This directory contains the set of known active and legacy root certificates that were operated by Symantec Corporation. For certificates issued from these roots to be trusted, they must comply with the policies outlined at https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html.
The exceptions to this are:
In addition to the above, the Certificate Transparency requirement outlined at https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html is unchanged.
The full set of roots is in the roots/ directory, organized by SHA-256 hash of the certificate file.
The following command can be used to match certificates and their key hashes:
for f in roots/*.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort
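The command above hashes the DER-encoded subjectPublicKeyInfo of each certificate, so two certificates that share a key produce the same line. The following added example (not part of this README; the function names and the sample bytes are constructed for illustration) performs the same extraction with the Python standard library and emits the same `0x..,0x..` format.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def pem_to_der(pem_text):  # decode the base64 body of a single PEM block
    lines = (l.strip() for l in pem_text.splitlines())
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def extract_spki(cert_der):
    """Return the complete subjectPublicKeyInfo TLV, the bytes the command hashes."""
    _, pos, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                    # optional [0] version (absent in v1)
        _, _, pos = read_tlv(cert_der, pos)
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]

def key_hash_line(cert_der, name):
    """Format like the command's output: 0xNN,0xNN,... <file name>."""
    digest = hashlib.sha256(extract_spki(cert_der)).hexdigest()
    return ",".join("0x" + digest[i:i + 2] for i in range(0, 64, 2)) + " " + name

def der(tag, content):  # DER encoder, used only to build the constructed sample
    size = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    head = bytes([len(content)]) if len(content) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content

# Constructed sample: certificate-shaped DER with empty names and a dummy key.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + der(0x03, b"\x00" + bytes(range(200))))
EMPTY = der(0x30, b"")
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + EMPTY * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + EMPTY + der(0x03, b"\x00"))
```

For a real file, pass `pem_to_der(open(path).read())` and the file name to `key_hash_line`.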