# Author: JP Donnio
# Contact: tag-nss-restrict-ca@tbs-internet.com
# http://www.tbs-certificats.com/
#
# Doc at: http://www.tbs-certificats.com/ssl/nss_tools_crl_ca_control.html
#
# Version: 1.1
# Date: 2009-07-22
#
# File used by nss_restrict_ca
#
# updated against NSS 3.11 libnssckbi.so
#
# Format: CN\tflags
# which means: CA's CN field, a tab, NSS trust flags
#
# all commented-out items will be disabled in the database
# so just add entries for CAs you trust
#
# comments are added to document changes we made.
# Typically, all domain-validated roots are disabled, unknown CAs (to us) too
#
# we advise to add the CRLs of all roots you trust in nss_update_crl.list
# whenever you add an item here
#
#
Verisign/RSA Secure Server CA	CG,C,
#expired#GTE CyberTrust Root CA	CG,C,C
GTE CyberTrust Global Root	CG,C,C
Thawte Personal Basic CA	,C,C
Thawte Personal Premium CA	,C,C
Thawte Personal Freemail CA	,C,
#domain-validated#Thawte Server CA	cG,,c
Thawte Premium Server CA	CG,,C
#domain-validated#Equifax Secure CA	C,C,C
#unknown#ABAecom (sub., Am. Bankers Assn.) Root CA	CG,C,C
#unknown#Digital Signature Trust Co. Global CA 1	CG,C,C
#unknown#Digital Signature Trust Co. Global CA 3	CG,C,C
#unknown#Digital Signature Trust Co. Global CA 2	CG,C,C
#unknown#Digital Signature Trust Co. Global CA 4	CG,C,C
Verisign Class 1 Public Primary Certification Authority	,C,
Verisign Class 2 Public Primary Certification Authority	,C,C
Verisign Class 3 Public Primary Certification Authority	CG,C,C
Verisign Class 1 Public Primary Certification Authority - G2	,C,
Verisign Class 2 Public Primary Certification Authority - G2	,C,C
Verisign Class 3 Public Primary Certification Authority - G2	C,C,C
#no certs issued#Verisign Class 4 Public Primary Certification Authority - G2	CG,C,C
#globalsign does domain-validated, so allow only email-certs
GlobalSign Root CA	c,C,c
GlobalSign Root CA - R2	c,C,c
#unknown#ValiCert Class 1 VA	C,C,C
#unknown#ValiCert Class 2 VA	C,C,C
#unknown#RSA Root Certificate 1	C,C,C
Verisign Class 1 Public Primary Certification Authority - G3	,C,
Verisign Class 2 Public Primary Certification Authority - G3	,C,C
Verisign Class 3 Public Primary Certification Authority - G3	C,C,C
#no certs issued#Verisign Class 4 Public Primary Certification Authority - G3	CG,C,C
# Entrust only ok for SSL
Entrust.net Secure Server CA	CT,c,c
#unknown#Entrust.net Secure Personal CA	C,C,C
#unknown#Entrust.net Premium 2048 Secure Server CA	C,C,C
#unknown#Baltimore CyberTrust Root	C,C,
#domain-validated#Equifax Secure Global eBusiness CA	C,C,C
#domain-validated#Equifax Secure eBusiness CA 1	C,C,C
#domain-validated#Equifax Secure eBusiness CA 2	C,C,C
#unknown#Visa International Global Root 2	C,C,
#unknown#beTRUSTed Root CA	C,C,C
AddTrust Low-Value Services Root	c,C,c
# only used for SSL
AddTrust External Root	CT,c,c
#unknown#AddTrust Public Services Root	C,C,C
# only used for code signing
AddTrust Qualified Certificates Root	c,c,C
Verisign Time Stamping Authority CA	C,C,C
Thawte Time Stamping CA	C,C,C
#unknown#Entrust.net Global Secure Server CA	C,C,C
#unknown#Entrust.net Global Secure Personal CA	C,C,C
Entrust Root Certification Authority	C,,
#unknown#AOL Time Warner Root Certification Authority 1	C,C,C
#unknown#AOL Time Warner Root Certification Authority 2	C,C,C
#unknown#beTRUSTed Root CA-Baltimore Implementation	C,C,C
#unknown#beTRUSTed Root CA - Entrust Implementation	C,C,C
#unknown#beTRUSTed Root CA - RSA Implementation	C,C,C
#unknown#RSA Security 2048 v3	C,C,C
#unknown#RSA Security 1024 v3	C,C,C
#domain-validated#GeoTrust Global CA	C,C,C
#domain-validated#GeoTrust Global CA 2	C,C,C
#domain-validated#GeoTrust Universal CA	C,C,C
#domain-validated#GeoTrust Universal CA 2	C,C,C
#domain-validated#UTN-USER First-Network Applications	C,C,C
#unknown#America Online Root Certification Authority 1	C,C,C
#unknown#America Online Root Certification Authority 2	C,C,C
#
# 20081201 for 3dsecure
Visa eCommerce Root	C,,
#unknown#TC TrustCenter, Germany, Class 2 CA	C,C,C
#unknown#TC TrustCenter, Germany, Class 3 CA	C,C,C
#unknown#Certum Root CA	C,C,C
Comodo AAA Services root	C,C,C
Comodo Secure Services root	C,C,C
Comodo Trusted Services root	C,C,C
#unknown#IPS Chained CAs root	C,C,C
#unknown#IPS CLASE1 root	C,C,C
#unknown#IPS CLASE3 root	C,C,C
#unknown#IPS CLASEA1 root	C,C,C
#unknown#IPS CLASEA3 root	C,C,C
#unknown#IPS Servidores root	C,C,C
#unknown#IPS Timestamping root	C,C,C
#unknown#QuoVadis Root CA	C,C,C
#unknown#QuoVadis Root CA 2	C,C,C
#unknown#QuoVadis Root CA 3	C,C,C
#unknown#Security Communication Root CA	C,C,C
#unknown#Sonera Class 1 Root CA	,C,
#unknown#Sonera Class 2 Root CA	C,C,C
#unknown#Staat der Nederlanden Root CA	C,C,C
#unknown#TDC Internet Root CA	C,C,C
#unknown#TDC OCES Root CA	C,C,C
UTN DATACorp SGC Root CA	CT,C,c
UTN USERFirst Email Root CA	,C,
UTN USERFirst Hardware Root CA	C,,
UTN USERFirst Object Root CA	,,C
#unknown#Camerfirma Chambers of Commerce Root	C,C,C
#unknown#Camerfirma Global Chambersign Root	C,C,C
#unknown#NetLock Qualified (Class QA) Root	,C,C
#unknown#NetLock Notary (Class A) Root	C,C,C
#unknown#NetLock Business (Class B) Root	C,C,C
#unknown#NetLock Express (Class C) Root	C,C,C
#unknown#XRamp Global CA Root	C,C,C
#unknown#Go Daddy Class 2 CA	C,C,C
#unknown#Starfield Class 2 CA	C,C,C
#unknown#StartCom Ltd.	C,C,
#unknown#StartCom Certification Authority	C,C,
#unknown#Taiwan GRCA	C,C,C
#unknown#Firmaprofesional Root CA	C,C,
#unknown#Wells Fargo Root CA	C,C,C
#unknown#Swisscom Root CA 1	C,C,C
#unknown#DigiCert Assured ID Root CA	C,C,
#unknown#DigiCert Global Root CA	C,C,
DigiCert High Assurance EV Root CA	CT,C,c
Certplus Class 2 Primary CA	C,C,
#unknown#DST Root CA X3	C,,
#unknown#DST ACES CA X6	C,,
#unknown#TURKTRUST Certificate Services Provider Root 1	C,C,C
#unknown#TURKTRUST Certificate Services Provider Root 2	C,C,C
#unknown#SwissSign Platinum CA - G2	,C,C
#unknown#SwissSign Gold CA - G2	C,C,C
#unknown#SwissSign Silver CA - G2	C,C,C
# no domain-validated out of it?
GeoTrust Primary Certification Authority	C,,
# no domain-validated out of it?
thawte Primary Root CA	C,,
VeriSign Class 3 Public Primary Certification Authority - G5	C,,
#unknown#SecureTrust CA	C,,C
#unknown#Secure Global CA	C,C,C
# no domain-validated out of it?
COMODO Certification Authority	C,C,C
COMODO ECC Certification Authority	C,C,C
#unknown#DigiNotar Root CA	C,,C
#unknown#Network Solutions Certificate Authority	C,,
#
# local root additions
#
# note that NSS does not care if intermediate roots have no flags on, as long as there is a higher level cert in the DB with proper flags
# this is pretty ANNOYING because it prevents us from banning a sub-CA!!!
#
# alternate VS roots
Verisign Class 1 Primary CA	,C,
VeriSign Class 1 Primary CA	,C,
Verisign Class 2 Primary CA	,C,C
VeriSign Class 2 Primary CA	,C,C
Verisign Class 3 Primary CA	CG,C,C
VeriSign Class 3 Primary CA	CG,C,C
#no certs issued#Verisign Class 4 Primary CA	CG,C,C
#no certs issued#VeriSign Class 4 Primary CA	CG,C,C
VeriSign Class 3 Public Primary Certification Authority - G5 - VeriSign, Inc.	CT,c,c
Verisign Secure Server OCSP Responder	C,C,C
Verisign Class 1 Public Primary OCSP Responder	C,C,C
Verisign Class 2 Public Primary OCSP Responder	C,C,C
Verisign Class 3 Public Primary OCSP Responder	C,C,C
#no certs issued#Verisign Class 4 Public Primary OCSP Responder	C,C,C
#
# thawte intermediates
Thawte Personal Freemail Issuing Key 1997.06.24 08:27 - Thawte Consulting	c,C,c
Thawte Personal Freemail RSA Issuing Key 1998.1.28 - Thawte Consulting	c,C,c
Thawte Personal Freemail RSA Issuing Key 1998.2.25 - Thawte Consulting	c,C,c
Thawte Personal Freemail RSA Issuer 1998.9.16 - Thawte Consulting	c,C,c
Personal Freemail RSA 1999.9.16 - Thawte Consulting	c,C,c
Personal Freemail RSA 2000.8.30 - Thawte Consulting	c,C,c
Thawte Personal Freemail Issuing CA - Thawte Consulting	c,C,c
thawte Primary Root CA - thawte, Inc.	CT,c,c
# CSF - Classe III - Sign et Crypt - Autorite Consulaire	c,C,c
ChamberSign France - Initio - CHAMBERSIGN FRANCE	c,C,c
# UTN-USERFirst-Client Authentication and Email - Comodo CA Limited	c,C,c
UTN-USERFirst-Client Authentication and Email - Comodo CA Limited	c,C,c
AddTrust Class 1 CA Root - The USERTRUST Network	CT,C,c
AddTrust Non-Validated Services Root	c,C,c
Comodo Class 3 Security Services CA - GTE Corporation	CT,C,c
# GlobalSign Class 2 CA - GlobalSign nv-sa	c,C,c
#
# GOUV FR IGC/A	C,C,C
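An added example (the editor's, not code from nss_restrict_ca or TBS) that parses this list's `CN<TAB>flags` format and derives per-usage trust from the three flag groups the way the comments above use them (uppercase C = trusted CA for that usage, lowercase c or an empty group = not trusted). The sample entries are copied from the list; the database path is a placeholder, and the `certutil -M` lines only illustrate one way such a list could be applied, since how nss_restrict_ca itself writes the database is not shown here.

```python
import re

# Constructed sample in the file's own "CN<TAB>flags" format; entries are copied
# from the list above. A "#reason#" prefix marks an entry that must be disabled.
SAMPLE = (
    "# Entrust only ok for SSL\n"
    "Entrust.net Secure Server CA\tCT,c,c\n"
    "#domain-validated#Equifax Secure CA\tC,C,C\n"
    "GlobalSign Root CA\tc,C,c\n"
    "AddTrust Qualified Certificates Root\tc,c,C\n"
    "UTN USERFirst Object Root CA\t,,C\n"
    "#unknown#DST Root CA X3\tC,,\n"
)

# Order of the three comma-separated NSS trust groups.
USAGES = ("ssl", "email", "objsign")


def parse_restrict_list(text):
    """Return {cn: {"flags": str, "enabled": bool, "trusted": set of usages}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = True
        if line.startswith("#"):
            # "#reason#CN<TAB>flags" is a disabled entry; any other "#..." line
            # is a free-form comment and carries no CA at all.
            m = re.match(r"^#[^#\t]*#(.+)$", line)
            if not m:
                continue
            enabled = False
            line = m.group(1)
        if "\t" not in line:
            raise ValueError("entry without tab separator: %r" % raw)
        cn, flags = line.split("\t", 1)
        groups = flags.strip().split(",")
        if len(groups) != 3:
            raise ValueError("expected 3 trust groups for %r" % cn)
        # Uppercase C in a group means trusted CA for that usage; "c" or "" does not.
        trusted = {u for u, g in zip(USAGES, groups) if "C" in g}
        entries[cn.strip()] = {"flags": flags.strip(), "enabled": enabled, "trusted": trusted}
    return entries


def certutil_commands(entries, dbdir="/path/to/nssdb"):
    """Illustrative only (editor's assumption): emit one certutil -M line per CA,
    writing the listed flags for enabled entries and an empty trust string for
    disabled ones. -M/-n/-t/-d are real certutil options; dbdir is a placeholder."""
    return ['certutil -d %s -M -n "%s" -t "%s"' % (dbdir, cn, e["flags"] if e["enabled"] else ",,")
            for cn, e in entries.items()]
```

Note that, as the comment on intermediates above warns, an empty trust string on a sub-CA does not by itself block it in NSS when a trusted higher-level certificate is in the database.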