Updated June 27 to reformat New Certificates section
I was reading Mozilla's Bugzilla, in which a gentleman from Keynectis/Opentrust stated:
We have been included in Microsoft root store. This has been confirmed by Jody. 5 new root CAs will be available in Microsoft June release, planned on the 23rd.
If you read my previous post on the Microsoft Certificate Trust List you'd know that it's hard to anticipate Microsoft certificate trust list changes.
To download a mirror of the Microsoft Certificate Trust List:
certutil.exe -syncwithwu .\wu
I checked this afternoon, yes, the CTL was updated. Some quick analysis of this change, which added 17 Root Certificates and removed 1.
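To reproduce an added/removed count like this, compare two mirror directories taken at different times. The following is an added example, not the author's script; it assumes each root in the mirror is stored as `<SHA1 thumbprint>.crt` in DER form, and the sample bytes in `demo()` are constructed placeholders rather than real certificates.

```python
import hashlib
import tempfile
from pathlib import Path


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, the value Windows displays as 'Thumbprint'."""
    return hashlib.sha1(der).hexdigest()


def load_mirror(directory):
    """Return ({thumbprint: path}, [names whose content does not hash to the name])."""
    certs, mismatched = {}, []
    for path in sorted(Path(directory).glob("*.crt")):
        digest = thumbprint(path.read_bytes())
        # Assumption: file name == thumbprint; anything else is flagged, not trusted.
        if path.stem.lower() != digest:
            mismatched.append(path.name)
            continue
        certs[digest] = path
    return certs, mismatched


def diff_mirrors(old_dir, new_dir):
    """Set difference of two mirror snapshots, keyed by thumbprint."""
    old, old_bad = load_mirror(old_dir)
    new, new_bad = load_mirror(new_dir)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "mismatched": sorted(old_bad + new_bad),
    }


def demo():
    """Constructed sample: placeholder byte strings stand in for DER certificates."""
    with tempfile.TemporaryDirectory() as tmp:
        old_dir, new_dir = Path(tmp, "wu-old"), Path(tmp, "wu-new")
        old_dir.mkdir()
        new_dir.mkdir()
        kept, retired, fresh = b"constructed root A", b"constructed root B", b"constructed root C"
        for directory, blobs in ((old_dir, (kept, retired)), (new_dir, (kept, fresh))):
            for blob in blobs:
                (directory / f"{thumbprint(blob)}.crt").write_bytes(blob)
        # A file whose name is not the hash of its content must be reported.
        (new_dir / ("0" * 40 + ".crt")).write_bytes(b"constructed renamed file")
        return diff_mirrors(old_dir, new_dir), thumbprint(retired), thumbprint(fresh)


if __name__ == "__main__":
    for key, values in demo()[0].items():
        print(key, values)
```

Against real snapshots, call `diff_mirrors("wu-old", "wu")` on two directories written by the `certutil.exe -syncwithwu` command above.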
Several of the new certificates are not trusted for Server Authentication.
There are a few new Certificate Authorities, about which I don't have much information.
I wrote a script to build a MSCACERT.PEM file using the MS Certificate Trust List with just certificates trusted for server authentication, available here:
Microsoft used to document these changes; an example is linked below. Maybe they will start announcing trust changes again soon.
The last update is a PDF released in September 2014, which welcomed Saudi Arabia's CA. sha1sum "Windows Root Certificate Program Members - Sept 2014.pdf"
Windows Root Certificate Program Members - Sept 2014.pdf
For an earlier update on Microsoft's trust list changes this year see:
Update, three of these are ECC 384 bit Roots.
5 2048 bit / sha256WithRSAEncryption
6 4096 bit / sha256WithRSAEncryption
1 4096 bit / sha384WithRSAEncryption
2 4096 bit / sha512WithRSAEncryption
3 384 bit / ecdsa-with-SHA384
The ECC Roots with links to their test website:
C=FR, O=OpenTrust, CN=OpenTrust Root CA G3
C=FR, O=Certplus, CN=Certplus Root CA G2
C=CN, O=WoSign CA Limited, CN=CA WoSign ECC Root
Note (6/28) the WoSign new certificates are included in the Mozilla renewal request
New Certificate Authorities
Notarius Inc of Canada - http://www.notarius.com Trusted for Client Authentication, Secure Email, and Document Signing.
"Notarius is a non-profit organization founded on 19 June 1996 by the Chambre des notaires du Québec (CNQ). Certified ISO 27001:2005, ISO 9001:2008 and recognized by the Conseil du trésor du Québec, Notarius issues digital signatures to Canadian professionals and their business partners."
GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. of China http://www.gdca.com.cn/ WebTrust Seal: https://cert.webtrust.org/SealFile?seal=1859&file=pdf
Deutscher Sparkassen Verlag GmbH of Germany (6/28: not new)
Swedish Social Insurance Agency of Sweden Trusted for all.
"Försäkringskassan’s role is to administer social insurance and to ensure that you get the benefits and allowances you are entitled to."
MULTICERT - Serviços de Certificação Electrónica S.A. of Portugal Trusted for all. https://www.multicert.com
"Over the years, we have consolidated ourselves as project developers and as a digital security solutions company, bringing our expertise and technical knowledge into the electronic certification field. Our expertise has been acquired in several projects in which we participated, both in the banking and government sectors."
Submitted to Mozilla
National Digital Certification Agency of Tunisia (6/28: Not new)
Home page is anchored to old revoked root.
New Root Certificates (17)
|SHA1 Thumbprint||Current CA Owner||Country||Root CA Name||Algorithm||Expiration||Trusted For|
|1f3f1486b531882802e87b624d420295a0fc721a||Notarius Inc||Canada||Notarius Root Certificate Authority||RSA4096||12-2034||Client|
|0f36385b811a25c39b314e83cae9346670cc74b4||GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.||China||GDCA TrustAUTH R5 ROOT||RSA4096||12-2040||Server Client Code Time|
|fbeddc9065b7272037bc550c9c56debbf27894e1||WoSign CA Limited||China||Certification Authority of WoSign G2||RSA2048||11-2044||Server Client Code Time|
|d27ad2beed94c0a13cc72521ea5d71be8119f32b||WoSign CA Limited||China||CA WoSign ECC Root||ECDSA384||11-2044||Server Client Code Time|
|22fdd0b7fda24e0dac492ca0aca67b6a1fe3f766||OpenTrust||France||Certplus Root CA G1||RSA4096||1-2038||Server Client Code|
|4f658e1fe906d82802e9544741c954255d69cc1a||OpenTrust||France||Certplus Root CA G2||ECDSA384||1-2038||Server Client Code|
|7991e834f7e2eedd08950152e9552d14e958d57e||OpenTrust||France||OpenTrust Root CA G1||RSA4096||1-2038||Server Client Code|
|795f8860c5ab7c3d92e6cbf48de145cd11ef600b||OpenTrust||France||OpenTrust Root CA G2||RSA4096||1-2038||Server Client Code|
|6e2664f356bf3455bfd1933f7c01ded813da8aa6||OpenTrust||France||OpenTrust Root CA G3||ECDSA384||1-2038||Server Client Code|
|1b3d1114ea7a0f9558544195bf6b2582ab40ce9a||Deutscher Sparkassen Verlag GmbH||Germany||S-TRUST Universal Root CA||RSA2048||10-2038||Server Client Time|
|3bc6dce00307bd676041ebd85970c62f8fda5109||India PKI||India||CCA India 2015 SPL||RSA2048||1-2025||Client Time|
|a2b86b5a68d92819d9ce5dd6d7969a4968e11991||India PKI||India||CCA India 2014||RSA2048||3-2024||Client Time|
|46af7a31b599460d469d6041145b13651df9170a||MULTICERT||Portugal||MULTICERT Root Certification Authority 01||RSA4096||4-2039||Server Client Code Time|
|32f442093b36d7031b75ca4daddcb327faa02b9c||Swedish Social Insurance Agency||Sweden||Swedish Government Root Authority v2||RSA4096||5-2040||Server Client Code Time|
|9638633c9056ae8814a065d23bdc60a0ee702fa7||Tunisian National Digital Certification Agency||Tunisia||Tunisian Root Certificate Authority - TunRootCA2||RSA4096||5-2027||Server Client Code Time|
|2c8affce966430ba04c04f81dd4b49c71b5b81a0||Cisco Systems||USA||Cisco RXC-R2||RSA2048||7-2034||Server Client|
|8094640eb5a7a1ca119c1fddd59f810263a7fbd1||GlobalSign||USA||GlobalSign Root CA - R6||RSA4096||12-2034||Code Time|
"GlobalSign is a WebTrust-certified certificate authority and provider of Identity Services. Founded in 1996 and presently a subsidiary of GMO CLOUD K.K. in Japan, the company offers a diverse range of Identity service solutions."
9.1.4 Issuer Country Name Field Certificate Field: issuer:countryName (OID 2.5.4.6) Required/Optional: Required Contents: This field MUST contain the two-letter ISO 3166-1 country code for the country in which the issuer’s place of business is located.
Removed/Retired Root Certificates
This is the 1024-bit Equifax root.
SHA1 Fingerprint=DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
subject= /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1