rather than relying on IdenTrust cross-signing. ok beck@ jca@
Revision tags: OPENBSD_6_0_BASE

1.12 | 25-May-2016 | jsg
use -nameopt esc_msb so "NetLock Kft" cert has the non-ascii and non-utf8 bytes escaped.
ok sthen@
Revision tags: OPENBSD_5_9_BASE

1.11 | 17-Feb-2016 | sthen
Sync some root certificates with Mozilla's cert store. ok bcook@
- Add new root certificates present in Mozilla cert store from CA organizations who are already in cert.pem (AddTrust, Comodo, DigiCert, Entrust, GeoTrust, USERTrust).
- Replace Startcom's root with their updated sha256 version present in Mozilla cert store. (They maintained serial# etc so this is still valid for existing signed certificates).
- Add two root certificates from CA not previously present: "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority" "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
We are still listing some certificates that have been removed from Mozilla's store (1024-bit etc) however these cannot be removed until cert validation is improved (we don't currently accept a certificate as valid unless the CA is at the end of a chain).

1.10 | 01-Feb-2016 | sthen
Sort cert.pem alphabetically, first by organisation, then by CA name (CN if available, otherwise OU).
Add a comment identifying the org. Now to get an easy-to-read list of certificates in the file you can use "grep ^[#=] cert.pem".
Prepared with https://spacehopper.org/format-pem.20160201. If you would like to verify this commit to ensure that I didn't sneak in any other changes, it will be easier to use the script rather than do it by hand.

1.9 | 31-Jan-2016 | sthen
Revamp cert.pem certificate information formatting. Skip headers which aren't really useful (the information can be obtained by feeding the cert into "openssl x509 -in filename -text") and add a separator between certs showing the CA's CN or OU (similar to the display format in web browsers). Include both SHA1 and SHA256 fingerprints for all certificates.
ok beck@ zhuk@ jung@

1.8 | 15-Dec-2015 | sthen
Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from cert.pem. ok rpe@
Symantec/VeriSign say "Browsers/root store operators are encouraged to remove/untrust this root from their root stores" and "hasn't been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers' legacy, non-public applications" (https://www.symantec.com/page.jsp?id=roots, http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/).
Also see
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941 https://googleonlinesecurity.blogspot.co.uk/2015/12/proactive-measures-in-digital.html

1.7 | 07-Dec-2015 | sthen
Add root certificate for COMODO RSA Certification Authority, ok beck@
In some cases sites signed by this are covered by the old "AddTrust External CA Root" that we already had, but that depends on the site sending a fairly large chain of intermediate certificates which most aren't doing (because there's no need because this newer one is in browser stores..).

1.6 | 16-Nov-2015 | sthen
add QuoVadis root certificates, present in Mozilla/Chrome/Apple/Windows/etc req by and OK dlg, no objections in 5 days

1.5 | 13-Sep-2015 | sthen
Add Certplus CA root certificate: C=FR, O=Certplus, CN=Class 2 Primary CA
req by beck@, ok miod@ beck@
Revision tags: OPENBSD_5_8_BASE

1.4 | 20-Jul-2015 | steven
branches: 1.4.4; add NetLock Kft. CA root certificate, already present in web browsers and needed for fetching ports distfiles. ok sthen@

1.3 | 17-Jun-2015 | sthen
add DST Root CA X3 certificate, already present in most browser cert stores. "O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing the issuing intermediates for letsencrypt.org so is expected to be important for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@

1.2 | 04-May-2015 | sthen
Add SwissSign CA root certificates. Requested by robert@, ok dcoppa@ aja@ miod@
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE

1.1 | 11-Apr-2014 | miod
Move build machinery for libcrypto from libssl/crypto to libcrypto, as well as configuration files; split manpages and .pc files between libcrypto and libssl. No functional change, only there to make engineering easier, and libcrypto sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|
#
1.26 |
|
06-May-2023 |
tb |
Regen cert.pem
This drops a few certs per the CA's request and TrustCor because of drama. Certainly, a new CA, is added as well as new certs for DigiCert, SECOM and E-Tugra. Unizeto still haven't fixed one of their certs and we still don't want the alternative Firmaprofesional with sha1WithRSAEncryption.
ok sthen
|
Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE
|
#
1.25 |
|
11-Jul-2022 |
sthen |
Sync cert.pem with certdata.txt from the NSS release branch. OK tb@ bcook@
remove (expired): /O=Cybertrust, Inc/CN=Cybertrust Global Root /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
remove: /C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
add new root (existing CAs): /C=TW/O=Chunghwa Telecom Co., Ltd./CN=HiPKI Root CA - G1 /C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 1 2020 /C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 1 2020 /C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021 /C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS RSA Root CA 2021 /C=US/O=Internet Security Research Group/CN=ISRG Root X2 /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
add (new CAs): /C=TN/O=Agence Nationale de Certification Electronique/CN=TunTrust Root CA /serialNumber=G63287510/C=ES/O=ANF Autoridad de Certificacion/OU=ANF CA Raiz/CN=ANF Secure Server Root CA /C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum EC-384 CA /C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum Trusted Root CA /C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020 /C=CN/O=iTrusChina Co.,Ltd./CN=vTrus ECC Root CA /C=CN/O=iTrusChina Co.,Ltd./CN=vTrus Root CA /C=FI/O=Telia Finland Oyj/CN=Telia Root CA v2
replace with another cert with same CN (SHA1 vs SHA256): /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
|
Revision tags: OPENBSD_7_0_BASE OPENBSD_7_1_BASE
|
#
1.24 |
|
30-Sep-2021 |
deraadt |
delete expired DST Root CA X3 to work around bugs various libraries ok sthen, beck, jsing, tb, etc etc
|
#
1.23 |
|
11-Jun-2021 |
sthen |
sync cert.pem with Mozilla's CA list generated from certdata.txt (certificates with the "server auth" trust purpose permitted). ok tb@
-AC Camerfirma S.A. - /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008 - /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008 -
FNMT-RCM /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM + /C=ES/O=FNMT-RCM/OU=Ceres/2.5.4.97=VATES-Q2826004J/CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS
-GeoTrust Inc. - /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA - /C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2 -
GlobalSign nv-sa + /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root E46 + /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root R46 /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
Staat der Nederlanden /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA - /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
Unizeto Technologies S.A. /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA + /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2 - -VeriSign, Inc. - /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
(Note, "Staat der Nederlanden Root CA - G3" was changed to email trust only, so is removed from this due to it only listing "server auth" purposes).
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.22 |
|
12-Feb-2021 |
sthen |
branches: 1.22.2; Sync cert.pem with Mozilla NSS root CAs, except "GeoTrust Global CA", ok tb@
Notably this update removes various old Symantec roots (GeoTrust, thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021. Nobody should have been using these for years; only certain subCAs signed by these were valid in NSS in that time due to an exemption: https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec Notably Apple's "Apple IST CA 2 - G1" which is still in use for some endpoints (it is cross signed by another CA too but these endpoints are publishing the GeoTrust intermediate cert).
So for now I have skipped removal of "GeoTrust Global CA" to avoid affecting these sites. Debian ran into this when they updated their cert database and had to back this part out, affected sites are not reachable on Android Firefox and maybe other newer Firefoxes. Some sites that were affected have moved to a different CA in the last few days but others, notably api.push.apple.com, remain (I can only guess that there is a complicated problem involved, possibly cert pinning on old devices - the clock is ticking though as this expires in May 2022 anyway ;)
Additions:
/C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2 /C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017 /C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority
Removals:
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2 /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3 /C=TW/O=Government Root Certification Authority /C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2 /C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4 /C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.21 |
|
01-Jun-2020 |
sthen |
branches: 1.21.4; Remove expired certificate, ok tb@ /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.20 |
|
10-Apr-2020 |
sthen |
sync cert.pem with Mozilla's root ca list, ok beck@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.19 |
|
04-Apr-2019 |
sthen |
update root CAs in cert.pem in sync with Mozilla ok millert@
|
#
1.18 |
|
16-Dec-2018 |
sthen |
Regenerate root CA list using updated format-pem.pl. Specifically this drops CA certificates whose validity dates don't comply with the rules on ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at least RFC 2459, section 4.1.2.5).
LibreSSL strictly enforces this, so attempting to validate certificates signed by these CAs just result in the following:
error 13 at 1 depth lookup:format error in certificate's notBefore field
"probably" beck@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.17 |
|
12-Sep-2018 |
sthen |
sync with mozilla-release (one removal, TURKTRUST, more details at https://bugzilla.mozilla.org/show_bug.cgi?id=1439127)
ok danj guenther millert
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.16 |
|
21-Mar-2018 |
sthen |
Full sync of CA list with Mozilla's.
Produced using curl's make-ca-bundle.pl and then reformatted with our format-pem.pl from: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
OK benno@. juanfra agrees with syncing with Mozilla. No objections received.
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.15 |
|
24-Feb-2017 |
sthen |
Add the following root CAs, from SECOM Trust Systems / Security Communication of Japan, they are present in Mozilla's CA store. OK ajacoutot@
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
|
#
1.14 |
|
01-Jan-2017 |
sthen |
Various work on cert.pem, ok bcook@
- print/sort using the full certificate subject rather than a pretty-printed subset (as done in the current version of format-pem.pl); previously this was resulting in a problem where a CN conflict resulted in the GlobalSign R2 CA accidentally getting dropped in r1.10; problem found by Steven McDonald
- remove CA certificates that are no longer present in the CA store of the release branch of Mozilla - possible now that libressl has support for alternate chains (libcrypto/x509/x509_vfy.c r1.52)
- add new CA certificates from Mozilla's store from those organisations which we already list
|
#
1.13 |
|
04-Sep-2016 |
sthen |
Add ISRG Root X1, the letsencrypt CA root. This is now included in its own right in Mozilla's CA list, rather than relying on IdenTrust cross-signing. ok beck@ jca@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.12 |
|
25-May-2016 |
jsg |
use -nameopt esc_msb so "NetLock Kft" cert has the non-ascii and non-utf8 bytes escaped.
ok sthen@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.11 |
|
17-Feb-2016 |
sthen |
Sync some root certificates with Mozilla's cert store. ok bcook@
- Add new root certificates present in Mozilla cert store from CA organizations who are already in cert.pem (AddTrust, Comodo, DigiCert, Entrust, GeoTrust, USERTrust).
- Replace Startcom's root with their updated sha256 version present in Mozilla cert store. (They maintained serial# etc so this is still valid for existing signed certificates).
- Add two root certificates from CA not previously present: "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority" "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
We are still listing some certificates that have been removed from Mozilla's store (1024-bit etc) however these cannot be removed until cert validation is improved (we don't currently accept a certificate as valid unless the CA is at the end of a chain).
|
#
1.10 |
|
01-Feb-2016 |
sthen |
Sort cert.pem alphabetically, first by organisation, then by CA name (CN if available, otherwise OU).
Add a comment identifying the org. Now to get an easy-to-read list of certificates in the file you can use "grep ^[#=] cert.pem".
Prepared with https://spacehopper.org/format-pem.20160201. If you would like to verify this commit to ensure that I didn't sneak in any other changes, it will be easier to use the script rather than do it by hand.
|
#
1.9 |
|
31-Jan-2016 |
sthen |
Revamp cert.pem certificate information formatting. Skip headers which aren't really useful (the information can be obtained by feeding the cert into "openssl x509 -in filename -text") and add a separator between certs showing the CA's CN or OU (similar to the display format in web browsers). Include both SHA1 and SHA256 fingerprints for all certificates.
ok beck@ zhuk@ jung@
|
#
1.8 |
|
15-Dec-2015 |
sthen |
Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from cert.pem. ok rpe@
Symantec/VeriSign say "Browsers/root store operators are encouraged to remove/untrust this root from their root stores" and "hasn't been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers' legacy, non-public applications" (https://www.symantec.com/page.jsp?id=roots, http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/).
Also see
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941 https://googleonlinesecurity.blogspot.co.uk/2015/12/proactive-measures-in-digital.html
|
#
1.7 |
|
07-Dec-2015 |
sthen |
Add root certificate for COMODO RSA Certification Authority, ok beck@
In some cases sites signed by this are covered by the old "AddTrust External CA Root" that we already had, but that depends on the site sending a fairly large chain of intermediate certificates which most aren't doing (because there's no need because this newer one is in browser stores..).
|
#
1.6 |
|
16-Nov-2015 |
sthen |
add QuoVadis root certificates, present in Mozilla/Chrome/Apple/Windows/etc req by and OK dlg, no objections in 5 days
|
#
1.5 |
|
13-Sep-2015 |
sthen |
Add Certplus CA root certificate: C=FR, O=Certplus, CN=Class 2 Primary CA
req by beck@, ok miod@ beck@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.4 |
|
20-Jul-2015 |
steven |
branches: 1.4.4; add NetLock Kft. CA root certificate, already present in web browsers and needed for fetching ports distfiles. ok sthen@
|
#
1.3 |
|
17-Jun-2015 |
sthen |
add DST Root CA X3 certificate, already present in most browser cert stores. "O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing the issuing intermediates for letsencrypt.org so is expected to be important for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
|
#
1.2 |
|
04-May-2015 |
sthen |
Add SwissSign CA root certificates. Requested by robert@, ok dcoppa@ aja@ miod@
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.1 |
|
11-Apr-2014 |
miod |
Move build machinery for libcrypto from libssl/crypto to libcrypto, as well as configuration files; split manpages and .pc files between libcrypto and libssl. No functional change, only there to make engineering easier, and libcrypto sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|
#
1.23 |
|
11-Jun-2021 |
sthen |
sync cert.pem with Mozilla's CA list generated from certdata.txt (certificates with the "server auth" trust purpose permitted). ok tb@
-AC Camerfirma S.A. - /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008 - /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008 -
FNMT-RCM /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM + /C=ES/O=FNMT-RCM/OU=Ceres/2.5.4.97=VATES-Q2826004J/CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS
-GeoTrust Inc. - /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA - /C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2 -
GlobalSign nv-sa + /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root E46 + /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root R46 /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
Staat der Nederlanden /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA - /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
Unizeto Technologies S.A. /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA + /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2 - -VeriSign, Inc. - /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
(Note, "Staat der Nederlanden Root CA - G3" was changed to email trust only, so is removed from this due to it only listing "server auth" purposes).
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.22 |
|
12-Feb-2021 |
sthen |
Sync cert.pem with Mozilla NSS root CAs, except "GeoTrust Global CA", ok tb@
Notably this update removes various old Symantec roots (GeoTrust, thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021. Nobody should have been using these for years; only certain subCAs signed by these were valid in NSS in that time due to an exemption: https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec Notably Apple's "Apple IST CA 2 - G1" which is still in use for some endpoints (it is cross signed by another CA too but these endpoints are publishing the GeoTrust intermediate cert).
So for now I have skipped removal of "GeoTrust Global CA" to avoid affecting these sites. Debian ran into this when they updated their cert database and had to back this part out, affected sites are not reachable on Android Firefox and maybe other newer Firefoxes. Some sites that were affected have moved to a different CA in the last few days but others, notably api.push.apple.com, remain (I can only guess that there is a complicated problem involved, possibly cert pinning on old devices - the clock is ticking though as this expires in May 2022 anyway ;)
Additions:
/C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2 /C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017 /C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority
Removals:
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2 /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3 /C=TW/O=Government Root Certification Authority /C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2 /C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4 /C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.21 |
|
01-Jun-2020 |
sthen |
Remove expired certificate, ok tb@ /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.20 |
|
10-Apr-2020 |
sthen |
sync cert.pem with Mozilla's root ca list, ok beck@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.19 |
|
04-Apr-2019 |
sthen |
update root CAs in cert.pem in sync with Mozilla ok millert@
|
#
1.18 |
|
16-Dec-2018 |
sthen |
Regenerate root CA list using updated format-pem.pl. Specifically this drops CA certificates whose validity dates don't comply with the rules on ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at least RFC 2459, section 4.1.2.5).
LibreSSL strictly enforces this, so attempting to validate certificates signed by these CAs just result in the following:
error 13 at 1 depth lookup:format error in certificate's notBefore field
"probably" beck@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.17 |
|
12-Sep-2018 |
sthen |
sync with mozilla-release (one removal, TURKTRUST, more details at https://bugzilla.mozilla.org/show_bug.cgi?id=1439127)
ok danj guenther millert
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.16 |
|
21-Mar-2018 |
sthen |
Full sync of CA list with Mozilla's.
Produced using curl's make-ca-bundle.pl and then reformatted with our format-pem.pl from: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
OK benno@. juanfra agrees with syncing with Mozilla. No objections received.
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.15 |
|
24-Feb-2017 |
sthen |
Add the following root CAs, from SECOM Trust Systems / Security Communication of Japan, they are present in Mozilla's CA store. OK ajacoutot@
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
|
#
1.14 |
|
01-Jan-2017 |
sthen |
Various work on cert.pem, ok bcook@
- print/sort using the full certificate subject rather than a pretty-printed subset (as done in the current version of format-pem.pl); previously this was resulting in a problem where a CN conflict resulted in the GlobalSign R2 CA accidentally getting dropped in r1.10; problem found by Steven McDonald
- remove CA certificates that are no longer present in the CA store of the release branch of Mozilla - possible now that libressl has support for alternate chains (libcrypto/x509/x509_vfy.c r1.52)
- add new CA certificates from Mozilla's store from those organisations which we already list
|
#
1.13 |
|
04-Sep-2016 |
sthen |
Add ISRG Root X1, the letsencrypt CA root. This is now included in its own right in Mozilla's CA list, rather than relying on IdenTrust cross-signing. ok beck@ jca@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.12 |
|
25-May-2016 |
jsg |
use -nameopt esc_msb so "NetLock Kft" cert has the non-ascii and non-utf8 bytes escaped.
ok sthen@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.11 |
|
17-Feb-2016 |
sthen |
Sync some root certificates with Mozilla's cert store. ok bcook@
- Add new root certificates present in Mozilla cert store from CA organizations who are already in cert.pem (AddTrust, Comodo, DigiCert, Entrust, GeoTrust, USERTrust).
- Replace Startcom's root with their updated sha256 version present in Mozilla cert store. (They maintained serial# etc so this is still valid for existing signed certificates).
- Add two root certificates from CA not previously present: "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority" "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
We are still listing some certificates that have been removed from Mozilla's store (1024-bit etc.); however, these cannot be removed until cert validation is improved (we don't currently accept a certificate as valid unless the CA is at the end of a chain).
|
#
1.10 |
|
01-Feb-2016 |
sthen |
Sort cert.pem alphabetically, first by organisation, then by CA name (CN if available, otherwise OU).
Add a comment identifying the org. Now to get an easy-to-read list of certificates in the file you can use "grep ^[#=] cert.pem".
Prepared with https://spacehopper.org/format-pem.20160201. If you would like to verify this commit to ensure that I didn't sneak in any other changes, it will be easier to use the script rather than do it by hand.
|
#
1.9 |
|
31-Jan-2016 |
sthen |
Revamp cert.pem certificate information formatting. Skip headers which aren't really useful (the information can be obtained by feeding the cert into "openssl x509 -in filename -text") and add a separator between certs showing the CA's CN or OU (similar to the display format in web browsers). Include both SHA1 and SHA256 fingerprints for all certificates.
ok beck@ zhuk@ jung@
|
#
1.8 |
|
15-Dec-2015 |
sthen |
Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from cert.pem. ok rpe@
Symantec/VeriSign say "Browsers/root store operators are encouraged to remove/untrust this root from their root stores" and "hasn't been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers' legacy, non-public applications" (https://www.symantec.com/page.jsp?id=roots, http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/).
Also see
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941 https://googleonlinesecurity.blogspot.co.uk/2015/12/proactive-measures-in-digital.html
|
#
1.7 |
|
07-Dec-2015 |
sthen |
Add root certificate for COMODO RSA Certification Authority, ok beck@
In some cases sites signed by this are covered by the old "AddTrust External CA Root" that we already had, but that depends on the site sending a fairly large chain of intermediate certificates which most aren't doing (because there's no need because this newer one is in browser stores..).
|
#
1.6 |
|
16-Nov-2015 |
sthen |
add QuoVadis root certificates, present in Mozilla/Chrome/Apple/Windows/etc. Req by and OK dlg, no objections in 5 days.
|
#
1.5 |
|
13-Sep-2015 |
sthen |
Add Certplus CA root certificate: C=FR, O=Certplus, CN=Class 2 Primary CA
req by beck@, ok miod@ beck@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.4 |
|
20-Jul-2015 |
steven |
branches: 1.4.4; add NetLock Kft. CA root certificate, already present in web browsers and needed for fetching ports distfiles. ok sthen@
|
#
1.3 |
|
17-Jun-2015 |
sthen |
add DST Root CA X3 certificate, already present in most browser cert stores. "O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing the issuing intermediates for letsencrypt.org so is expected to be important for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
|
#
1.2 |
|
04-May-2015 |
sthen |
Add SwissSign CA root certificates. Requested by robert@, ok dcoppa@ aja@ miod@
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.1 |
|
11-Apr-2014 |
miod |
Move build machinery for libcrypto from libssl/crypto to libcrypto, as well as configuration files; split manpages and .pc files between libcrypto and libssl. No functional change, only there to make engineering easier, and libcrypto sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|
#
1.22 |
|
12-Feb-2021 |
sthen |
Sync cert.pem with Mozilla NSS root CAs, except "GeoTrust Global CA", ok tb@
Notably this update removes various old Symantec roots (GeoTrust, thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021. Nobody should have been using these for years; only certain subCAs signed by these were valid in NSS in that time due to an exemption: https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec Notably Apple's "Apple IST CA 2 - G1" which is still in use for some endpoints (it is cross signed by another CA too but these endpoints are publishing the GeoTrust intermediate cert).
So for now I have skipped removal of "GeoTrust Global CA" to avoid affecting these sites. Debian ran into this when they updated their cert database and had to back this part out, affected sites are not reachable on Android Firefox and maybe other newer Firefoxes. Some sites that were affected have moved to a different CA in the last few days but others, notably api.push.apple.com, remain (I can only guess that there is a complicated problem involved, possibly cert pinning on old devices - the clock is ticking though as this expires in May 2022 anyway ;)
Additions:
/C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2 /C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017 /C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority
Removals:
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2 /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3 /C=TW/O=Government Root Certification Authority /C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2 /C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4 /C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.21 |
|
01-Jun-2020 |
sthen |
Remove expired certificate, ok tb@ /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.20 |
|
10-Apr-2020 |
sthen |
sync cert.pem with Mozilla's root ca list, ok beck@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.19 |
|
04-Apr-2019 |
sthen |
update root CAs in cert.pem in sync with Mozilla ok millert@
|
#
1.18 |
|
16-Dec-2018 |
sthen |
Regenerate root CA list using updated format-pem.pl. Specifically this drops CA certificates whose validity dates don't comply with the rules on ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at least RFC 2459, section 4.1.2.5).
LibreSSL strictly enforces this, so attempting to validate certificates signed by these CAs just result in the following:
error 13 at 1 depth lookup:format error in certificate's notBefore field
"probably" beck@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.17 |
|
12-Sep-2018 |
sthen |
sync with mozilla-release (one removal, TURKTRUST, more details at https://bugzilla.mozilla.org/show_bug.cgi?id=1439127)
ok danj guenther millert
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.16 |
|
21-Mar-2018 |
sthen |
Full sync of CA list with Mozilla's.
Produced using curl's make-ca-bundle.pl and then reformatted with our format-pem.pl from: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
OK benno@. juanfra agrees with syncing with Mozilla. No objections received.
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.15 |
|
24-Feb-2017 |
sthen |
Add the following root CAs, from SECOM Trust Systems / Security Communication of Japan, they are present in Mozilla's CA store. OK ajacoutot@
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
|
#
1.14 |
|
01-Jan-2017 |
sthen |
Various work on cert.pem, ok bcook@
- print/sort using the full certificate subject rather than a pretty-printed subset (as done in the current version of format-pem.pl); previously this was resulting in a problem where a CN conflict resulted in the GlobalSign R2 CA accidentally getting dropped in r1.10; problem found by Steven McDonald
- remove CA certificates that are no longer present in the CA store of the release branch of Mozilla - possible now that libressl has support for alternate chains (libcrypto/x509/x509_vfy.c r1.52)
- add new CA certificates from Mozilla's store from those organisations which we already list
|
#
1.13 |
|
04-Sep-2016 |
sthen |
Add ISRG Root X1, the letsencrypt CA root. This is now included in its own right in Mozilla's CA list, rather than relying on IdenTrust cross-signing. ok beck@ jca@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.12 |
|
25-May-2016 |
jsg |
use -nameopt esc_msb so "NetLock Kft" cert has the non-ascii and non-utf8 bytes escaped.
ok sthen@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.11 |
|
17-Feb-2016 |
sthen |
Sync some root certificates with Mozilla's cert store. ok bcook@
- Add new root certificates present in Mozilla cert store from CA organizations who are already in cert.pem (AddTrust, Comodo, DigiCert, Entrust, GeoTrust, USERTrust).
- Replace Startcom's root with their updated sha256 version present in Mozilla cert store. (They maintained serial# etc so this is still valid for existing signed certificates).
- Add two root certificates from CA not previously present: "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority" "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
We are still listing some certificates that have been removed from Mozilla's store (1024-bit etc) however these cannot be removed until cert validation is improved (we don't currently accept a certificate as valid unless the CA is at the end of a chain).
|
#
1.10 |
|
01-Feb-2016 |
sthen |
Sort cert.pem alphabetically, first by organisation, then by CA name (CN if available, otherwise OU).
Add a comment identifying the org. Now to get an easy-to-read list of certificates in the file you can use "grep ^[#=] cert.pem".
Prepared with https://spacehopper.org/format-pem.20160201. If you would like to verify this commit to ensure that I didn't sneak in any other changes, it will be easier to use the script rather than do it by hand.
|
#
1.9 |
|
31-Jan-2016 |
sthen |
Revamp cert.pem certificate information formatting. Skip headers which aren't really useful (the information can be obtained by feeding the cert into "openssl x509 -in filename -text") and add a separator between certs showing the CA's CN or OU (similar to the display format in web browsers). Include both SHA1 and SHA256 fingerprints for all certificates.
ok beck@ zhuk@ jung@
|
#
1.8 |
|
15-Dec-2015 |
sthen |
Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from cert.pem. ok rpe@
Symantec/VeriSign say "Browsers/root store operators are encouraged to remove/untrust this root from their root stores" and "hasn't been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers' legacy, non-public applications" (https://www.symantec.com/page.jsp?id=roots, http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/).
Also see
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941 https://googleonlinesecurity.blogspot.co.uk/2015/12/proactive-measures-in-digital.html
|
#
1.7 |
|
07-Dec-2015 |
sthen |
Add root certificate for COMODO RSA Certification Authority, ok beck@
In some cases sites signed by this are covered by the old "AddTrust External CA Root" that we already had, but that depends on the site sending a fairly large chain of intermediate certificates which most aren't doing (because there's no need because this newer one is in browser stores..).
|
#
1.6 |
|
16-Nov-2015 |
sthen |
add QuoVadis root certificates, present in Mozilla/Chrome/Apple/Windows/etc req by and OK dlg, no objections in 5 days
|
#
1.5 |
|
13-Sep-2015 |
sthen |
Add Certplus CA root certificate: C=FR, O=Certplus, CN=Class 2 Primary CA
req by beck@, ok miod@ beck@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.4 |
|
20-Jul-2015 |
steven |
branches: 1.4.4; add NetLock Kft. CA root certificate, already present in web browsers and needed for fetching ports distfiles. ok sthen@
|
#
1.3 |
|
17-Jun-2015 |
sthen |
add DST Root CA X3 certificate, already present in most browser cert stores. "O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing the issuing intermediates for letsencrypt.org so is expected to be important for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
|
#
1.2 |
|
04-May-2015 |
sthen |
Add SwissSign CA root certificates. Requested by robert@, ok dcoppa@ aja@ miod@
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.1 |
|
11-Apr-2014 |
miod |
Move build machinery for libcrypto from libssl/crypto to libcrypto, as well as configuration files; split manpages and .pc files between libcrypto and libssl. No functional change, only there to make engineering easier, and libcrypto sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|
#
1.21 |
|
01-Jun-2020 |
sthen |
Remove expired certificate, ok tb@ /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.20 |
|
10-Apr-2020 |
sthen |
sync cert.pem with Mozilla's root ca list, ok beck@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.19 |
|
04-Apr-2019 |
sthen |
update root CAs in cert.pem in sync with Mozilla ok millert@
|
#
1.18 |
|
16-Dec-2018 |
sthen |
Regenerate root CA list using updated format-pem.pl. Specifically this drops CA certificates whose validity dates don't comply with the rules on ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at least RFC 2459, section 4.1.2.5).
LibreSSL strictly enforces this, so attempting to validate certificates signed by these CAs just result in the following:
error 13 at 1 depth lookup:format error in certificate's notBefore field
"probably" beck@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.17 |
|
12-Sep-2018 |
sthen |
sync with mozilla-release (one removal, TURKTRUST, more details at https://bugzilla.mozilla.org/show_bug.cgi?id=1439127)
ok danj guenther millert
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.16 |
|
21-Mar-2018 |
sthen |
Full sync of CA list with Mozilla's.
Produced using curl's make-ca-bundle.pl and then reformatted with our format-pem.pl from: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
OK benno@. juanfra agrees with syncing with Mozilla. No objections received.
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.15 |
|
24-Feb-2017 |
sthen |
Add the following root CAs, from SECOM Trust Systems / Security Communication of Japan, they are present in Mozilla's CA store. OK ajacoutot@
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
|
#
1.14 |
|
01-Jan-2017 |
sthen |
Various work on cert.pem, ok bcook@
- print/sort using the full certificate subject rather than a pretty-printed subset (as done in the current version of format-pem.pl); previously this was resulting in a problem where a CN conflict resulted in the GlobalSign R2 CA accidentally getting dropped in r1.10; problem found by Steven McDonald
- remove CA certificates that are no longer present in the CA store of the release branch of Mozilla - possible now that libressl has support for alternate chains (libcrypto/x509/x509_vfy.c r1.52)
- add new CA certificates from Mozilla's store from those organisations which we already list
|
#
1.13 |
|
04-Sep-2016 |
sthen |
Add ISRG Root X1, the letsencrypt CA root. This is now included in its own right in Mozilla's CA list, rather than relying on IdenTrust cross-signing. ok beck@ jca@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.12 |
|
25-May-2016 |
jsg |
use -nameopt esc_msb so "NetLock Kft" cert has the non-ascii and non-utf8 bytes escaped.
ok sthen@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.11 |
|
17-Feb-2016 |
sthen |
Sync some root certificates with Mozilla's cert store. ok bcook@
- Add new root certificates present in Mozilla cert store from CA organizations who are already in cert.pem (AddTrust, Comodo, DigiCert, Entrust, GeoTrust, USERTrust).
- Replace Startcom's root with their updated sha256 version present in Mozilla cert store. (They maintained serial# etc so this is still valid for existing signed certificates).
- Add two root certificates from CA not previously present: "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority" "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
We are still listing some certificates that have been removed from Mozilla's store (1024-bit etc) however these cannot be removed until cert validation is improved (we don't currently accept a certificate as valid unless the CA is at the end of a chain).
|
#
1.10 |
|
01-Feb-2016 |
sthen |
Sort cert.pem alphabetically, first by organisation, then by CA name (CN if available, otherwise OU).
Add a comment identifying the org. Now to get an easy-to-read list of certificates in the file you can use "grep ^[#=] cert.pem".
Prepared with https://spacehopper.org/format-pem.20160201. If you would like to verify this commit to ensure that I didn't sneak in any other changes, it will be easier to use the script rather than do it by hand.
|
#
1.9 |
|
31-Jan-2016 |
sthen |
Revamp cert.pem certificate information formatting. Skip headers which aren't really useful (the information can be obtained by feeding the cert into "openssl x509 -in filename -text") and add a separator between certs showing the CA's CN or OU (similar to the display format in web browsers). Include both SHA1 and SHA256 fingerprints for all certificates.
ok beck@ zhuk@ jung@
|
#
1.8 |
|
15-Dec-2015 |
sthen |
Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from cert.pem. ok rpe@
Symantec/VeriSign say "Browsers/root store operators are encouraged to remove/untrust this root from their root stores" and "hasn't been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers' legacy, non-public applications" (https://www.symantec.com/page.jsp?id=roots, http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/).
Also see
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941 https://googleonlinesecurity.blogspot.co.uk/2015/12/proactive-measures-in-digital.html
|
#
1.7 |
|
07-Dec-2015 |
sthen |
Add root certificate for COMODO RSA Certification Authority, ok beck@
In some cases sites signed by this are covered by the old "AddTrust External CA Root" that we already had, but that depends on the site sending a fairly large chain of intermediate certificates which most aren't doing (because there's no need because this newer one is in browser stores..).
|
#
1.6 |
|
16-Nov-2015 |
sthen |
add QuoVadis root certificates, present in Mozilla/Chrome/Apple/Windows/etc req by and OK dlg, no objections in 5 days
|
#
1.5 |
|
13-Sep-2015 |
sthen |
Add Certplus CA root certificate: C=FR, O=Certplus, CN=Class 2 Primary CA
req by beck@, ok miod@ beck@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.4 |
|
20-Jul-2015 |
steven |
branches: 1.4.4; add NetLock Kft. CA root certificate, already present in web browsers and needed for fetching ports distfiles. ok sthen@
|
#
1.3 |
|
17-Jun-2015 |
sthen |
add DST Root CA X3 certificate, already present in most browser cert stores. "O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing the issuing intermediates for letsencrypt.org so is expected to be important for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
|
#
1.2 |
|
04-May-2015 |
sthen |
Add SwissSign CA root certificates. Requested by robert@, ok dcoppa@ aja@ miod@
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.1 |
|
11-Apr-2014 |
miod |
Move build machinery for libcrypto from libssl/crypto to libcrypto, as well as configuration files; split manpages and .pc files between libcrypto and libssl. No functional change, only there to make engineering easier, and libcrypto sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|
#
1.20 |
|
10-Apr-2020 |
sthen |
sync cert.pem with Mozilla's root ca list, ok beck@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.19 |
|
04-Apr-2019 |
sthen |
update root CAs in cert.pem in sync with Mozilla ok millert@
|
#
1.18 |
|
16-Dec-2018 |
sthen |
Regenerate root CA list using updated format-pem.pl. Specifically this drops CA certificates whose validity dates don't comply with the rules on ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at least RFC 2459, section 4.1.2.5).
LibreSSL strictly enforces this, so attempting to validate certificates signed by these CAs just result in the following:
error 13 at 1 depth lookup:format error in certificate's notBefore field
"probably" beck@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.17 |
|
12-Sep-2018 |
sthen |
sync with mozilla-release (one removal, TURKTRUST, more details at https://bugzilla.mozilla.org/show_bug.cgi?id=1439127)
ok danj guenther millert
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.16 |
|
21-Mar-2018 |
sthen |
Full sync of CA list with Mozilla's.
Produced using curl's make-ca-bundle.pl and then reformatted with our format-pem.pl from: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
OK benno@. juanfra agrees with syncing with Mozilla. No objections received.
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.15 |
|
24-Feb-2017 |
sthen |
Add the following root CAs, from SECOM Trust Systems / Security Communication of Japan, they are present in Mozilla's CA store. OK ajacoutot@
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
|
#
1.14 |
|
01-Jan-2017 |
sthen |
Various work on cert.pem, ok bcook@
- print/sort using the full certificate subject rather than a pretty-printed subset (as done in the current version of format-pem.pl); previously this was resulting in a problem where a CN conflict resulted in the GlobalSign R2 CA accidentally getting dropped in r1.10; problem found by Steven McDonald
- remove CA certificates that are no longer present in the CA store of the release branch of Mozilla - possible now that libressl has support for alternate chains (libcrypto/x509/x509_vfy.c r1.52)
- add new CA certificates from Mozilla's store from those organisations which we already list
|
#
1.13 |
|
04-Sep-2016 |
sthen |
Add ISRG Root X1, the letsencrypt CA root. This is now included in its own right in Mozilla's CA list, rather than relying on IdenTrust cross-signing. ok beck@ jca@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.12 |
|
25-May-2016 |
jsg |
use -nameopt esc_msb so "NetLock Kft" cert has the non-ascii and non-utf8 bytes escaped.
ok sthen@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.11 |
|
17-Feb-2016 |
sthen |
Sync some root certificates with Mozilla's cert store. ok bcook@
- Add new root certificates present in Mozilla cert store from CA organizations who are already in cert.pem (AddTrust, Comodo, DigiCert, Entrust, GeoTrust, USERTrust).
- Replace Startcom's root with their updated sha256 version present in Mozilla cert store. (They maintained serial# etc so this is still valid for existing signed certificates).
- Add two root certificates from CA not previously present: "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority" "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
We are still listing some certificates that have been removed from Mozilla's store (1024-bit etc) however these cannot be removed until cert validation is improved (we don't currently accept a certificate as valid unless the CA is at the end of a chain).
|
#
1.10 |
|
01-Feb-2016 |
sthen |
Sort cert.pem alphabetically, first by organisation, then by CA name (CN if available, otherwise OU).
Add a comment identifying the org. Now to get an easy-to-read list of certificates in the file you can use "grep ^[#=] cert.pem".
Prepared with https://spacehopper.org/format-pem.20160201. If you would like to verify this commit to ensure that I didn't sneak in any other changes, it will be easier to use the script rather than do it by hand.
|
#
1.9 |
|
31-Jan-2016 |
sthen |
Revamp cert.pem certificate information formatting. Skip headers which aren't really useful (the information can be obtained by feeding the cert into "openssl x509 -in filename -text") and add a separator between certs showing the CA's CN or OU (similar to the display format in web browsers). Include both SHA1 and SHA256 fingerprints for all certificates.
ok beck@ zhuk@ jung@
|
#
1.8 |
|
15-Dec-2015 |
sthen |
Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from cert.pem. ok rpe@
Symantec/VeriSign say "Browsers/root store operators are encouraged to remove/untrust this root from their root stores" and "hasn't been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers' legacy, non-public applications" (https://www.symantec.com/page.jsp?id=roots, http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/).
Also see
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941 https://googleonlinesecurity.blogspot.co.uk/2015/12/proactive-measures-in-digital.html
|
#
1.7 |
|
07-Dec-2015 |
sthen |
Add root certificate for COMODO RSA Certification Authority, ok beck@
In some cases sites signed by this are covered by the old "AddTrust External CA Root" that we already had, but that depends on the site sending a fairly large chain of intermediate certificates which most aren't doing (because there's no need because this newer one is in browser stores..).
|
#
1.6 |
|
16-Nov-2015 |
sthen |
add QuoVadis root certificates, present in Mozilla/Chrome/Apple/Windows/etc req by and OK dlg, no objections in 5 days
|
#
1.5 |
|
13-Sep-2015 |
sthen |
Add Certplus CA root certificate: C=FR, O=Certplus, CN=Class 2 Primary CA
req by beck@, ok miod@ beck@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.4 |
|
20-Jul-2015 |
steven |
branches: 1.4.4; add NetLock Kft. CA root certificate, already present in web browsers and needed for fetching ports distfiles. ok sthen@
|
#
1.3 |
|
17-Jun-2015 |
sthen |
add DST Root CA X3 certificate, already present in most browser cert stores. "O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing the issuing intermediates for letsencrypt.org so is expected to be important for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
|
#
1.2 |
|
04-May-2015 |
sthen |
Add SwissSign CA root certificates. Requested by robert@, ok dcoppa@ aja@ miod@
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.1 |
|
11-Apr-2014 |
miod |
Move build machinery for libcrypto from libssl/crypto to libcrypto, as well as configuration files; split manpages and .pc files between libcrypto and libssl. No functional change, only there to make engineering easier, and libcrypto sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|