tree: 09697aacef975b27118447b4093d7305a9eab4d9 [path history] [tgz]
  1. excluded/
  2. roots/

Symantec Certificates

This directory contains the set of known active and legacy root certificates operated by Symantec Corporation. In order for certificates issued from roots to be trusted, it is required that the certificates be logged using Certificate Transparency.

For details about why, see

The exception to this is sub-CAs which have been disclosed as independently operated, whose keys are not in control of Symantec, and which are maintaining a current and appropriate audit.


The full set of roots are in the roots/ directory, organized by SHA-256 hash of the certificate file.

The following command can be used to match certificates and their key hashes:

for f in roots/*.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort

Excluded Sub-CAs


WebTrust Audit Certification Practices Statement


WebTrust Audit Certification Practices Statement