This directory contains the set of known active and legacy root certificates operated by Symantec Corporation. In order for certificates issued from these roots to be trusted, the certificates must be logged using Certificate Transparency.
For details about why, see https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
The exception to this is sub-CAs that have been disclosed as independently operated, whose keys are not under Symantec's control, and which maintain a current and appropriate audit.
The full set of roots is in the roots/ directory, organized by the SHA-256 hash of the certificate file.
The following command can be used to match certificates to their SubjectPublicKeyInfo (key) hashes:
for f in roots/*.pem; do
  # Extract the SubjectPublicKeyInfo as DER (asn1parse -out writes the binary form).
  openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -noout -out /tmp/pubkey.out
  # SHA-256 of the SPKI, colon-separated by -c, rewritten as a 0x.. byte list.
  digest=$(openssl dgst -sha256 -c < /tmp/pubkey.out | awk '{print $2}' | sed 's/:/,0x/g')
  echo "0x${digest} ${f##*/}"
done | sort
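The same SPKI hash computed without openssl, as an added example that is not part of this directory's own tooling: it walks the certificate DER to the SubjectPublicKeyInfo, hashes it, and prints the same 0x.. byte list as the shell loop above. The sample certificate is constructed inline (a structurally valid skeleton, not a real Symantec root) so the script runs offline; point pem_to_der at a real roots/*.pem file to use it.

```python
import base64, hashlib, re

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    hdr = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + body

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV (what `openssl x509 -pubkey | asn1parse -out` emits)."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version (absent in v1 certs)
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)        # subjectPublicKeyInfo SEQUENCE
    return cert_der[pos:end]

def spki_hash_line(cert_der):
    """SHA-256 of the SPKI as the 0xab,0xcd,... byte list the shell loop prints."""
    return ",".join("0x%02x" % b for b in hashlib.sha256(extract_spki(cert_der)).digest())

# Constructed sample (not a real root): v3 skeleton with empty names and a dummy
# 301-byte key, so the SPKI uses a long-form DER length.
SEQ = 0x30
SAMPLE_SPKI = _der(SEQ, _der(SEQ, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                    + _der(0x03, b"\x00" * 301))
_tbs = _der(SEQ, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _der(SEQ, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(SEQ, _tbs + _der(SEQ, b"") + _der(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(spki_hash_line(pem_to_der(SAMPLE_PEM)), "sample.pem")
```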
Audit and Certification Practices Statement (CPS) status notes for the disclosed sub-CAs:
- WebTrust audit confirmed out-of-band. CPS note: not issuing new certificates; can be removed after October 2016.
- WebTrust audit; Certification Practices Statement.
- Audit information still undergoing review; Certification Practices Statement.