From Fedora Project Wiki


Revision as of 14:00, 21 November 2014

This is the home page for the ca-certificates.rpm package included in Fedora. It contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.

For the upstream project, see:

The purpose of this page is to document and explain changes that Fedora applies on top of the upstream project.


Starting with version 2.1 of the package, the set of certificates trusted by default differs from the upstream project, for compatibility reasons.

Certain CA certificates are kept trusted, in order to ensure compatibility for software that cannot automatically find alternative trust chains, such as OpenSSL. See also this tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1166614

Note that users and administrators can use the ca-legacy command, which changes a system-wide configuration. Running "ca-legacy disable" with root permissions disables the Fedora-specific modifications, so that the trust settings defined by the upstream Mozilla project are used instead.

Please note that a CA has three independent trust flags: for web site (TLS) trust, for email protection (e.g. S/MIME), and for code signing. Any combination of the trust flags is possible. For example, a CA might have its TLS trust removed if the CA states that all of its customers have had the chance to migrate to a different set of root CA certificates, while the same CA certificate remains trusted for email protection.


Changes in Version 2.1

Below is the list of CAs that had trust removed in the upstream list version 2.1, but which are kept included in the Fedora package. (See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1144808 )

  • Verisign Class 3 Public Primary Certification Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
 
  • Verisign Class 2 Public Primary Certification Authority - G2
    • legacy trust: email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
 # Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
 
  • ValiCert Class 1 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Fri Jun 25 22:23:48 1999
 # Not Valid After : Tue Jun 25 22:23:48 2019
 # Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
 # Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
 
  • ValiCert Class 2 VA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Sat Jun 26 00:19:54 1999
 # Not Valid After : Wed Jun 26 00:19:54 2019
 # Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
 # Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
 
  • RSA Root Certificate 1
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Serial Number: 1 (0x1)
 # Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
 # Not Valid Before: Sat Jun 26 00:22:33 1999
 # Not Valid After : Wed Jun 26 00:22:33 2019
 # Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
 # Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
 
  • Entrust.net Secure Server CA
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): (none)
 # Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
 # Serial Number: 927650371 (0x374ad243)
 # Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
 # Not Valid Before: Tue May 25 16:09:40 1999
 # Not Valid After : Sat May 25 16:39:40 2019
 # Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
 # Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
 
  • Verisign Class 3 Public Primary Certification Authority
    • legacy trust: tls, email, codesigning
    • latest trust (if legacy disabled): email
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Wed Aug 02 23:59:59 2028
 # Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
 # Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B