tree: f7704b215b56baab90812dceeb2a4c7321b0d382 [path history] [tgz]
  1. README.md
  2. excluded/
  3. roots/
net/data/ssl/symantec/README.md

Symantec Certificates

This directory contains the set of known active and legacy root certificates operated by Symantec Corporation. In order for certificates issued from roots to be trusted, it is required that the certificates be logged using Certificate Transparency.

For details about why, see https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html

The exception to this is sub-CAs which have been disclosed as independently operated, whose keys are not in control of Symantec, and which are maintaining a current and appropriate audit.

Roots

The full set of roots are in the roots/ directory, organized by SHA-256 hash of the certificate file.

The following command can be used to match certificates and their key hashes:

for f in roots/*.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort

Excluded Sub-CAs

Aetna

WebTrust audit confirmed out-of-band. Certification Practices Statement Note: Not issuing new certificates and can be removed after October 2016.

Apple

WebTrust Audit Certification Practices Statement

Google

WebTrust Audit Certification Practices Statement

Unicredit

Audit information still undergoing review. Certification Practices Statement