Symantec Certificates

This directory contains the set of known active and legacy root certificates that were operated by Symantec Corporation. Certificates issued from these roots are trusted only if they comply with the policies outlined at https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html.

The exceptions to this are:

  • Pre-existing independently operated sub-CAs, whose keys were and are not controlled by Symantec and which maintain current and appropriate audits.
  • The set of Managed CAs in accordance with the above policies.

In addition to the above, the Certificate Transparency requirement outlined at https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html is unchanged.

Roots

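The full set of roots is in the roots/ directory, organized by SHA-256 hash of the certificate file.

The following command can be used to match certificates and their key hashes. For each root it prints the SHA-256 hash of the certificate's public key (SubjectPublicKeyInfo) as comma-separated 0x-prefixed bytes, followed by the file name: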

for f in roots/*.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort

Excluded Sub-CAs

Apple

  • WebTrust Audit
  • Certification Practices Statement

DigiCert

  • WebTrust Audit
  • Certification Practices Statement

Google

  • WebTrust Audit
  • Certification Practices Statement

Excluded Managed CAs

DigiCert