ca-certificates.rpm
This is the home page for the ca-certificates.rpm package included in Fedora. It contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.
For the upstream project, see:
- https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
- https://lists.mozilla.org/listinfo/dev-security-policy
This page documents changes that Fedora applies on top of the upstream trust lists.
Reason for Modifications
Starting with version 2.1 of the package, the set of certificates trusted by default differs from the upstream project, for compatibility reasons.
Certain CA certificates are kept trusted, in order to ensure compatibility for software that cannot automatically find alternative trust chains, such as OpenSSL. See also this tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1166614
Note that users/administrators can make use of the ca-legacy command, which changes a systemwide configuration. By executing the command "ca-legacy disable" with root permissions, the Fedora-specific modifications are disabled and the trust as defined by the upstream Mozilla project is used.
Please note that a CA has three independent trust flags: for web site (TLS) trust, for email protection (e.g. S/MIME), and for code signing. Any combination of the trust flags is possible. For example, a CA might have its trust for TLS removed if the CA claims that all customers have had the chance to migrate to a different set of root CA certificates, while the same CA certificate might still be trusted for email protection.
Changes in Version 2.1
For the changes made by upstream in version 2.1, please refer to the NSS 3.16.3 release notes and the amendments in the NSS 3.16.4 release notes (which revert one of the changes):
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.4_release_notes
Below is the list of CAs that had trust removed in upstream list version 2.1, but which are still included and trusted in the Fedora package while the legacy setting is active. (See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1144808 )
- Verisign Class 3 Public Primary Certification Authority
- legacy trust: tls, email, codesigning
- latest trust (if legacy disabled): email
# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
# Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
# Not Valid Before: Mon Jan 29 00:00:00 1996
# Not Valid After : Tue Aug 01 23:59:59 2028
# Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
# Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
- Verisign Class 2 Public Primary Certification Authority - G2
- legacy trust: email, codesigning
- latest trust (if legacy disabled): email
# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
# Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
# Not Valid Before: Mon May 18 00:00:00 1998
# Not Valid After : Tue Aug 01 23:59:59 2028
# Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
# Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
- ValiCert Class 1 VA
- legacy trust: tls, email, codesigning
- latest trust (if legacy disabled): (none)
# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
# Serial Number: 1 (0x1)
# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
# Not Valid Before: Fri Jun 25 22:23:48 1999
# Not Valid After : Tue Jun 25 22:23:48 2019
# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
- ValiCert Class 2 VA
- legacy trust: tls, email, codesigning
- latest trust (if legacy disabled): (none)
# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
# Serial Number: 1 (0x1)
# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
# Not Valid Before: Sat Jun 26 00:19:54 1999
# Not Valid After : Wed Jun 26 00:19:54 2019
# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
- RSA Root Certificate 1
- legacy trust: tls, email, codesigning
- latest trust (if legacy disabled): (none)
# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
# Serial Number: 1 (0x1)
# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
# Not Valid Before: Sat Jun 26 00:22:33 1999
# Not Valid After : Wed Jun 26 00:22:33 2019
# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
- Entrust.net Secure Server CA
- legacy trust: tls, email, codesigning
- latest trust (if legacy disabled): (none)
# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
# Serial Number: 927650371 (0x374ad243)
# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
# Not Valid Before: Tue May 25 16:09:40 1999
# Not Valid After : Sat May 25 16:39:40 2019
# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
- Verisign Class 3 Public Primary Certification Authority
- legacy trust: tls, email, codesigning
- latest trust (if legacy disabled): email
# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
# Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
# Not Valid Before: Mon Jan 29 00:00:00 1996
# Not Valid After : Wed Aug 02 23:59:59 2028
# Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
# Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
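To verify what the ca-legacy setting described above actually did on a system, an administrator can check which of the listed legacy CAs are still present in the extracted PEM trust bundle, matching by the SHA1 fingerprints given for each CA. The following is an added example, not part of the Fedora package or this page; it assumes the bundle path /etc/pki/tls/certs/ca-bundle.crt (the TLS-trust bundle extracted by update-ca-trust) and uses a constructed, non-certificate PEM block as offline sample input.

```python
"""Report which of the Fedora legacy-kept CAs (listed above) are present in a
PEM bundle, by SHA1 fingerprint of each certificate's DER encoding."""
import base64
import hashlib
import re
import sys

# Name -> SHA1 fingerprint, copied from the CA list on this page.
LEGACY_CAS = {
    "Verisign Class 3 PPCA (serial 70:ba:...)": "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2",
    "Verisign Class 2 PPCA - G2": "B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D",
    "ValiCert Class 1 VA": "E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E",
    "ValiCert Class 2 VA": "31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6",
    "RSA Root Certificate 1": "69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB",
    "Entrust.net Secure Server CA": "99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39",
    "Verisign Class 3 PPCA (serial 3c:91:...)": "A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B",
}

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint_sha1(der: bytes) -> str:
    """SHA1 over the DER bytes, formatted like certdata.txt ("AA:BB:...")."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_fingerprints(bundle_text: str) -> list[str]:
    """Fingerprint of every CERTIFICATE block in a PEM bundle, in file order."""
    fps = []
    for match in _PEM_BLOCK.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.append(fingerprint_sha1(der))
    return fps


def legacy_cas_present(bundle_text: str) -> dict[str, bool]:
    """Map each legacy CA name to whether its fingerprint appears in the bundle."""
    present = set(pem_fingerprints(bundle_text))
    return {name: fp in present for name, fp in LEGACY_CAS.items()}


# Constructed sample: not a real certificate, just base64("abc") wrapped as PEM,
# so the parser can be exercised offline without embedding a real CA certificate.
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Assumed Fedora path of the TLS trust bundle extracted by update-ca-trust.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pki/tls/certs/ca-bundle.crt"
    with open(path, encoding="utf-8") as fh:
        for name, found in legacy_cas_present(fh.read()).items():
            print(f"{'present' if found else 'absent '}  {name}")
```

Run it once before and once after "ca-legacy disable" (followed by update-ca-trust) to see which of the listed CAs drop out of the TLS bundle; a CA that keeps only email trust should no longer appear there.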