1# ------------------------------------------------------------------------------ 2# Extended Validation CA Policy OIDs 3# Last updated: 20 Aug 2014, KCM 4# 5# Each uncommented non-empty line contains a mapping from a CA-defined EV OID 6# to the certificate file(s) in ./roots which are authoritative for that OID. 7# These lines are processed by the buildEVRoots script to generate the plist. 8# 9 10# Actalis 11# source: <rdar://problem/15836617>, <snrx://602642711> 12# confirmed by http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf 13# 14# (1.3.159.1.17.1) = 06062B811F011101 15# 16# roots: Actalis Authentication Root CA.cer 17# 181.3.159.1.17.1 "Actalis Authentication Root CA.cer" 19 20 21# AffirmTrust 22# source: <rdar://problem/7824821> 23# confirmed by http://www.affirmtrust.com/images/AffirmTrust_CPS_v1.1_12-23-2010.pdf 24# 25# (1.3.6.1.4.1.34697.2.1) = 26# 27# roots: AffirmTrust-Commercial.der, AffirmTrust-Networking.der, AffirmTrust-Premium.der, AffirmTrust-Premium-ECC.der 28# 291.3.6.1.4.1.34697.2.1 "AffirmTrust-Commercial.der" 301.3.6.1.4.1.34697.2.2 "AffirmTrust-Networking.der" 311.3.6.1.4.1.34697.2.3 "AffirmTrust-Premium.der" 321.3.6.1.4.1.34697.2.4 "AffirmTrust-Premium-ECC.der" 33 34 35# Buypass (Norway) 36# TestURL: https://valid.evident.ca23.ssl.buypass.no/ 37# TestURL: https://valid.evident.ca13.ssl.buypass.no 38# source: <sonr://Request/66633590> 39# confirmed by https://cert.webtrust.org/ViewSeal?id=848 40# confirmed by http://www.buypass.no/Bedrift/Produkter+og+tjenester/SSL/SSL%20dokumentasjon 41# 42# (2.16.578.1.26.1.3.3) = 0608608442011A010303 43# 44# root: Buypass Class 3 CA 1 Buypass AS-983163327 45# 46# confirmed by email with John Arild Amdahl Johansen on Nov.12 2013 47# 482.16.578.1.26.1.3.3 "Buypass Class 3 Root CA.cer" "BuypassClass3CA1.cer" 49 50 51# Certigna 52# TestURL: http://www.certigna.fr/ca/ACcertigna.crt 53# confirmed by <sonr://138828330> 54# 86F27C4BE875508EE8793C4BFC61791530729830 55# source <sonr://Request/138828330> 56# 57# (1.2.250.1.177.1.18.2.2) 58# 59# root: Certigna.cer 60# 611.2.250.1.177.1.18.2.2 "Certigna.cer" 62 63 64# Certum (Unizeto) (Poland) 65# source: <sonr://request/95347392> 66# source: <rdar://problem/7656178>, <rdar://problem/16974747> 67# 68# ( 1 2 616 1 113527 2 5 1 1 ) = 060B2A84680186F67702050101 69# 70# root: Certum Trusted Network CA 71# root: Certum CA 72# 731.2.616.1.113527.2.5.1.1 "Unizeto-CertumCA.cer" "Poland-Certum-CTNCA.der" "Certum Trusted Network CA 2.cer" 74 75 76# China Internet Network Information Center (CNNIC) (China) 77# source: <rdar://problem/9279621> 78# 79# ( 1 3 6 1 4 1 29836 1 10 ) = 80# 81# root: China Internet Network Information Center EV Certificates Root 82# 831.3.6.1.4.1.29836.1.10 "CNNICEVRoot.der" 84 85 86# Comodo 87# source: <http://www.mozilla.org/projects/security/certs/included/> 88# confirmed by <http://www.comodo.com/repository/EV_CPS_120806.pdf> 89# 90# (1.3.6.1.4.1.6449.1.2.1.5.1) = 060C2B06010401B2310102010501 91# 92# root: COMODO Certification Authority 93# subordinate CA of: Add Trust External CA Root 94# 951.3.6.1.4.1.6449.1.2.1.5.1 "COMODOCertificationAuthority.crt" "AddTrust External CA Root.crt" 96 97 98# Cybertrust (aka Verizon Business) 99# source: <http://en.wikipedia.org/wiki/Extended_Validation_Certificate> 100# confirmed by <http://cybertrust.omniroot.com/repository.cfm> 101# 102# (1.3.6.1.4.1.6334.1.100.1) = 060A2B06010401B13E016401 103# 104# root: GTE Cybertrust Global Root 105# root: Baltimore Cybertrust Root 106# 1071.3.6.1.4.1.6334.1.100.1 "BTCTRT.cer" "GTEGB18.cer" 108 109 110# DigiCert 111# source: <http://www.mozilla.org/projects/security/certs/included/> 112# confirmed by <https://www.digicert.com/> 113# confirmed by <http://www.digicert.com/CPS_V3-0-3_3-15-2007.pdf> 114# 115# (2.16.840.1.114412.2.1) = 06096086480186FD6C0201 // EV CA-1 116# (2.16.840.1.114412.1.3.0.2) = 060B6086480186FD6C01030002 // EV CA-2 117# 118# root: DigiCert High Assurance EV Root CA 119# previously a subordinate CA of: Entrust.net Secure Server Certification Authority 120# 1212.16.840.1.114412.1.3.0.2 "DigiCertHighAssuranceEVRootCA.crt" "EntrustRootCA1024.crt" 122 123 124# A14B48D943EE0A0E40904F3CE0A4C09193515D3F 125# F517A24F9A48C6C9F8A200269FDC0F482CAB3089 126# DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 127# 7E04DE896A3E666D00E687D33FFAD93BE83D349E 128# DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 129# TestURL: https://assured-id-root-g2.digicert.com 130# TestURL: https://assured-id-root-g3.digicert.com 131# TestURL: https://global-root-g2.digicert.com 132# TestURL: https://global-root-g3.digicert.com 133# TestURL: https://trusted-root-g4.digicert.com 134# confirmed by <snrx://600058205> 1352.16.840.1.114412.2.1 "DigiCertHighAssuranceEVRootCA.crt" "DigiCertAssuredIDRootG2.der" "DigiCertAssuredIDRootG3.der" "DigiCertGlobalRootG2.der" "DigiCertGlobalRootG3.der" "DigiCertTrustedRootG4.der" 136 137 138# DigiNotar 139# source: <http://www.mozilla.org/projects/security/certs/included/> 140# confirmed by <https://www.diginotar.com/> 141# 142# (2.16.528.1.1001.1.1.1.12.6.1.1.1) = 060E6084100187690101010C06010101 143# 144# root: DigiNotar Root CA 145# 146# removed per <rdar://problem/10040471> 147# 2.16.528.1.1001.1.1.1.12.6.1.1.1 "DigiNotarRootCA2007.crt" 148 149 150# D-Trust 151# <rdar://problem/13718023> open .D-Trust root certificates 152# 153# 1.3.6.1.4.1.4788.2.202.1 154# 155# root: D-TRUST_Root_Class_3_CA_2_EV_2009.cer 156# 1571.3.6.1.4.1.4788.2.202.1 "D-TRUST_Root_Class_3_CA_2_EV_2009.cer" 158 159 160# E-Tugra 161# source: <rdar://15745238> 162# Test URL: https://sslev.e-tugra.com.tr 163# 1642.16.792.3.0.4.1.1.4 "E-Tugra.der" 165 166# Entrust 167# 503006091D97D4F5AE39F7CBE7927D7D652D3431 168# B31EB1B740E36C8402DADC37D44DF5D4674952F9 169# 8CF427FD790C3AD166068DE81E57EFBB932272D4 170# 20d80640df9b25f512253a11eaf7598aeb14b547 171# TestURL: https://2048test.entrust.net/ 172# TestURL: https://validev.entrust.net/ 173# TestURL: https://validg2.entrust.net/ 174# TestURL: https://validec.entrust.net/ 175# source: <http://www.mozilla.org/projects/security/certs/included/> 176# confirmed by <http://www.entrust.net/CPS/pdf/webcps051404.pdf> 177# 178# (2.16.840.1.114028.10.1.2) = 060A6086480186FA6C0A0102 179# 180# root: Entrust.net Secure Server Certification Authority 181# root: Entrust Root Certification Authority 182# 183# confirmed by <sonr://99624119> 1842.16.840.1.114028.10.1.2 "EntrustEVRoot.crt" "EntrustRoot-G2.der" "EntrustRoot-EC1.der" "entrust2048.der" 185 186 187# GeoTrust 188# source: <http://www.mozilla.org/projects/security/certs/included/> 189# confirmed by <http://www.geotrust.com/resources/cps/pdfs/GeoTrustCPS-Version1.pdf> 190# G3 root added: <http://www.geotrust.com/resources/cps/pdfs/GeoTrustCPS-Version1.1.13.pdf> 191# 192# (1.3.6.1.4.1.14370.1.6) = 06092B06010401F0220106 193# 194# root: GeoTrust Primary Certification Authority 195# subordinate CA of: Equifax Secure Certificate Authority 196# 1971.3.6.1.4.1.14370.1.6 "geotrust-primary-ca.crt" "Equifax_Secure_Certificate_Auth" "GeoTrust Primary Certification Authority - G3.cer" 198 199 200# GlobalSign 201# source: <http://www.mozilla.org/projects/security/certs/included/> 202# confirmed by <https://www.globalsign.com/> 203# 204# (1.3.6.1.4.1.4146.1.1) = 06092B06010401A0320101 205# 206# root: GlobalSign Root CA - R3 207# root: GlobalSign Root CA - R2 208# root: GlobalSign Root CA 209# 2101.3.6.1.4.1.4146.1.1 "GlobalSignRootCA-R2.cer" "globalSignRoot.cer" "GlobalSign-Root-R3.der" 211 212 213# Go Daddy (aka Starfield Technologies) 214# source: <http://www.mozilla.org/projects/security/certs/included/> 215# confirmed by <https://certs.starfieldtech.com/repository/StarfieldCP-CPS.pdf> 216# 217# (2.16.840.1.114413.1.7.23.3) = 060B6086480186FD6D01071703 218# (2.16.840.1.114414.1.7.23.3) = 060B6086480186FD6E01071703 219# 220# root: Go Daddy Class 2 Certification Authority (for 114413) 221# root: Starfield Class 2 Certificate Authority (for 114414) 222# root: Starfield Root Certificate Authority - G2 (for 114414) 223# root: Starfield Services Root Certificate Authority - G2 (for 114414) 224# previously subordinate CA of: Valicert Class 2 Policy Validation Authority (both) 225# 2262.16.840.1.114413.1.7.23.3 "GD-Class2-root.crt" "ValiCertClass2PVA.cer" "GoDaddyRootCertificateAuthorityG2.der" 2272.16.840.1.114414.1.7.23.3 "SF-Class2-root.crt" "ValiCertClass2PVA.cer" "StarfieldRootCertificateAuthorityG2.der" 2282.16.840.1.114414.1.7.24.3 "StarfieldServicesRootCertificateAuthorityG2.der" 229 230 231# Izenpe 232# source: <sonr://Request/74637008> 233# source: <sonr://Request/84249406> 234# confirmed by <https://servicios.izenpe.com/jsp/descarga_ca/s27descarga_ca_c.jsp> 235# 236# (1.3.6.1.4.1.14777.6.1.1) = 237# (1.3.6.1.4.1.14777.6.1.2) = 238# 239# root: Izenpe.com 240# root: Izenpe.com/emailAddress=Info@izenpe.com 241# 2421.3.6.1.4.1.14777.6.1.1 "Izenpe-RAIZ2007.crt" "Izenpe-ca_raiz2003.crt" 2431.3.6.1.4.1.14777.6.1.2 "Izenpe-RAIZ2007.crt" "Izenpe-ca_raiz2003.crt" 244 245 246# KEYNECTIS (aka Certplus) 247# source: <sonr://request/76327342> 248# confirmed by <https://www.keynectis.com/fr/accueil.html> 249# 250# (1.3.6.1.4.1.22234.2.5.2.3.1) = 251# 252# root: Class 2 Primary CA 253# 2541.3.6.1.4.1.22234.2.5.2.3.1 "certplus_class2.der" 255 256 257# Logius (aka Staat der Nederlanden) 258# source: <rdar://problem/16256943> application for root trust store inclusion for Logius EV certificate 259# confirmed by <https://www.logius.nl/producten/toegang/pkioverheid/documentatie/certificaten-pkioverheid/staat-der-nederlanden-ev/>, 260# <https://bugzilla.mozilla.org/show_bug.cgi?id=1016568> 261# <http://cert.pkioverheid.nl/EVRootCA.cer> 262# 263# (2.16.528.1.1003.1.2.7) = 060960841001876B010207 264# 265# root: Staat der Nederlanden EV Root CA 266# 2672.16.528.1.1003.1.2.7 "Staat der Nederlanden EV Root CA.cer" 268 269 270# Network Solutions 271# source: <http://www.mozilla.org/projects/security/certs/included/> 272# confirmed by <https://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp> 273# 274# (1.3.6.1.4.1.782.1.2.1.8.1) = 060C2B06010401860E0102010801 275# 276# root: Network Solutions Certificate Authority 277# subordinate CA of: AddTrust External CA Root 278# 2791.3.6.1.4.1.782.1.2.1.8.1 "NetworkSolutionsEVRoot.crt" "AddTrust External CA Root.crt" 280 281 282# QuoVadis 283# source: <http://www.mozilla.org/projects/security/certs/included/> 284# confirmed by <http://www.quovadisglobal.bm/Repository.aspx> 285# 286# (1.3.6.1.4.1.8024.0.2.100.1.2) = 060C2B06010401BE580002640102 287# 288# root: QuoVadis Root Certification Authority 289# root: QuoVadis Root CA 2 290# 2911.3.6.1.4.1.8024.0.2.100.1.2 "qvrca.crt" "qvrca2.crt" 292 293 294# Secom (aka SECOM Trust Systems Co., Ltd.) 295# TestURL: https://scrootca2test.secomtrust.net also consider: https://fmctest.secomtrust.net/ 296# FEB8C432DCF9769ACEAE3DD8908FFD288665647D 297# source: <https://repository.secomtrust.net/SC-Root1/> 298# 299# (1.2.392.200091.100.721.1) = 060A2A83088C9B1B64855101 300# 301# root: Security Communication RootCA1 302# 3031.2.392.200091.100.721.1 "SCRoot1ca.cer" "SECOM-EVRoot1ca.cer" "SECOM-RootCA2.cer" 304 305 306# StartCom 307# source: <http://www.mozilla.org/projects/security/certs/included/#StartCom> 308# confirmed by <https://www.startssl.com/certs/>, <https://www.startssl.com/policy.pdf> 309# 310# (1.3.6.1.4.1.23223.2) = 311# (1.3.6.1.4.1.23223.1.1.1) = 312# 313# root: StartCom Certification Authority 314# 3151.3.6.1.4.1.23223.2 "startcom-sfsca.der" "startcomSHA2.der" "StartCom May 2013 G2.der" 3161.3.6.1.4.1.23223.1.1.1 "startcom-sfsca.der" "startcomSHA2.der" "StartCom May 2013 G2.der" 317 318 319# SwissCom 320# source : <rdar://problem/13768455> SwissCom Root Certificates 321# TestURL: https://test-quarz-ev-ca-2.pre.swissdigicert.ch/ 322# confirmed by <snrx://224162961>, 323# <http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_1_de.pdf> 324# 325# previously, we had noted these additional OIDs for SwissCom: 326# (2.16.756.1.83.20.1.1) = 06086085740153140101 327# verify whether this is still used: <rdar://15180773> 328# (2.16.756.1.83.2.2) = 060760857401530202 329# <https://en.wikipedia.org/wiki/Extended_Validation_Certificate>; confirmed by Swisscom: 330# (2.16.756.1.83.21.0) = 060760857401531500 331# 332# E7A19029D3D552DC0D0FC692D3EA880D152E1A6B 333# 3342.16.756.1.83.2.2 "Swisscom Root EV CA 2.cer" 3352.16.756.1.83.21.0 "Swisscom Root EV CA 2.cer" 336 337# SwissSign 338# source: <https://swisssign.com/english/download-document/20-swisssign-gold-ca-g2.html> 339# repository: https://swisssign.com/english/gold/view-category.html 340# 341# (2.16.756.1.89.1.2.1.1) = ... 342# 343# root: SwissSign Gold CA - G2 344# 3452.16.756.1.89.1.2.1.1 "SwissSign-Gold_G2.der" 346 347 348# TrustCenter (DE) 349# source: <sonr://Request/87508085> 350# 351# (1.2.276.0.44.1.1.1.4) = ... 352# 353# root: TC TrustCenter Universal CA III 354# 3551.2.276.0.44.1.1.1.4 "trustCenter-root-5.der" 356 357 358# Trustwave (aka SecureTrust, formerly XRamp) 359# source: <http://www.mozilla.org/projects/security/certs/included/> 360# 361# (2.16.840.1.114404.1.1.2.4.1) = 060C6086480186FD640101020401 362# 363# root: SecureTrust CA 364# root: Secure Global CA 365# root: XRamp Global CA 366# subordinate CA of: Entrust.net Secure Server Certification Authority 367# 3682.16.840.1.114404.1.1.2.4.1 "Trustwave-STCA.der" "Trustwave-SGCA.der" "XGCA.crt" "EntrustRootCA1024.crt" 369 370 371# Thawte 372# source: <http://www.mozilla.org/projects/security/certs/included/> 373# G3 EV root added: <http://www.thawte.com/assets/documents/repository/cps/Thawte_CPS_3_7.9.pdf> 374# 375# (2.16.840.1.113733.1.7.48.1) = 060B6086480186F84501073001 376# 377# root: thawte Primary Root CA 378# subordinate CA of: Thawte Premium Server CA 379# 3802.16.840.1.113733.1.7.48.1 "thawte-primary-root-ca.crt" "serverpremium.crt" "Thawte_Premium_Server_CA.cer" "thawte Primary Root CA - G3.cer" 381 382 383# T-TeleSec 384# source: <rdar://problem/14254092> T-Systems / Telesec.de root certificates 385# 386# (1.3.6.1.4.1.7879.13.24.1) 387# 388# root: T-TeleSec GlobalRoot Class 2 T-TeleSec GlobalRoot Class 3 389# 3901.3.6.1.4.1.7879.13.24.1 "T-TeleSec GlobalRoot Class 2.cer" "T-TeleSec GlobalRoot Class 3.cer" 391 392 393# VeriSign 394# source: <http://www.mozilla.org/projects/security/certs/included/> 395# 396# (2.16.840.1.113733.1.7.23.6) = 060B6086480186F84501071706 397# 398# root: VeriSign Class 3 Public Primary Certification Authority - G5 399# subordinate CA of: Class 3 Public Primary Certification Authority 400# 401# Symantec 402# source: <rdar://problem/13712338> Symantec ECC root certificates May 2013 403# 404# VeriSign 405# source: <rdar://13712338> Symantec ECC root certificates May 2013 406# EV OID correction: <rdar://17095623> EV-enablement for Verisign root certificate already in the keychain 407# 4082.16.840.1.113733.1.7.23.6 "VeriSignC3PublicPrimaryCA-G5.cer" "PCA3ss_v4.509" "Symantec Class 3 Public Primary Certification Authority - G4.cer" "VeriSign Class 3 Public Primary Certification Authority - G4.cer" "VeriSign Universal Root Certification Authority.cer" 409 410 411# Wells Fargo 412# source: <sonr://request/72493272> 413# confirmed by <https://www.wellsfargo.com/com/cp> 414# 415# (2.16.840.1.114171.500.9) = 060A6086480186FB7B837409 416# 417# root: WellsSecure Public Root Certificate Authority 418# 4192.16.840.1.114171.500.9 "WellsSecurePRCA.der" 420 421 422# Camerfirma 423# TestURL: https://server2.camerfirma.com:8082 424# TestURL: https://www.camerfirma.com/ 425# confirmed by <snrx://277093627> 426# 427# (1.3.6.1.4.1.17326.10.14.2.1.2) = 060D2B0601040181872E0A0E020102 428# (1.3.6.1.4.1.17326.10.8.12.1.2) = 060D2B0601040181872E0A080C0102 429# 430# 786A74AC76AB147F9C6A3050BA9EA87EFE9ACE3C 431# 6E3A55A4190C195C93843CC0DB722E313061F0B1 432# 4331.3.6.1.4.1.17326.10.14.2.1.2 "ROOT-CHAMBERSIGN.crt" "ROOT-CHAMBERS.crt" "root_chambers-2008.der" 4341.3.6.1.4.1.17326.10.8.12.1.2 "root_chambersign-2008.der" 435 436 437# Firmaprofesional 438# AEC5FB3FC8E1BFC4E54F03075A9AE800B7F7B6FA 439# Firmaprofesional-CIF-A62634068.der 440# TestURL: https://publifirma.firmaprofesional.com/ 441# confirmed by <sonr://230298678> 442# 443# (1.3.6.1.4.1.13177.10.1.3.10) = 060B2B06010401E6790A01030A 444# 4451.3.6.1.4.1.13177.10.1.3.10 "Firmaprofesional-CIF-A62634068.der" 446 447 448# TWCA 449# TestURL (4096): https://evssldemo3.twca.com.tw/index.html 450# TestURL (2048): https://evssldemo.twca.com.tw/index.html 451# confirmed with Robin Lin of TWCA on August 13 2013 452# 453# (1.3.6.1.4.1.40869.1.1.22.3) = 060C2B0601040182BF2501011603 454# 455# 9CBB4853F6A4F6D352A4E83252556013F5ADAF65 456# CF9E876DD3EBFC422697A3B5A37AA076A9062348 457# 4581.3.6.1.4.1.40869.1.1.22.3 "TWCARootCA-4096.der" "twca-root-1.der" 459 460 461 462# ------------------------------------------------------------------------------ 463 464