
default.pem in Arcanist is out of date - maybe remove it completely?
Closed, Resolved | Public

Description

tldr

If your phorge install uses letsencrypt certs, and any of your clients using arcanist are on centos, you will have this issue.

D25023 Implements a fix
https://github.com/willson556/phorge-devcontainer/pull/6 implements a fix in the phorge-devcontainer for those using this setup.

Issue

We noticed the issue as result of a

https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4

For TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers, and will result in applications/tools failing to establish TLS/HTTPS connections with a certificate has expired message.

In essence, using Arcanist on Centos 7 or 8 no longer works and it seems to be because arcanist is grabbing its own default.pem file which is located here

Note that on Ubuntu, updating the ca-certificates package resolves the issue. However, on Centos we did the suggested update, but arcanist is still for some reason using this old pem file. We don't know why that is yet, but, regardless, this file should probably be updated as it is 5 years out of date.

https://we.phorge.it/source/arcanist/browse/master/resources/ssl/

The last updated date is Certificate data from Mozilla as of: Wed Jan 20 04:12:04 2016

We should update this fallback file to the latest .pem from https://curl.se/docs/caextract.html

Reproduce

Run this command - And it will fail

curl -v --cacert /path/to/arcanist/resources/ssl/default.pem https://letsencrypt.org/

Event Timeline

A friend of mine is able to reproduce this error on an updated Fedora 34 as well.

Deploying the new pem as described in the related D25023 fixed the issue.

What was the original rationale behind shipping a certificate bundle with Arcanist? It may be better to rely on the system certificate bundle instead (that also tends to have certificates from, for example, internal company issuers as well).

This is what the README says - And maybe we should remove support for the default.pem altogether? (But, possibly leave support for custom.pem)

https://we.phorge.it/source/arcanist/browse/master/resources/ssl/README;4230292997cef41ae2ec3259db009ce372b9ae79?as=remarkup

This document describes how to set Certificate Authority information.
Usually, you need to do this only if you're using a self-signed certificate.

OSX after Yosemite

If you're using a version of Mac OSX after Yosemite, you can not configure
certificates from the command line. All libphutil and arcanist options
related to CA configuration are ignored.

Instead, you need to add them to the system keychain. The easiest way to do this
is to visit the site in Safari and choose to permanently accept the certificate.

You can also use security add-trusted-cert from the command line.

All Other Systems

If "curl.cainfo" is not set (or you are using PHP older than 5.3.7, where the
option was introduced), libphutil uses the "default.pem" certificate authority
bundle when making HTTPS requests with cURL. This bundle is extracted from
Mozilla's certificates by cURL:

http://curl.haxx.se/docs/caextract.html

If you want to use a different CA bundle (for example, because you use
self-signed certificates), set "curl.cainfo" if you're using PHP 5.3.7 or newer,
or create a file (or symlink) in this directory named "custom.pem".

If "custom.pem" is present, that file will be used instead of "default.pem".

If you receive errors using your "custom.pem" file, you can test it directly
with curl by running a command like this:

curl -v --cacert path/to/your/custom.pem https://phabricator.example.com/

Replace "path/to/your/custom.pem" with the path to your "custom.pem" file,
and replace "https://phabricator.example.com" with the real URL of your
Phabricator install.

The initial lines of output from curl should give you information about the
SSL handshake and certificate verification, which may be helpful in resolving
the issue.

+1 to removing default.pem
/shrug on keeping custom.pem

Adding custom certificates to the system bundle on Linux is easy enough and usually necessary anyways, so if it takes additional work to keep custom.pem, I'd just drop it.

I also noticed that some of the technical issues (existence of curl.cainfo) would be resolved by T15047

I think updating the current pem file is a good holdover patch for now (sorry for the delay in reviewing the change). Re-working how arcanist manages certs is something we can look at addressing long-term.

We've picked up an updated version of the pem at https://secure.phabricator.com/D21739 - it's not the latest, but is it recent enough?

avivey renamed this task from default.pem in Arcanist is out of date to default.pem in Arcanist is out of date - maybe remove it completely?. Aug 31 2022, 20:21

I submitted D25049 for review on the 26th to address certs signed by the ISRG Root X2 root that is in the updated default.pem file.

@avivey the one in upstream does not contain the new ISRG Root X2 CA.

valerio.bozzolan assigned this task to jacques.

I think we can consider this as resolved by our dear @jacques since I just tried and it finally works ✨

curl -v --cacert arcanist/resources/ssl/default.pem https://letsencrypt.org/

The process to update this file again is quite simple - now that we know how to do it.

Maybe we can just re-open this task the next time it expires (probably in year 2025).

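An added example, not part of the original task or of Arcanist's code: a Python audit of a CA bundle such as default.pem that reports roots already expired, roots expiring within a chosen horizon, and required roots that are absent (ISRG Root X1 and X2, the roots named in this thread). The function names and the `SAMPLE` entries are constructed for illustration; `load_bundle` uses the standard `ssl` module, which only returns certificates it recognises as CAs.

```python
"""Audit a CA bundle (for example arcanist/resources/ssl/default.pem)."""
import ssl
import sys
import time

# Roots discussed in this task; adjust to the issuers your servers chain to.
REQUIRED_ROOTS = ("ISRG Root X1", "ISRG Root X2")

# Constructed sample in the shape returned by SSLContext.get_ca_certs().
# Names come from the thread or are made up; times of day are placeholders.
SAMPLE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "ISRG Root X1"),),),
     "notAfter": "Jun  4 00:00:00 2035 GMT"},
    # Some roots carry no commonName at all, only O/OU.
    {"subject": ((("organizationName", "Example Org Without CN"),),),
     "notAfter": "Mar  1 00:00:00 2023 GMT"},
]


def load_bundle(path):
    """Parse a PEM bundle and return its CA certificates as dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


def display_name(cert):
    """Best label for a root: CN, else OU, else O."""
    fields = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    for key in ("commonName", "organizationalUnitName", "organizationName"):
        if key in fields:
            return fields[key]
    return "<unnamed>"


def audit(certs, now=None, horizon_days=365, required=REQUIRED_ROOTS):
    """Classify roots as expired / expiring soon and list missing required roots."""
    now = time.time() if now is None else now
    horizon = now + horizon_days * 86400
    report = {"expired": [], "expiring": [], "missing": []}
    seen = set()
    for cert in certs:
        name = display_name(cert)
        seen.add(name)
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        if not_after <= now:
            report["expired"].append(name)
        elif not_after <= horizon:
            report["expiring"].append(name)
    report["missing"] = [root for root in required if root not in seen]
    return report


if __name__ == "__main__":
    # With a path argument, audit that bundle; otherwise audit the sample.
    bundle = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    result = audit(bundle)
    for section, names in result.items():
        print(f"{section}: {', '.join(names) if names else '-'}")
    # Non-zero exit lets CI flag a stale bundle before clients start failing.
    sys.exit(1 if result["expired"] or result["missing"] else 0)
```

Run it with the path to the bundle as the only argument; an expired root in the bundle is not by itself a failure cause, but a missing required root is what breaks verification.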