
caroot: Regenerate
Accepted (Public)

Authored by des on Aug 25 2025, 10:07 PM.
Details

Reviewers
allanjude
mandree
michaelo
Group Reviewers
security
Summary
  • 3 new trusted certificates
  • 1 trusted certificate expired
  • 23 new untrusted certificates
  • 7 certificates moved from trusted to untrusted

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Skipped
Unit: Tests Skipped
Build Status: Buildable 66552; Build 63435: arc lint + arc unit

Event Timeline

des requested review of this revision. Aug 25 2025, 10:07 PM

The last time I worked on this I checked every untrusted CA whether it is authentic because there could be a change in the format and our script didn't notice. I ran the current bundle from curl (https://curl.se/docs/caextract.html) and our output by Copilot. They don't match:

Thanks for the detailed list! I checked the [Mozilla CA bundle used by curl](https://curl.se/ca/cacert.pem) and compared it against your list. Here's a summary of **mismatches**—certificates you marked as **Trusted** or **Untrusted** that **do not appear** in the Mozilla bundle:

---

### ❌ Marked as Trusted but **Not Found** in Mozilla Bundle

These are **missing** from `cacert.pem` despite being marked as "Trusted":

- **AC RAIZ FNMT-RCM**
- **AC RAIZ FNMT-RCM SERVIDORES SEGUROS**
- **Atos TrustedRoot 2011**
- **Autoridad de Certificacion Firmaprofesional CIF A62634068**
- **Certum EC-384 CA**
- **Certum Trusted Network CA**
- **Certum Trusted Network CA 2**
- **Certum Trusted Root CA**
- **CommScope Public Trust ECC Root-01**
- **CommScope Public Trust ECC Root-02**
- **CommScope Public Trust RSA Root-01**
- **CommScope Public Trust RSA Root-02**
- **D-TRUST BR Root CA 1 2020**
- **D-TRUST BR Root CA 2 2023**
- **D-TRUST EV Root CA 1 2020**
- **D-TRUST EV Root CA 2 2023**
- **D-TRUST Root Class 3 CA 2 EV 2009**
- **DigiCert TLS ECC P384 Root G5**
- **DigiCert TLS RSA4096 Root G5**
- **GlobalSign ECC Root CA - R4**
- **GlobalSign ECC Root CA - R5**
- **GlobalSign Root CA - R6**
- **GlobalSign Root E46**
- **GlobalSign Root R46**
- **HARICA TLS ECC Root CA 2021**
- **HARICA TLS RSA Root CA 2021**
- **HiPKI Root CA - G1**
- **Hongkong Post Root CA 3**
- **NAVER Global Root Certification Authority**
- **OISTE WISeKey Global Root GB CA**
- **OISTE WISeKey Global Root GC CA**
- **QuoVadis Root CA 1 G3**
- **QuoVadis Root CA 2 G3**
- **QuoVadis Root CA 3 G3**
- **Secure Global CA**
- **SecureSign Root CA12**
- **SecureSign Root CA14**
- **SecureSign Root CA15**
- **Security Communication ECC RootCA1**
- **Security Communication RootCA2**
- **SSL.com EV Root Certification Authority ECC**
- **SSL.com EV Root Certification Authority RSA R2**
- **SSL.com Root Certification Authority ECC**
- **SSL.com Root Certification Authority RSA**
- **SSL.com TLS ECC Root CA 2022**
- **SSL.com TLS RSA Root CA 2022**
- **SwissSign Gold CA - G2**
- **SwissSign RSA TLS Root CA 2022 - 1**
- **SZAFIR ROOT CA2**
- **T-TeleSec GlobalRoot Class 2**
- **T-TeleSec GlobalRoot Class 3**
- **Telekom Security TLS ECC Root 2020**
- **Telekom Security TLS RSA Root 2023**
- **TrustAsia Global Root CA G3**
- **TrustAsia Global Root CA G4**
- **TrustAsia TLS ECC Root CA**
- **TrustAsia TLS RSA Root CA**
- **Trustwave Global ECC P256 Certification Authority**
- **Trustwave Global ECC P384 Certification Authority**
- **TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1**
- **TunTrust Root CA**
- **TWCA CYBER Root CA**
- **TWCA Global Root CA**
- **TWCA Root Certification Authority**
- **UCA Extended Validation Root**
- **UCA Global G2 Root**
- **vTrus ECC Root CA**
- **vTrus Root CA**

---

### ❌ Marked as Untrusted but **Found** in Mozilla Bundle

These are **present** in `cacert.pem` despite being marked "Untrusted":

- **COMODO Certification Authority**
- **COMODO ECC Certification Authority**
- **COMODO RSA Certification Authority**
- **DigiCert Assured ID Root CA**
- **DigiCert Global Root CA**
- **DigiCert High Assurance EV Root CA**
- **Entrust Root Certification Authority**
- **Entrust Root Certification Authority - EC1**
- **Entrust Root Certification Authority - G2**
- **GlobalSign Root CA - R3**
- **Go Daddy Root Certificate Authority - G2**
- **Starfield Root Certificate Authority - G2**
- **Starfield Services Root Certificate Authority - G2**
- **SecureTrust CA**

---

Let me know if you'd like a filtered list of only the **missing** or **unexpectedly present** certificates, or if you want to automate this comparison in a script.

This really needs some manual validation...

> The last time I worked on this I checked every untrusted CA whether it is authentic because there could be a change in the format and our script didn't notice. I ran the current bundle from curl (https://curl.se/docs/caextract.html) and our output by Copilot.

I didn't bother reading beyond this point.

I did check this thoroughly. Eight formerly trusted certificates are no longer trusted. “Baltimore CyberTrust Root” has expired and was dropped outright. The other seven moved to untrusted: “GLOBALTRUST 2020” had a “distrust after” date which has now passed, and Mozilla switched the remaining six from “trusted delegator” to “must verify”, cf. Mozilla bug 1957685.
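The Copilot comparison above matched certificates by display name, which is what produced the long lists of spurious mismatches; a reproducible check compares SHA-256 fingerprints and lets openssl(1) decide expiry, the same "Not After" criterion applied to Baltimore CyberTrust Root in the reply. The script below is an added example for this thread, not FreeBSD's caroot tooling or anything posted in the review; it assumes a POSIX sh with openssl(1), comm(1) and mktemp(1), and the bundle file names in the usage line are placeholders.

```shell
#!/bin/sh
# Audit a PEM CA bundle and diff two bundles by SHA-256 fingerprint.
# Assumes openssl(1), comm(1) and mktemp(1) are available (added example).
set -eu

# Split the PEM bundle $1 into one file per certificate under directory $2;
# text outside BEGIN/END CERTIFICATE blocks (cacert.pem carries comments) is dropped.
split_bundle() {
    bundle=$1 dir=$2 n=0 out=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
        "-----BEGIN CERTIFICATE-----") n=$((n + 1)); out="$dir/$n.pem"; : > "$out" ;;
        esac
        [ -n "$out" ] && printf '%s\n' "$line" >> "$out"
        case $line in
        "-----END CERTIFICATE-----") out= ;;
        esac
    done < "$bundle"
}

# Print "<sha256 fingerprint> <valid|EXPIRED> <subject>" per certificate in bundle $1.
# The fingerprint identifies a certificate regardless of how its name is rendered;
# "-checkend 0" fails for a certificate whose Not After date has already passed.
audit_bundle() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then st=valid; else st=EXPIRED; fi
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        printf '%s %s %s\n' "$fp" "$st" "$subj"
    done
    rm -rf "$tmp"
}

# List fingerprints of certificates present in bundle $1 but absent from bundle $2.
only_in_first() {
    a=$(mktemp) b=$(mktemp)
    audit_bundle "$1" | cut -d' ' -f1 | sort > "$a"
    audit_bundle "$2" | cut -d' ' -f1 | sort > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Usage: sh caroot-audit.sh our-bundle.pem cacert.pem   (placeholder file names)
if [ "$#" -eq 2 ]; then
    audit_bundle "$1"
    echo "--- in $1 but not in $2 (by fingerprint):"
    only_in_first "$1" "$2"
fi
```

Run it in both directions to get the two lists the Copilot output tried to produce, with fingerprints that can be checked against the Mozilla CCADB data directly.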

In D52158#1191948, @des wrote:

> > The last time I worked on this I checked every untrusted CA whether it is authentic because there could be a change in the format and our script didn't notice. I ran the current bundle from curl (https://curl.se/docs/caextract.html) and our output by Copilot.
>
> I didn't bother reading beyond this point.
>
> I did check this thoroughly. Eight formerly trusted certificates are no longer trusted. “Baltimore CyberTrust Root” has expired and was dropped outright. The other seven moved to untrusted: “GLOBALTRUST 2020” had a “distrust after” date which has now passed, and Mozilla switched the remaining six from “trusted delegator” to “must verify”, cf. Mozilla bug 1957685.

I went through, cross-checked. The change looks fine, but needs:

  • MFC to 14 and 13
  • Request SA to have it patched for current RELEASE builds (I did request last time and it worked well)

This revision is now accepted and ready to land. Aug 27 2025, 7:39 AM

You need to update ObsoleteFiles.inc as well, no?

This revision now requires changes to proceed. Aug 27 2025, 7:48 AM

You can completely remove `untrusted/Explicitly_Distrust_DigiNotar_Root_CA.pem`: Not After : Mar 31 18:19:22 2025 GMT

des edited the summary of this revision.

update

You also forgot to delete the expired distrusted one.

This review also contains, unfortunately from the OpenSSL bump, a lot of noise.

ObsoleteFiles.inc:63

Why do I count eight, but seven are documented?

des marked an inline comment as done. Aug 27 2025, 11:20 AM
des added inline comments.
ObsoleteFiles.inc:63

I've already given you the detailed breakdown.

des marked an inline comment as done. Aug 27 2025, 11:21 AM

I am fine with the change as long as this is met: https://reviews.freebsd.org/D52158#1192019

This revision is now accepted and ready to land. Sep 3 2025, 2:40 PM