Default trusted root certificates and the Peppol policy for Transport Security
2020-06-29If you are running a PEPPOL Access Point for the exchange of business documents such as electronic invoices, you may be aware that there are certain requirements regarding transport-level security. What you might not be aware of, however, is that a number of implementations do not fullfill these requirements without additional system-level configuration changes.
The issue I want to discuss here is that of X509 TLS Certificates, or rather, the list of trusted root certificates. Not the PEPPOL PKI, which is used for document-level security and to a certain degree network authentication, but the ‘general’ TLS certificate you use to initiate and serve HTTPS sessions. The same ones you might use to enable HTTPS on your main web server, and for which there are many certificate authorities you can choose from. Too many, it turns out.
The particular issue here is the set of root certificates that are trusted by the access point implementations; if your application has the wrong list, you might not be able to send to specific access points. If you have a certificate from an authority that is not trusted by every single access point out there, they might not be able to send documents to you.
This is why PEPPOL specifies a specific list that you are supposed to configure. From the PEPPOL Policy for Transport Security 1.0: “the latest version of the “List of pre-loaded CA certificates” [CACERTS] of the “Mozilla Network Security Services” [NSS].”
The issue with (some) Java implementations
Please note: I single out Java here, but in reality it might be any operating system or runtime environment. The operational problems I happen to have seen were all with access point implementations in Java.
If you install a stand-alone instance of Java, it comes bundled with its own set of trusted certificates. This list differs (quite a bit! see below) from the list provided by Mozilla. So if someone (correctly) uses a certificate from an authority which is in the Mozilla list, but not the Java list, you can not send them any documents, as the https connection fails to start.
This means that you are NOT compliant to the PEPPOL Policy for Transport Security. Unfortunately, this use-case falls outside of the scope of a lot of testing, as we’d need some system that contains a certificate from all possible authorities, which is at best impractical, but probably impossible.
I have made a quick analysis of the certificate authorities that are present in one but not the other, see the end of this article.
Of course, all this heavily depends on how exactly you have installed your runtime environment. It might use the bundled list, or a list bundled with your operating system, or a different list altogether. And those might differ from the list provided by Mozilla as well.
So what can you do for your sending access point?
In order to be compliant to the PEPPOL Policy, you will need to configure any and all certificates from Mozilla’s list in your trust-list, and to be strictly compliant, remove any list that is present in Java’s list but not Mozilla’s list.
I can’t provide exact instructions for your environment, as again, which specific certificates are trusted depends heavily on how the environment is configured and set up.
There are a few external blog posts that provide some instructions for particular environments (Disclaimer: I do not have any affiliation with these sites, and have not fully verified their contents, these came out of a google search):
- Using Mozilla’s Certificate Authority List for Java SSL
- The Java Developer’s Guide to SSL Certificates
- How to add or list certificates from keystore or trustStore in Java
What can you do for a receiving access point?
If you are running an access point that receives document, check the certificate(s) that is used for https on your endpoint(s).
If you happen to know the certificate used to sign yours, you can look it up in the list below. An easier method is to run the tests from SSLLabs. The last entry of the first section of the results is labeled ‘Trusted’. This entry shows the main trust-lists that trust your certificate. The color (green/red) shows whether your certificate authority is on the trust list.
If this certificate is present in both the Mozilla list and the Java list, you are good. If it is only present in the Java list, you are currently not compliant to the PEPPOL Policy for Transport Security, and you should get and configure one that is on the Mozilla list.
The hard one is if you are using a certificate that is on the Mozilla list, but not the Java list. For example, if you are using a certificate issued by the ‘Staat der Nederlanden’. Technically you are correct by using your certificate, and if anyone has a problem connecting to your access point, then they are not compliant and should update their list of trusted certificates. This may, however, not be feasible in a short amount of time, and is definitely not under your own control. The only workaround that is is changing your certificate to one from an authority that is also on the list of trusted certificates as provided by Java.
Data
I have written a small script to quickly analyze the differences.
Please note: this check does not look at intermediate certificates. If the trusted certificate is from an intermediate at the authority, it may still be trusted if the other trust-list contains a parent.
The Mozilla list I used was retrieved from here, dated Mon, 22 Jun 2020 15:00:38 +0000. The Java list I used was the one bundled with Oracle JDK 8u251.
- The Java list contains 95 certificates.
- The Mozilla list contains 157 certificates.
- 84 certificates are present in both lists.
- 11 certificates are present in the Java list, but not the Mozilla list.
- 73 certificates are present in the Mozilla list, but not the Java list.
Certificates that are in the Mozilla list, but not the Java list
Certificates from these authorities are correct, and your installation is compliant, but there may be issues with access points that send using the Java list.
- AC Camerfirma SA CIF A82743287, Global Chambersign Root, http://www.chambersign.org (33:9B:6B:14:50:24:9B:55:7A:01:87:72:84:D9:E0:2F:C3:D2:D8:E9)
- ACCV, PKIACCV (93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17)
- Agencia Catalana de Certificacio (NIF Q-0801176-I), EC-ACC, Jerarquia Entitats de Certificacio Catalanes Vegeu https://www.catcert.net/verarrel (c)03 Serveis Publics de Certificacio (28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8)
- AS Sertifitseerimiskeskus, EE Certification Centre Root CA, (C9:A8:B9:E7:55:80:5E:58:E3:53:77:A7:25:EB:AF:C3:7B:27:CC:D7)
- Atos, (2B:B1:F5:3E:55:0C:1D:C5:F1:D4:E6:B7:6A:46:4B:55:06:02:AC:21)
- Autoridad de Certificacion Firmaprofesional CIF A62634068, (AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA)
- certSIGN, certSIGN ROOT CA (FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B)
- China Financial Certification Authority, CFCA EV ROOT, (E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83)
- COMODO CA Limited, COMODO Certification Authority, (66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B)
- Cybertrust Global Root, (5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6)
- D-Trust GmbH, D-TRUST Root CA 3 2013, (6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97)
- Dhimyotis, Certigna Root CA, 0002 48146308100036 (2D:0D:52:14:FF:9E:AD:99:24:01:74:20:47:6E:6C:85:27:27:F5:43)
- Dhimyotis, Certigna, (B1:2E:13:63:45:86:A4:6F:1A:B2:60:68:37:58:2D:C4:AC:FD:94:97)
- DigiNotar B.V., DigiNotar PKIoverheid CA Organisatie - G2, (D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42)
- DigiNotar, DigiNotar Root CA, (C1:77:CB:4B:E0:B4:26:8E:F5:C7:CF:45:99:22:B9:B0:CE:BA:21:2F)
- Disig a.s., CA Disig Root R2, (B5:61:EB:EA:A4:DE:E4:25:4B:69:1A:98:A5:57:47:C2:34:C7:D9:71)
- E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A…., E-Tugra Certification Authority, E-Tugra Sertifikasyon Merkezi (51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39)
- EGO, *.EGO.GOV.TR, EGO BILGI ISLEM (C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1)
- Egypt Trust, Egypt Trust Class 3 Managed PKI Enterprise Administrator CA, Terms of use at https://www.egypttrust.com/repository/rpa (c)08 VeriSign Trust Network (6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1)
- Egypt Trust, Egypt Trust Class 3 Managed PKI Operational Administrator CA, Terms of use at https://www.egypttrust.com/repository/rpa (c)08 VeriSign Trust Network (9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E)
- Egypt Trust, Egypt Trust Class 3 Managed PKI SCO Administrator CA, Terms of use at https://www.egypttrust.com/repository/rpa (c)08 VeriSign Trust Network (83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2)
- eMudhra Inc, emSign ECC Root CA - C3, emSign PKI (B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66)
- eMudhra Inc, emSign Root CA - C1, emSign PKI (E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01)
- eMudhra Technologies Limited, emSign ECC Root CA - G3, emSign PKI (30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1)
- eMudhra Technologies Limited, emSign Root CA - G1, emSign PKI (8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C)
- Entrust, Inc., Entrust Root Certification Authority - G4, (c) 2015 Entrust, Inc. - for authorized use only See www.entrust.net/legal-terms (14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01)
- FNMT-RCM, AC RAIZ FNMT-RCM (EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20)
- GeoTrust Inc., GeoTrust Universal CA 2, (37:9A:19:7B:41:85:45:35:0C:A6:03:69:F3:3C:2E:AF:47:4F:20:79)
- Google Trust Services LLC, GTS Root R1, (E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8)
- Google Trust Services LLC, GTS Root R2, (D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D)
- Google Trust Services LLC, GTS Root R3, (30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5)
- Google Trust Services LLC, GTS Root R4, (2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB)
- Government Root Certification Authority, (F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9)
- GUANG DONG CERTIFICATE AUTHORITY CO.,LTD., GDCA TrustAUTH R5 ROOT, (0F:36:38:5B:81:1A:25:C3:9B:31:4E:83:CA:E9:34:66:70:CC:74:B4)
- Hellenic Academic and Research Institutions Cert. Authority, Hellenic Academic and Research Institutions ECC RootCA 2015, (9F:F1:71:8D:92:D5:9A:F3:7D:74:97:B4:BC:6F:84:68:0B:BA:B6:66)
- Hellenic Academic and Research Institutions Cert. Authority, Hellenic Academic and Research Institutions RootCA 2011, (FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D)
- Hellenic Academic and Research Institutions Cert. Authority, Hellenic Academic and Research Institutions RootCA 2015, (01:0C:06:95:A6:98:19:14:FF:BF:5F:C6:B0:B6:95:EA:29:E9:12:A6)
- Hongkong Post, Hongkong Post Root CA 1, (D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58)
- Hongkong Post, Hongkong Post Root CA 3, (58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02)
- IZENPE S.A., Izenpe.com, (2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19)
- Japan Certification Services, Inc., SecureSign RootCA11, (3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3)
- KKTC Merkez Bankasi, e-islem.kktcmerkezbankasi.org, (F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB)
- Krajowa Izba Rozliczeniowa S.A., SZAFIR ROOT CA2, (E2:52:FA:95:3F:ED:DB:24:60:BD:6E:28:F3:9C:CC:CF:5E:B3:3F:DE)
- Microsec Ltd., Microsec e-Szigno Root CA 2009, (89:DF:74:FE:5C:F4:0F:4A:80:F9:E3:37:7D:54:DA:91:E1:01:31:8E)
- NetLock Kft., NetLock Arany (Class Gold) F..tan..s..tv..ny, Tan..s..tv..nykiad..k (Certification Services) (06:08:3F:59:3F:15:A1:04:A0:69:A4:6B:A9:03:D0:06:B7:97:09:91)
- Network Solutions L.L.C., Network Solutions Certificate Authority, (74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE)
- SecureTrust Corporation, Secure Global CA, (3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B)
- SSL Corporation, SSL.com EV Root Certification Authority ECC, (4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D)
- SSL Corporation, SSL.com EV Root Certification Authority RSA R2, (74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A)
- SSL Corporation, SSL.com Root Certification Authority ECC, (C3:19:7C:39:24:E6:54:AF:1B:C4:AB:20:95:7A:E2:C3:0E:13:02:6A)
- SSL Corporation, SSL.com Root Certification Authority RSA, (B7:AB:33:08:D1:EA:44:77:BA:14:80:12:5A:6F:BD:A9:36:49:0C:BB)
- Staat der Nederlanden, Staat der Nederlanden EV Root CA, (76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB)
- Staat der Nederlanden, Staat der Nederlanden Root CA - G2, (59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16)
- Staat der Nederlanden, Staat der Nederlanden Root CA - G3, (D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC)
- Symantec Corporation, Symantec Class 1 Public Primary Certification Authority - G4, Symantec Trust Network (84:F2:E3:DD:83:13:3E:A9:1D:19:52:7F:02:D7:29:BF:C1:5F:E6:67)
- Symantec Corporation, Symantec Class 1 Public Primary Certification Authority - G6, Symantec Trust Network (51:7F:61:1E:29:91:6B:53:82:FB:72:E7:44:D9:8D:C3:CC:53:6D:64)
- Symantec Corporation, Symantec Class 2 Public Primary Certification Authority - G4, Symantec Trust Network (67:24:90:2E:48:01:B0:22:96:40:10:46:B4:B1:67:2C:A9:75:FD:2B)
- Symantec Corporation, Symantec Class 2 Public Primary Certification Authority - G6, Symantec Trust Network (40:B3:31:A0:E9:BF:E8:55:BC:39:93:CA:70:4F:4E:C2:51:D4:1D:8F)
- TAIWAN-CA, TWCA Global Root CA, Root CA (9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65)
- TAIWAN-CA, TWCA Root Certification Authority, Root CA (CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48)
- TrustCor Systems S. de R.L., TrustCor ECA-1, TrustCor Certificate Authority (58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD)
- TrustCor Systems S. de R.L., TrustCor RootCert CA-1, TrustCor Certificate Authority (FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A)
- TrustCor Systems S. de R.L., TrustCor RootCert CA-2, TrustCor Certificate Authority (B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0)
- Trustis Limited, Trustis FPS Root CA (3B:C0:38:0B:33:C3:F6:A6:0C:86:15:22:93:D9:DF:F5:4B:81:C0:04)
- Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1, Kamu Sertifikasyon Merkezi - Kamu SM (31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA)
- UniTrust, UCA Extended Validation Root, (A3:A1:B0:6F:24:61:23:4A:E3:36:A5:C2:37:FC:A6:FF:DD:F0:D7:3A)
- UniTrust, UCA Global G2 Root, (28:F9:78:16:19:7A:FF:18:25:18:AA:44:FE:C1:A0:CE:5C:B6:4C:8A)
- Unizeto Technologies S.A., Certum Trusted Network CA 2, Certum Certification Authority (D3:DD:48:3E:2B:BF:4C:05:E8:AF:10:F5:FA:76:26:CF:D3:DC:30:92)
- VeriSign, Inc., VeriSign Class 1 Public Primary Certification Authority - G3, (c) 1999 VeriSign, Inc. - For authorized use only VeriSign Trust Network (20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5)
- VeriSign, Inc., VeriSign Class 2 Public Primary Certification Authority - G3, (c) 1999 VeriSign, Inc. - For authorized use only VeriSign Trust Network (61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11)
- WISeKey, OISTE WISeKey Global Root GA CA, OISTE Foundation Endorsed Copyright (c) 2005 (59:22:A1:E1:5A:EA:16:35:21:F8:98:39:6A:46:46:B0:44:1B:0F:A9)
- WISeKey, OISTE WISeKey Global Root GB CA, OISTE Foundation Endorsed (0F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED)
- WISeKey, OISTE WISeKey Global Root GC CA, OISTE Foundation Endorsed (E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31)
Certificates that are on the Java list, but not the Mozilla list
If you use a certificate from one of these authorities, you may not be compliant (earlier disclaimer about intermediate certificates notwithstanding).
- AddTrust AB, AddTrust Qualified CA Root, AddTrust TTP Network (4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF)
- GTE Corporation, GTE CyberTrust Global Root, GTE CyberTrust Solutions, Inc. (97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74)
- KEYNECTIS, KEYNECTIS ROOT CA, ROOT (9C:61:5C:4D:4D:85:10:3A:53:26:C2:4D:BA:EA:E4:A2:D2:D5:CC:97)
- LuxTrust s.a., LuxTrust Global Root, (C9:3C:34:EA:90:D9:13:0C:0F:03:00:4B:98:BD:8B:35:70:91:56:11)
- Swisscom, Swisscom Root CA 2, Digital Certificate Services (77:47:4F:C6:30:E4:0F:4C:47:64:3F:84:BA:B8:C6:95:4A:8A:41:EC)
- Thawte Consulting cc, Thawte Premium Server CA, Certification Services Division (E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66)
- Thawte, Thawte Timestamping CA, Thawte Certification (20:CE:B1:F0:F5:1C:0E:19:A9:F3:8D:B1:AA:8E:03:8C:AA:7A:C7:01)
- The USERTRUST Network, UTN-USERFirst-Object, http://www.usertrust.com (E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46)
- VeriSign, Inc., Class 3 Public Primary Certification Authority (A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B)
- VeriSign, Inc., VeriSign Trust Network (c) 1998 VeriSign, Inc. - For authorized use only Class 2 Public Primary Certification Authority - G2 (B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D)
- VeriSign, Inc., VeriSign Trust Network (c) 1998 VeriSign, Inc. - For authorized use only Class 3 Public Primary Certification Authority - G2 (85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F)
Certificates that are on both lists
If you are using a certificate from one of these authorities, everything should be fine.
- AC Camerfirma S.A., Chambers of Commerce Root - 2008, (78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C)
- AC Camerfirma S.A., Global Chambersign Root - 2008, (4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C)
- AC Camerfirma SA CIF A82743287, Chambers of Commerce Root, http://www.chambersign.org (6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1)
- Actalis S.p.A./03358520967, Actalis Authentication Root CA, (F3:73:B3:87:06:5A:28:84:8A:F2:F3:4A:CE:19:2B:DD:C7:8E:9C:AC)
- AddTrust AB, AddTrust Class 1 CA Root, AddTrust TTP Network (CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D)
- AddTrust AB, AddTrust External CA Root, AddTrust External TTP Network (02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68)
- AffirmTrust, AffirmTrust Commercial, (F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7)
- AffirmTrust, AffirmTrust Networking, (29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F)
- AffirmTrust, AffirmTrust Premium ECC, (B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB)
- AffirmTrust, AffirmTrust Premium, (D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27)
- Amazon, Amazon Root CA 1, (8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16)
- Amazon, Amazon Root CA 2, (5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A)
- Amazon, Amazon Root CA 3, (0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E)
- Amazon, Amazon Root CA 4, (F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE)
- Baltimore, Baltimore CyberTrust Root, CyberTrust (D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74)
- Buypass AS-983163327, Buypass Class 2 Root CA, (49:0A:75:74:DE:87:0A:47:FE:58:EE:F6:C7:6B:EB:C6:0B:12:40:99)
- Buypass AS-983163327, Buypass Class 3 Root CA, (DA:FA:F7:FA:66:84:EC:06:8F:14:50:BD:C7:C2:81:A5:BC:A9:64:57)
- Chunghwa Telecom Co., Ltd., ePKI Root Certification Authority (67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0)
- Comodo CA Limited, AAA Certificate Services, (D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49)
- COMODO CA Limited, COMODO ECC Certification Authority, (9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11)
- COMODO CA Limited, COMODO RSA Certification Authority, (AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4)
- D-Trust GmbH, D-TRUST Root Class 3 CA 2 2009, (58:E8:AB:B0:36:15:33:FB:80:F7:9B:1B:6D:29:D3:FF:8D:5F:00:F0)
- D-Trust GmbH, D-TRUST Root Class 3 CA 2 EV 2009, (96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83)
- DigiCert Inc, DigiCert Assured ID Root CA, www.digicert.com (05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43)
- DigiCert Inc, DigiCert Assured ID Root G2, www.digicert.com (A1:4B:48:D9:43:EE:0A:0E:40:90:4F:3C:E0:A4:C0:91:93:51:5D:3F)
- DigiCert Inc, DigiCert Assured ID Root G3, www.digicert.com (F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89)
- DigiCert Inc, DigiCert Global Root CA, www.digicert.com (A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36)
- DigiCert Inc, DigiCert Global Root G2, www.digicert.com (DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4)
- DigiCert Inc, DigiCert Global Root G3, www.digicert.com (7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E)
- DigiCert Inc, DigiCert High Assurance EV Root CA, www.digicert.com (5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25)
- DigiCert Inc, DigiCert Trusted Root G4, www.digicert.com (DD:FB:16:CD:49:31:C9:73:A2:03:7D:3F:C8:3A:4D:7D:77:5D:05:E4)
- DST Root CA X3, (DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13)
- Entrust, Inc., Entrust Root Certification Authority - EC1, (c) 2012 Entrust, Inc. - for authorized use only See www.entrust.net/legal-terms (20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47)
- Entrust, Inc., Entrust Root Certification Authority - G2, (c) 2009 Entrust, Inc. - for authorized use only See www.entrust.net/legal-terms (8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4)
- Entrust, Inc., Entrust Root Certification Authority, (c) 2006 Entrust, Inc. www.entrust.net/CPS is incorporated by reference (B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9)
- Entrust.net Certification Authority (2048), (c) 1999 Entrust.net Limited www.entrust.net/CPS_2048 incorp. by ref. (limits liab.) (50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31)
- GeoTrust Inc., GeoTrust Global CA, (DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12)
- GeoTrust Inc., GeoTrust Primary Certification Authority - G2, (c) 2007 GeoTrust Inc. - For authorized use only (8D:17:84:D5:37:F3:03:7D:EC:70:FE:57:8B:51:9A:99:E6:10:D7:B0)
- GeoTrust Inc., GeoTrust Primary Certification Authority - G3, (c) 2008 GeoTrust Inc. - For authorized use only (03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD)
- GeoTrust Inc., GeoTrust Primary Certification Authority, (32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96)
- GeoTrust Inc., GeoTrust Universal CA, (E6:21:F3:35:43:79:05:9A:4B:68:30:9D:8A:2F:74:22:15:87:EC:79)
- GlobalSign nv-sa, GlobalSign Root CA, Root CA (B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C)
- GlobalSign, GlobalSign, (1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA)
- GlobalSign, GlobalSign, (69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB)
- GlobalSign, GlobalSign, (75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE)
- GlobalSign, GlobalSign, (80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1)
- GlobalSign, GlobalSign, (D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD)
- GoDaddy.com, Inc., Go Daddy Root Certificate Authority - G2, (47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B)
- IdenTrust, IdenTrust Commercial Root CA 1, (DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25)
- IdenTrust, IdenTrust Public Sector Root CA 1, (BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD)
- Internet Security Research Group, ISRG Root X1, (CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8)
- LuxTrust S.A., LuxTrust Global Root 2, (1E:0E:56:19:0A:D1:8B:25:98:B2:04:44:FF:66:8A:04:17:99:5F:3F)
- QuoVadis Limited, QuoVadis Root CA 1 G3, (1B:8E:EA:57:96:29:1A:C9:39:EA:B8:0A:81:1A:73:73:C0:93:79:67)
- QuoVadis Limited, QuoVadis Root CA 2 G3, (09:3C:61:F3:8B:8B:DC:7D:55:DF:75:38:02:05:00:E1:25:F5:C8:36)
- QuoVadis Limited, QuoVadis Root CA 2, (CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7)
- QuoVadis Limited, QuoVadis Root CA 3 G3, (48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D)
- QuoVadis Limited, QuoVadis Root CA 3, (1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85)
- QuoVadis Limited, QuoVadis Root Certification Authority, Root Certification Authority (DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9)
- SECOM Trust Systems CO.,LTD., Security Communication RootCA2 (5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74)
- SECOM Trust.net, Security Communication RootCA1 (36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7)
- SecureTrust Corporation, SecureTrust CA, (87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11)
- Sonera, Sonera Class2 CA, (37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27)
- Starfield Technologies, Inc., Starfield Class 2 Certification Authority (AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A)
- Starfield Technologies, Inc., Starfield Root Certificate Authority - G2, (B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E)
- Starfield Technologies, Inc., Starfield Services Root Certificate Authority - G2, (92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F)
- SwissSign AG, SwissSign Gold CA - G2, (D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61)
- SwissSign AG, SwissSign Platinum CA - G2, (56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66)
- SwissSign AG, SwissSign Silver CA - G2, (9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB)
- T-Systems Enterprise Services GmbH, T-TeleSec GlobalRoot Class 2, T-Systems Trust Center (59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9)
- T-Systems Enterprise Services GmbH, T-TeleSec GlobalRoot Class 3, T-Systems Trust Center (55:A6:72:3E:CB:F2:EC:CD:C3:23:74:70:19:9D:2A:BE:11:E3:81:D1)
- TeliaSonera Root CA v1, (43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37)
- thawte, Inc., thawte Primary Root CA - G2, (c) 2007 thawte, Inc. - For authorized use only (AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12)
- thawte, Inc., thawte Primary Root CA - G3, (c) 2008 thawte, Inc. - For authorized use only Certification Services Division (F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2)
- thawte, Inc., thawte Primary Root CA, (c) 2006 thawte, Inc. - For authorized use only Certification Services Division (91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81)
- The Go Daddy Group, Inc., Go Daddy Class 2 Certification Authority (27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4)
- The USERTRUST Network, USERTrust ECC Certification Authority, (D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0)
- The USERTRUST Network, USERTrust RSA Certification Authority, (2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E)
- Unizeto Sp. z o.o., Certum CA, (62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18)
- Unizeto Technologies S.A., Certum Trusted Network CA, Certum Certification Authority (07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E)
- VeriSign, Inc., VeriSign Class 3 Public Primary Certification Authority - G3, (c) 1999 VeriSign, Inc. - For authorized use only VeriSign Trust Network (13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6)
- VeriSign, Inc., VeriSign Class 3 Public Primary Certification Authority - G4, (c) 2007 VeriSign, Inc. - For authorized use only VeriSign Trust Network (22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A)
- VeriSign, Inc., VeriSign Class 3 Public Primary Certification Authority - G5, (c) 2006 VeriSign, Inc. - For authorized use only VeriSign Trust Network (4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5)
- VeriSign, Inc., VeriSign Universal Root Certification Authority, (c) 2008 VeriSign, Inc. - For authorized use only VeriSign Trust Network (36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54)
- XRamp Security Services Inc, XRamp Global Certification Authority, www.xrampsecurity.com (B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6)