ACEDICOM
The Edicom Certification Authority (ACEDICOM) provides companies, communities and physical persons with secure electronic identification mechanisms that
enable them to engage in activities where the digital signature replaces the handwritten one with identical legal guarantees. To this end, ACEDICOM issues
certificates in accordance with the stipulations of Directive 1999/93/EC of 13th December 1999 and Law 59/2003 of 19th December, on electronic signature,
and so has sufficient recognition to operate in all countries of the European Union. The Edicom CA is responsible for obtaining the corresponding official
authorisation in those places outside the Union where it operates commercially.
Audit:WebTrust CA, performed by Ernst and Young:Audit Report and Management's Assertions
ACEDICOM Root
This root has three internally-operated subordinate CAs. The ACEDICOM 01
subordinate CA issues Qualified certificates for identification and advanced
electronic signature, for the use of physical persons or legal organisations.
The ACEDICOM 02 subordinate CA issues certificates for purposes other than
Qualified electronic signature. The ACEDICOM Servidores subordinate CA issues
server/client certificates and code signing certificates.
Buypass
Buypass has over 2 million customers in Norway and is a provider of secure solutions for electronic identification, electronic signature, and payment.
Buypass is registered with the Post and Telecommunications Authority as the issuer of the qualified ID according to the law on electronic signature. The
company has a license from the Ministry of Finance as e-money business pursuant to the Act on e-money.
Audit:WebTrust CA, performed by KPMG:Audit Report and Management’s Assertions
Audit: WebTrust EV Readiness, performed by KPMG:Audit Report and Management’s Assertions
Buypass Class 2 CA 1
This root signs end-entity certificates directly, and does not have subordinate CAs.
Buypass Class 2 certificates are issued to persons or enterprises and have the
same basic usage areas as Class 3 certificates. The Class 2 CP has, however,
less strict requirements with respect to identification of the requesting party
than Class 3 certificates.
Buypass Class 3 CA 1
This root signs end-entity certificates directly, and does not have subordinate CAs.
The Buypass Class 3 certificates are issued either to persons or to enterprises.
The certificates may be used for authentication purposes, encryption/decryption
and/or electronic signatures (non-repudiation). The certificates are part of an
infrastructure provided by Buypass AS enabling electronic commerce in Norway.
The certificates are used by many different service providers ranging from purely
commercial companies to governmental and other public institutions including the
health sector.
Extended Validation SSL certificates will be issued exclusively by Class 3 CA.
Camerfirma
AC Camerfirma S.A. is a commercial CA issuing certificates for companies
primarily in Spain. Camerfirma is the digital certification authority for Chambers of Commerce in Spain.
Audit:WebTrust CA, performed by Ernst and Young:Audit Report and Management's Assertions
Audit:WebTrust EV, performed by Ernst and Young:Audit Report and Management's Assertions (Spanish), Audit Report and Management's Assertions (English)
Chambers of Commerce Root - 2008
This CA has internally-operated subordinate CAs that issue certificates
for Spanish companies and representatives. Chambers of Commerce act as RAs for end user registration.
Global Chambersign Root - 2008
This CA has internally-operated subordinate CAs that issue certificates for general use globally. Other companies act as RAs for end user registration.
Certicamara S.A.
Sociedad Cameral de Certificación Digital - Certicámara S.A. is a commercial CA primarily serving Colombia and the Andean Region.
Audit: WebTrust, performed by Deloitte and Touche:Audit Report and Management's Assertions
AC Raíz Certicámara S.A.
This is a new root CA certificate authorized by the Industry and
Commerce Department of Colombia, to replace the Certificado Empresarial Clase-A certificate. It has one internally operated subordinate CA.
Certigna of Dhimyotis
Dhimyotis services include Certigna ID and Certigna SSL. Certigna is a French CA for the European market and expects to expand to serve other
countries (India, USA, South America ... ) soon.
Audit:ETSI TS 102.042, performed by LSTI - La Sécurité des Technologies de l'Information:Statement of Compliance with ETSI TS 102.042
Audit:ETSI TS 102.042, performed by LSTI - La Sécurité des Technologies de l'Information:2008 Statement of Compliance with ETSI TS 102.042
Certigna
The Certigna root has three internally operated subordinate CAs: Certigna SSL is for SSL-enabled servers, Certigna ID is for
authentication and digitally-signed email, and Certigna Chiffrement is for encrypting email.
certSIGN
certSIGN is operated by SC CERTSIGN srl, a private corporation. certSIGN is a company member of UTI Group and an accredited supplier of certification
services. certSIGN solutions are developed integrally in Romania.
Audit:WebTrust CA, performed by Ernst and Young:Audit Report and Management's Assertions
certSIGN ROOT CA
This root issues internally-operated subordinate CAs for different classes of certificates based on use and verification requirements.
Chunghwa Telecom
Chunghwa Telecom (CHT) chiefly provides telecommunication and information-related
services. A public corporation, CHT is the largest integrated telecommunication operator in Taiwan.
Audit:WebTrust CA, performed by Sun Rise CPA Firm of DFK International:Audit Report and Management's Assertions
ePKI Root Certification Authority
This is the eCA root, which has two subordinate CAs: CHTCA and Public CA.
The CHTCA is the internal CA of Chunghwa Telecom (CHT) which signs certificates for CHT employees. The Public CA signs certificates for CHT clients.
| Link | Download/Install |
| SHA1 | 67:65:0d:f1:7e:8e:7e:5b:82:40:a4:f4:56:4b:cf:e2:3d:69:c6:f0 |
| Version | 3 |
| Modulus (key length) | 4096 |
| Valid From | 2004-12-19 |
| Valid To | 2034-12-19 |
| Revocation | CRL |
| Type | DV, OV |
| Document | CHT Certificate Repository |
| Document | ePKI CP |
| Document | eCA CPS |
| Document | Public CA CPS |
| Requested Trust Bits | |
| Bugs | Authorisation (448794), Inclusion (496193) |
| Comments | In the eCA CPS the term cross-certificate means a certificate used to establish a trust relationship between two CAs. Within the ePKI the cross-certificate is intended to mean subordinate CA. All subordinate CAs are operated by the Data Communication Business Group, which is a division of Chunghwa Telecom. |
CNNIC
China Internet Network Information Center (CNNIC), the state network information center of China, is a non-profit organization. CNNIC takes orders from the
Ministry of Information Industry (MII) to conduct daily business, while it is administratively operated by the Chinese Academy of Sciences (CAS). The CNNIC
Steering Committee, a working group composed of well-known experts and commercial representatives in the domestic Internet community, supervises and evaluates the structure,
operation and administration of CNNIC. The target customers of the CNNIC root are domain owners from the general public, including enterprise, government, organization, league, individual, etc.
Audit:WebTrust CA, performed by Ernst and Young:Audit Report and Management's Assertions
CNNIC ROOT
This root has one internally-operated subordinate CA named CNNIC SSL, which offers only SSL certificates that may be issued to general public, including
enterprise, government, organization, league, individual, etc.
Comodo
Comodo CA Ltd is a commercial CA based in the UK and serving customers worldwide. Comodo has a total of 12 root CA
certs included in Mozilla, and altogether 124 subordinate CAs signed by those root CAs. Some of them exist to differentiate
between different Comodo brands or products and some are used to re-brand products for its partners. In each case Comodo retains
the private key for the subordinate CA within its infrastructure.
Audit:WebTrust, performed by KPMG:Audit Report and Management's Assertions
Audit:WebTrust EV, performed by KPMG:Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria
COMODO Certification Authority
Root CA certificate with subordinate CAs issuing SSL certificates, email certificates, and code signing certificates.
COMODO ECC Certification Authority
Root ECC certificate with internal subordinate CA issuing EV SSL certificates, email certificates, and code signing certificates.
ComSign
ComSign is a private company owned by Comda, Ltd., a company specializing in information protection products and solutions. In 2003, ComSign was
appointed by the Justice Ministry as a certificate authority in Israel in accordance with the Electronic Signature Law 5761-2001, and is currently
the only entity issuing legally authorized electronic signatures according to Israeli law. ComSign has issued electronic signatures to thousands of business people in Israel.
Audit:Israel Electronic Signature Law, performed by The State of Israel – Ministry of Justice:Registered CA
Audit:ETSI TS 101 456, performed by Sharony-Shefler:Audit Statement 2009
ComSign CA
This root has six internally-operated subordinate CAs that are used for issuing digital IDs to individuals and corporations in accordance with the Israeli Electronic Signature Law.
ComSign Secured CA
This root has two internally-operated subordinate CAs that are used for issuing certificates for SSL and for code-signing.
DCSSI/ANSSI
ANSSI is the French Network and Information Security Agency, a part of the French Government. It issues certificates to French
Government websites which are used by the general public. Each department has a sub CA; there
are at least 20 at the moment, and potentially up to 60. Note: The O of the root is PM/SGDN. SGDN stands for "Secrétariat
général de la Défense nationale", which is now named "Secrétariat général de la défense et de la sécurité nationale"
(SGDSN). The OU of the root is DCSSI which stands for "Direction Centrale de la sécurité des
systèmes d'information". The name of the organizational unit has been changed to "Agence nationale de la sécurité des systèmes d'information" (ANSSI).
Audit:Government -- WebTrust CA Equivalent, performed by French Secretariat Général de la Défense Nationale:Official decision for IGC/A homologation
IGC/A
This is the root certificate of the French Government CA. The IGC/A root issues a subordinate CA for each organization, which can be only a government or an
administrative organization. Each of these subordinate CAs may issue end-entity certificates or additional subordinate CAs to be used for divisions within that
organization. Each organization is required to follow the CP and the Government RGS/PRIS, and be audited.
DigiCert
DigiCert is a US-based commercial CA with headquarters in Lindon, UT. DigiCert provides digital certification and identity assurance services internationally
to a variety of sectors including business, education, and government.
Audit:WebTrust, performed by KPMG:Audit Report and Management's Assertions
Audit:WebTrust EV, performed by KPMG: Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria
DigiCert Assured ID Root CA
DigiCert Global Root CA
DigiCert High Assurance EV Root CA
DigiNotar
DigiNotar is a Dutch trusted third party, mainly operating in the Netherlands. They issue certificates based on
notary verification of applicants. They service the business, government and consumer markets.
Audit:ETSI 101.456, performed by Price Waterhouse Coopers:ETSI Certificate, Statement of ETSI Compliance
Audit:WebTrust EV, performed by Price Waterhouse Coopers:Assertion of Management and Audit Report
DigiNotar Root CA
This is the top root, used only to issue CA
certificates for five application-specific subordinate CAs:
DigiNotar Public CA 2025 (non-qualified personal
certificates), DigiNotar Qualified CA (qualified personal
certificates), DigiNotar Services CA (SSL and object signing
certificates), DigiNotar Extended Validation CA (EV
certificates), and DigiNotar Private CA (CA certificates for
organizational CAs).
Disig
Disig is a public Certification Service Provider, located in Slovakia. Disig is a member of international ASSECO Group, one of the strongest
software houses in the CEE region. Asseco is a leader in selected IT segments in countries across Central and Eastern Europe.
Audit:ETSI 102.042, performed by Scientia:Audit Statement
CA Disig
This root has no subordinate CAs, issuing end-entity certs for SSL, email, and code signing directly.
E-Guven
E-Guven is a private corporation that provides certificates mainly to the Turkish market and plans to expand its market to other countries.
E-Guven certificates are used in Public projects, such as www.turkiye.gov.tr, and Mobile Signature as well. E-Guven also develops B2B secure transaction projects.
Audit:ETSI 101.456, performed by Republic of Turkey Telecommunications Authority:Audit Statement
e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
This root certificate signs SSL certificates directly. Additionally, this root has the following three intermediate CAs:
E-Guven Mobile CA issues mobile certificates for end users; E-Guven NES CA issues qualified electronic certificates for Turkish citizens;
and E-Guven Secure Client Certificates issues Class 3 certificates. All of the intermediate CAs chaining up to this root are operated internally by e-Guven.
Entrust
Entrust is a commercial CA serving the global market for SSL web certificates. Entrust also issues certificates to subordinate CAs for enterprise and commercial use.
Audit:WebTrust, performed by Deloitte and Touche LLP:Audit Report and Management's Assertions
Audit:WebTrust EV, performed by Deloitte and Touche LLP:Audit Report and Management's Assertions
Entrust Root Certification Authority
This root was primarily created as the trust root for Entrust EV SSL certificates. EV certificates are issued using the Entrust Certification Authority - L1A subordinate CA.
E-TUGRA
E-TUGRA is the EBG Informatics Technologies and Services Corporation. E-TUGRA is a privately held CA operating in Ankara, Turkey, with customers
from all geographic areas within Turkey. E-TUGRA has been certified as one of the four authorized CAs that issue qualified certificates as well as
SSL and other types of certificates to the public in Turkey.
Audit:ETSI TS 101.456, performed by Turkish Information and Communications Technologies Authority (ICTA):ICTA statement of ETSI compliance
EBG Elektronik Sertifika Hizmet Sağlayıcısı
From this root CA E-TUGRA has issued two internally-operated subordinate CAs. The Qualified Certificate (QC) subordinate CA issues certificates
for Digital Signing and Non-Repudiation (document and email signing). The Non Qualified Certificate (NQC) subordinate CA (EBG Web Sunucu
Sertifika Hizmet Sağlayıcısı) issues certificates for SSL, email encryption, and code signing.
Firmaprofesional
Firmaprofesional is a commercial CA in Spain that issues certificates to professional corporations, companies and other institutions. Their main activity is the generation,
transmission and distribution of digital certificates through professional corporations, companies or other institutions, which act as Registration Authorities and Certification
Authorities in the Firmaprofesional certification hierarchy. Firmaprofesional has a network of more than 70 Registration Authorities located throughout Spain.
Audit:WebTrust CA, performed by Ernst & Young:Audit Report and Management’s Assertions
Autoridad de Certificacion Firmaprofesional CIF A62634068
This is a renewal for the Firmaprofesional root certificate that is currently in NSS. Sub-CAs of the new root cross-sign end-entity certs with sub-CAs of the old root,
in order to maintain business continuity. This root CA signs subordinate CAs that sign end-entity certificates.
One sub-CA is used by Firmaprofesional, and other sub-CAs are issued for organizations including professional corporations, companies or other institutions, which act as
Registration Authorities and Certification Authorities in the Firmaprofesional certification hierarchy.
GeoTrust
GeoTrust is a commercial CA with worldwide operations and customer base; it is a subsidiary of VeriSign, Inc.
Audit:WebTrust CA and WebTrust EV, performed by KPMG:Audit Report and Management's Assertions
GeoTrust Primary Certificate Authority - G2
This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for
digitally-signed executable code objects. GeoTrust is not yet actively issuing certificates from this root, so they have not
yet published a CRL. All subordinated CAs for this root will be internally operated.
GeoTrust Primary Certification Authority - G3
This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for digitally-signed executable code objects.
GeoTrust Primary Certification Authority
This CA issues a CA certificate to the subordinate CA GeoTrust Extended Validation SSL CA, which in turn issues Extended Validation certificates for SSL-enabled servers.
| Link | Download/Install |
| SHA1 | 32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96 |
| Version | 3 |
| Modulus (key length) | 2048 |
| Valid From | 2006-11-26 |
| Valid To | 2036-07-16 |
| Revocation | CRL,OCSP |
| Type | EV (policy OID 1.3.6.1.4.1.14370.1.6) |
| Document | GeoTrust Certification Practice Statement, Version 1.0 (January 31, 2008) |
| Document | Other documents |
| Requested Trust Bits | |
| Bugs | Authorisation (407168), Inclusion (424169), EV (424171) |
| Comments | Note that for compatibility reasons GeoTrust has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter GeoTrust EV certificates then they will end up treating this CA as a subordinate CA under the existing Equifax Secure CA root. |
GlobalSign
GlobalSign is a commercial CA based in Portsmouth NH and serving customers worldwide.
Audit:WebTrust CA, performed by Ernst & Young:Audit Report and Management’s Assertions
Audit:WebTrust EV, performed by Ernst & Young:Audit Report and Management’s Assertions
GlobalSign Root CA – R3
This is the SHA256 version of the GlobalSign root (SHA1) that is already included in NSS. This root is primarily suitable for Server and Client Authentication,
Secure e-mail, Code Signing and Timestamping. However the root itself is marked for all issuance policies and therefore can also be used for OCSP, Encrypting File
System, IP Sec (Tunnel, User) and CA Encryption Certificate purposes. The root has been created (a ceremony to WebTrust audited standards witnessed by
Ernst and Young). However, this root is not yet active, so no CRL or OCSP service has yet been provided for it. GlobalSign will be supporting a new certificate
hierarchy in 2010 based on this SHA256 root.
GlobalSign Root CA - R2
Root CA with one subordinate CA.
GlobalSign Root CA
Root CA with two subordinate CAs.
| Link | Download/Install |
| SHA1 | B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C |
| Version | 3 |
| Modulus (key length) | 2048 |
| Valid From | 1998-09-01 |
| Valid To | 2028-01-28 |
| Revocation | CRL,OCSP |
| Type | DV, IV/OV, EV (policy OID 1.3.6.1.4.1.4146.1.1) |
| Document | GlobalSign Certification Practice Statement, version 6.0 |
| Document | GlobalSign CA Certificate Policy, version 3.0 |
| Requested Trust Bits | |
| Bugs | Authorisation (406794), Inclusion (449883), EV (446407) |
| Comments | Note that a version of this root CA certificate with the same public key but an earlier expiration date (2014-01-28) is already included in the Mozilla list. This request is to replace the older certificate with this certificate and then enable this CA certificate for EV. |
Go Daddy
Go Daddy operates a commercial CA based in the US and serving customers worldwide.
Audit:WebTrust and WebTrust EV, performed by KPMG:Independent Accountants' Report
Valicert Class 2 Policy Validation Authority
Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates,
and code signing certificates.
| Link | Download/Install |
| SHA1 | 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6 |
| Version | 1 |
| Modulus (key length) | 1024 |
| Valid From | 1999-06-25 |
| Valid To | 2019-06-25 |
| Revocation | CRL,OCSP |
| Type | DV, IV/OV, EV (policy OIDs 2.16.840.1.114413.1.7.23.3 and 2.16.840.1.114414.1.7.23.3) |
| Document | Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS) |
| Requested Trust Bits | |
| Bugs | Authorisation (403437), Inclusion (418958), EV (403437) |
| Comments | Both of the CA certificates below are cross-signed to the Valicert Class 2 Policy Validation Authority root for legacy support, so this root is configured to enable EV with both of the EV OIDs associated with the other certificates. |
Go Daddy Class 2 CA
Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.
Starfield Class 2 CA
Root CA certificate with a single subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.
Hongkong Post
Hongkong Post is a government agency and is a recognized CA under the law of Hong Kong Special Administrative Region (HKSAR) of China,
and has been issuing digital certificates under the e_Cert brand name to individuals and organizations of HKSAR since January 2000.
Hongkong Post CA operations have been outsourced to E-Mice Solutions. This is documented in the CPS and the Management Assertions.
The WebTrust audit covers both Hongkong Post and E-Mice CA operations.
Audit:WebTrust, performed by PricewaterhouseCoopers:Audit Report and Management Assertions
Hongkong Post Root CA 1
This root has only one direct subordinate, Hongkong Post e-Cert CA 1, which is the signer key and is used to issue different types of recognized e-Certs to individuals and organizations.
IdenTrust
IdenTrust is a for-profit corporation serving the private, commercial and government sectors.
Audit:WebTrust, performed by Ernst and Young:Audit Report and Management's Assertions
DST Root CA X3
DST ACES CA X6
Izenpe
Izenpe is owned by the government of the Basque country, Spain.
Audit:ETSI TS 101.456, performed by BSI Management Systems:ETSI Certificate
Audit:WebTrust EV Readiness, performed by KPMG:Audit Report and Management Assertions
Izenpe.com
This SHA256 root has five internally-operated subordinate CAs. One sub-CA issues EV SSL certs. Two of the sub-CAs are for Qualified certificates, one for Public Administration, and one for Citizens and Entities. There are also
two sub-CAs for non-Qualified certificates, one for Public Administration and one for Citizens and Entities, which issue SSL Server, Email, and Code Signing certs.
Japanese GPKI
In Japan there are two root CAs: GPKI (Government Public Key Infrastructure) and LGPKI (Local Government Public Key Infrastructure).
GPKI is controlled by the Ministry of Internal Affairs/Communications and National Information Security Center, and it is separate from Local government
sectors. The Japanese government decided to centralize each ministry's certification systems into GPKI, and the migration was finished in October 2008.
Audit:WebTrust CA, performed by Deloitte Touche Tohmatsu:Audit Report and Management's Assertions (Japanese), Audit Report and Management's Assertions (English)
ApplicationCA - Japanese Government
This root is operated by the national government of Japan. It issues server certificates and code signing certificates to national government agencies.
This root issues end-entity certificates directly, and does not have any subordinate CAs.
JCSI
Japan Certification Services, Inc. (JCSI) is a commercial CA whose primary market is Japan. Some of the relying parties are outside Japan, such as US,
Canada, European countries, and Asia.
Audit:WebTrust CA, performed by Ernst and Young ShinNihon LLC:Audit Report and Management’s Assertions
SecureSign RootCA11
This root has one internally-operated subordinate CA for issuing SSL certificates to the public. In the future, JCSI plans to add other
internally-operated subordinate CAs for S/MIME, Time Stamping, and other certificate types.
| Link | Download/Install |
| SHA1 | 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 |
| Version | 3 |
| Modulus (key length) | 2048 |
| Valid From | 2009-04-07 |
| Valid To | 2029-04-07 |
| Revocation | CRL |
| Type | OV |
| Document | Repository |
| Document | CP/CPS in English |
| Requested Trust Bits | |
| Bugs | Authorisation (496863), Inclusion (542798) |
| Comments | none |
Kamu SM
Kamu Sertifikasyon Merkezi is the one government CA in Turkey that has authorization to issue certificates to
government entities. They are also authorised to issue to commercial companies.
Audit:ETSI TS 101.456, performed by Turkish Information and Communications Technologies Authority (ICTA):ICTA statement of ETSI compliance
TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
| Link | Download/Install |
| SHA1 | 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96 |
| Version | 3 |
| Modulus (key length) | 2048 |
| Valid From | 2007-08-24 |
| Valid To | 2017-08-21 |
| Revocation | CRL, OCSP |
| Type | DV, IV |
| Document | CP |
| Document | CPS |
| Requested Trust Bits | |
| Bugs | Authorisation (381974), Inclusion (499705) |
| Comments | none |
Keynectis/Certplus
Keynectis is a French commercial CA that issues certificates to the general public. Keynectis was created by merging two previous French certification operators, Certplus and PK7.
Audit:ETSI TS 101.456, performed by LSTI - La Sécurité des Technologies de l'Information:ETSI Certificate
Audit:WebTrust EV, performed by KPMG:Audit Report and Management's Assertion
Certplus Class 2 Primary CA
Microsec
Microsec Ltd. is a Hungarian certificate authority.
Audit:Government, ETSI TS 101.456 equivalent, performed by Hungarian Government National Communications Authority:Authority statement
Microsec e-Szigno Root CA
Microsec e-Szigno Root CA 2009
This is a new, SHA256, version of the Microsec SHA1 root that is already included in NSS. The new root has a new DN and a new key. Microsec plans to operate
the two roots simultaneously for some years, and the old one shall be phased out afterwards. Under the new root, Microsec issues certificates with an OCSP service usable for the general public.
NetLock
NetLock Ltd. is a qualified Certificate Authority in Hungary that issues certificates to organizations and individuals.
Audit:ETSI TS 101.456, ETSI 102.042, performed by National Communications Authority, Hungary:Statement of audit conformance in English, Statement of the NCA that Netlock is a Qualified Service Provider
Audit:ETSI TS 101.456, ETSI 102.042, performed by CERT-Hungary:Cover letter of the rDSP audit in Hungarian, English Translation of part of the rDSP Audit Report
NetLock Arany (Class Gold) Főtanúsítvány
NetLock currently has four separate root CAs included in NSS. The redesigned equivalent of these existing roots will be created under this new root.
The new root will sign seven internally-operated subordinate CAs. Two of those subordinate CAs will sign sub-CAs that will be externally-operated by
MKB (Hungarian Trade Bank) and MNB (National Bank of Hungary).
Network Solutions
Network Solutions is a US-based commercial CA with worldwide customer base.
Audit:WebTrust for CAs, performed by KPMG:Audit Report and Management's Assertions
Audit:WebTrust EV, performed by KPMG:Report in relation to the WebTrust for Certification Authorities Extended Validation Criteria
Network Solutions Certificate Authority
This CA has a subordinate CA, Network Solutions EV SSL CA, which issues Extended Validation certificates for
SSL-enabled servers. At present there are no other subordinate CAs under this root; however in the future Network Solutions
may establish additional subordinate CAs to issue non-EV certificates.
QuoVadis
QuoVadis is a commercial CA, based in Bermuda and operating globally.
QuoVadis is a Qualified Certification Services Provider in Switzerland.
Audit:WebTrust, performed by Ernst & Young (Technology and Security Risk Services):Audit Report and Management's Assertions
Audit:ETSI TS 101.456, performed by KPMG:Swiss Accreditation Service statement
QuoVadis Root CA 2
This root will be used for SSL/device certificates, including
standard "organisation validated" certificates as well as EV certificates.
QuoVadis Root CA 3
This root will operate under a similar CP/CPS to our existing "qualified" Root CA 1,
primarily used for end user certificates.
SECOM Trust
SECOM Trust Services Co., Ltd is a commercial CA based in Japan.
Audit:WebTrust, performed by PricewaterhouseCoopers Aarata:Report of Independent Certified Public Accountant
Audit:WebTrust EV, performed by KPMG:Audit Report and Management's Assertion
Security Communication EV RootCA1
This request is to add a newly constructed EV root to the NSS database. Note that there is currently a non-EV CA called Security Communication RootCA1 in the NSS database.
Sertifitseerimiskeskus AS
SK (Certification Centre, legal name AS Sertifitseerimiskeskus) is a commercial CA, covering the Baltic region (Estonia, Lithuania, Latvia).
SK is Estonia's primary certification authority, providing certificates for authentication and digital signing to Estonian ID Cards. Established in
2001, SK has the backing of Estonian and Nordic financial and telecom sector. SK’s customers include the Estonian court system and notaries, Central Bank
and commercial banks, and enforcement organisations (e.g. Police).
Audit:ETSI TS 101.456, performed by KPMG Estonia:Audit Report
Juur-SK
This root issues three types of internally operated subordinate CAs. The first type of subordinate CA is used to issue electronic ID cards
which contain certificates for digital signature and for digital identification.
The second type of subordinate CA is used to issue internal ID cards of the Republic of Estonia.
The third type of subordinate CA is used to issue device and SSL certificates.
Staat der Nederlanden
Staat der Nederlanden is the Netherlands national government CA. The Dutch governmental PKI hierarchy consists of 2 roots. This first root, Staat der
Nederlanden Root CA, is already included in NSS. The second root is the next generation, Staat der Nederlanden Root CA – G2.
The organization operating these roots is called Logius as of January 2010; it used to be called GBO.Overheid. Logius is the digital government service of the
Netherlands Ministry of the Interior and Kingdom Relations (BZK).
Audit:WebTrust CA, performed by KPMG:Audit Report and Management Assertions
Staat der Nederlanden Root CA - G2
This is the next generation of the Staat der Nederlanden Root CA that is currently in the Mozilla store. The PKIoverheid issues two internally
operated subordinate CAs, which issue subordinate CAs to CSPs. The CSPs are commercial and governmental organizations. Each CSP has to prove that
it complies with ETSI TS 101 456 and the Dutch law on electronic signatures. CSPs must conclude a contract with a representative of a government
organization or commercial company before issuing end-entity certificates. A request for a certificate is always signed by a specified representative
of a government organization or commercial company.
StartCom
StartCom is a commercial corporation with customers worldwide. It is the producer and vendor of the StartCom Linux operating systems and operates
the StartCom Certification Authority and MediaHost.
Audit:WebTrust CA, performed by Ernst and Young:Audit Report and Management's Assertions
Audit:WebTrust EV, performed by Ernst and Young:Audit Report and Management's Assertions
StartCom Certification Authority
S-TRUST
Deutscher Sparkassen Verlag GmbH is the world's largest smartcard provider and the central certification service
provider for all German savings banks. This CA exists to enable up to 40 million German customers (end-users) to use their
banking card as a certificate based signature, encryption and authentication device.
Audit:ETSI TS 101.456, performed by TÜV-IT:ETSI TS 101.456 Certificate
Audit:ETSI TS 102.042, performed by TÜV-IT:ETSI TS 102.042 Certificate
S-TRUST Authentication and Encryption Root CA 2005:PN
This root will provide all customers of the German Savings Bank Financial Group with client certificates for their signature-enabled debit cards (smartcards).
SwissSign
SwissSign AG is a commercial CSP that provides certification services for individual and corporate customers. SwissSign operates the certificate authority
for the Swiss Post and is mostly focused on Switzerland but Registration Services may be used internationally.
The "Platinum G2" Root CA currently has 3 subordinate CAs, the "Gold G2" Root CA has 2 and the "Silver G2" Root CA has 3.
Audit:ETSI TS 101.456, performed by KPMG:Swiss Accreditation Service Certified Bodies List, SAS details for SwissSign
Audit:WebTrust EV, performed by KPMG:Confirmation Notice of WebTrust EV Audit
SwissSign Platinum CA - G2
The SwissSign Platinum CA - G2 root has three subordinate CAs. The SwissSign Qualified Platinum CA - G2 issues
"qualified" certificates according to Swiss digital signature law (ZertES). The SwissSign Personal Platinum CA - G2 issues certificates
for natural persons and organizations. The Swiss Post Platinum CA - G2 issues the "Postzertifikat", a product of the Swiss Post. (Note that
each of the subordinate CAs has its own CP/CPS separate from the CP/CPS of the root.) The Platinum CAs require that keys be generated
on Secure Signature Creation Devices (SSCDs); since such devices are not used with servers, this hierarchy is enabled for email and object signing uses only.
SwissSign Gold CA - G2
The "Gold G2" root CA currently has two subordinate CAs: "Personal" issues certificates for natural persons and
organizations, while "Server" issues certificates for systems. This root CA may also operate other customer-specific Issuing CAs if and
only if they fully comply with all the stipulations of the "Gold G2" CP/CPS.
SwissSign Silver CA - G2
The "Silver G2" root CA currently has three subordinate CAs: "Personal" issues certificates for natural persons and
organizations, "Server" issues certificates for systems, and "Switch" is operated for a customer that issues certificates for the academic community.
| Link | Download/Install |
| SHA1 | 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB |
| Version | 3 |
| Modulus (key length) | 4096 |
| Valid From | 2006-10-25 |
| Valid To | 2036-10-25 |
| Revocation | CRL, OCSP |
| Type | IV |
| Document | SwissSign Silver CP/CPS |
| Requested Trust Bits | |
| Bugs | Authorisation (343756), Inclusion (407396) |
| Comments | none |
TC TrustCenter
TC TrustCenter GmbH is a commercial company based in Germany, with customers in all major regions of the world. TC TrustCenter
offers a variety of products and services including SSL Server certificates and Email certificates.
Audit:ETSI 102.042, performed by TÜV-IT Germany:ETSI TS 102.042 LCP Certificate
Audit:ETSI 102.042 V2.1.1 EV, performed by TÜV-IT Germany:ETSI TS 102 042 V2.1.1 EV Certificate
TC TrustCenter Universal CA III
This root will have an internally-operated subordinate CA for each registration strength;
“Class 1”, “Class 2”, “Class 3” and “Class 4 EV”. This root currently has one Class 4 EV
subordinate CA, “TC TrustCenter Class 4 Extended Validation CA I”, which will only issue EV certificates.
This new root will co-exist with the “TC TrustCenter Universal CA I” root that is currently included in NSS.
This new root will effectively replace the "TC Universal CA II" root which was not included in NSS.
For this new root, TC TrustCenter generated a new key (supervised by their auditor) to be compliant
with the CA/B Forum guidelines.
TC TrustCenter Class 2 CA II
This root has two internally-operated subordinate CAs which issue certificates for SSL, email, and code signing. This root also has an
externally-operated subordinate CA which is used to issue device certificates and email certificates for internal use only. The device
name and the email address belong to a company internal domain, so the ownership is guaranteed.
TC TrustCenter Class 3 CA II
This root has one internally-operated subordinate CA which issues certificates for SSL, email, and code signing.
TC TrustCenter Universal CA I
This root has been introduced to reduce the number of root certificates in the trusted root stores. This root will have internally-operated
subordinate CAs for each registration strength. “Class 1”, “Class 2”, “Class 3” and “Class 4” represent the registration strength. This root
currently has one Class 3 subordinate CA. Over time this root will have more “TC Class x” subordinate CA certificates.
thawte
thawte is a commercial CA with worldwide operations and customer base; it is a subsidiary of VeriSign, Inc.
Audit:WebTrust/WebTrust EV, performed by KPMG:Audit Report and Management's Assertions
thawte Primary Root CA - G2
This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for
digitally-signed executable code objects. thawte is not yet actively issuing certificates from this root, so they have not
yet published a CRL. All subordinated CAs for this root will be internally operated.
thawte Primary Root CA - G3
This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for
digitally-signed executable code objects. thawte is not yet actively issuing certificates from this root, so they have not
yet published a CRL. All subordinated CAs for this root will be internally operated.
thawte Primary Root CA
This CA issues a CA certificate to the subordinate CAs thawte Extended Validation SSL CA and thawte Extended
Validation SSL SGC CA, which in turn issue Extended Validation certificates for SSL-enabled servers.
| Link | Download/Install |
| SHA1 | 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81 |
| Version | 3 |
| Modulus (key length) | 2048 |
| Valid From | 2006-11-17 |
| Valid To | 2036-07-16 |
| Revocation | CRL, OCSP |
| Type | EV (policy OID 2.16.840.1.113733.1.7.48.1) |
| Document | thawte Certification Practice Statement, Version 3.5 (January 2008) |
| Requested Trust Bits | |
| Bugs | Authorisation (407163), Inclusion (424152), EV (424154) |
| Comments | Note that for compatibility reasons thawte has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter thawte EV certificates then they will end up treating this CA as a subordinate CA under the existing Thawte Premium Server CA root. |
Trustwave
Trustwave is a commercial CA serving customers worldwide; it includes the former SecureTrust and XRamp CAs. At this time
there are no subordinate CAs for any of these roots; instead end entity certificates are issued directly from the roots as noted
below, with different classes of certificates under different certificate policies. Note that each root CA is not associated
with a single CPS; rather, end entity certs are associated with policies that link to the CPS that the certificate was issued
under: an EV CPS, an OV CPS, etc.
Audit:WebTrust and WebTrust EV, performed by Boysen & Miller PLLC:Audit Report and Management's Assertions
SecureTrust CA
Root CA certificate utilized for issuing SSL certificates (OV and EV) and code signing certificates.
Secure Global CA
Root CA certificate utilized for issuing SSL certificates (OV and EV), S/MIME certificates, and (in future) code signing certificates.
XRamp Global CA
Root CA certificate utilized for issuing SSL certificates (OV and EV), S/MIME certificates, and code signing certificates.
T-Systems
T-Systems is a wholly-owned subsidiary of Deutsche Telekom AG.
Audit:WebTrust, performed by Ernst and Young:Audit Report and Management's Assertions
Audit:ETSI 101.456, performed by T-Systems GEI:ETSI 101.456 Certificate of Compliance
Deutsche Telekom Root CA 2
TURKTRUST
TÜRKTRUST is a Turkish CA issuing qualified certificates in Turkey.
Audit:ETSI TS 101.456, performed by Turkish Telecommunications Authority:Letter of Official CA Statement, List of accredited CAs, Audit statement on auditor website
TURKTRUST Certificate Services Provider Root 1
Root 1 is a "legacy" root included for compatibility
with previously-issued certificates. The English version of the
CPS applies to both roots.
| Link | Download/Install |
| SHA1 | 79:98:A3:08:E1:4D:65:85:E6:C2:1E:15:3A:71:9F:BA:5A:D3:4A:D9 |
| Version | 3 |
| Modulus (key length) | 2048 |
| Valid From | 2005-05-13 |
| Valid To | 2015-03-22 |
| Revocation | CRL, CRL, CRL, OCSP |
| Type | DV, IV |
| Document | CPS v03 (English) |
| Requested Trust Bits | |
| Bugs | Authorisation (380635), Inclusion (410821) |
| Comments | none |
TURKTRUST Certificate Services Provider Root 2
Root 2 is the new root that replaced Root 1; Root 2 is
used for certificates currently being issued. The English
version of the CPS applies to both roots.
| Link | Download/Install |
| SHA1 | B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7 |
| Version | 3 |
| Modulus (key length) | 2048 |
| Valid From | 2005-07-11 |
| Valid To | 2015-09-16 |
| Revocation | CRL, CRL, CRL, OCSP |
| Type | DV, IV |
| Document | CPS v03 (English) |
| Requested Trust Bits | |
| Bugs | Authorisation (380635), Inclusion (410821) |
| Comments | none |
VeriSign
VeriSign is a major commercial CA with worldwide operations and customer base.
Audit:WebTrust CA and WebTrust EV, performed by KPMG: Audit Reports and Management's Assertions
VeriSign Universal Root Certification Authority
This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for
digitally-signed executable code objects. VeriSign is not yet actively issuing certificates from this root, so they have not yet published a CRL.
VeriSign Class 3 Public Primary Certificate Authority - G4
This CA will be used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for
digitally-signed executable code objects. VeriSign is not yet actively issuing certificates from this root, so they have not
yet published a CRL. All subordinated CAs for this root will be internally operated.
VeriSign Class 3 Public Primary Certification Authority - G5
This CA issues a CA certificate to the subordinate CA "VeriSign Class 3 Extended Validation SSL SGC CA", which in
turn issues Extended Validation certificates for SSL-enabled servers.
| Link | Download/Install |
| SHA1 | 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5 |
| Version | 3 |
| Modulus (key length) | 2048 |
| Valid From | 2006-11-07 |
| Valid To | 2036-07-16 |
| Revocation | CRL, OCSP |
| Type | EV (policy OID 2.16.840.1.113733.1.7.23.6) |
| Document | VeriSign Certification Practice Statement, Version 3.5 |
| Document | VeriSign Trust Network Certificate Policies, Version 2.5 |
| Requested Trust Bits | |
| Bugs | Authorisation (402947), Inclusion (422918) |
| Comments | Note that for compatibility reasons VeriSign has implemented a cross-signing scheme involving this CA. In this scheme, if applications not supporting EV functionality (e.g., Firefox 2 and earlier) encounter VeriSign EV certificates then they will end up treating this CA as a subordinate CA under the existing VeriSign Class 3 Public Primary CA root. |
VeriSign Class 1 Public Primary Certification Authority
This root CA (also known as PCA1-G1-SHA1) has Signature Algorithm SHA-1. This root will supersede the PCA1-G1 root that is already included in NSS, which has Signature Algorithm MD2.
VeriSign Class 3 Public Primary Certification Authority
This root CA (also known as PCA3-G1-SHA1) has Signature Algorithm SHA-1. This root will supersede the PCA3-G1 root that is already included in NSS, which has Signature Algorithm MD2.
Verizon / Cybertrust
Verizon Business Security Solutions Powered by Cybertrust operates a commercial certificate authority service for businesses and governments internationally.
Audit:WebTrust CA, performed by Ernst and Young:Audit Report and Management's Assertions
Audit:WebTrust EV, performed by Ernst and Young:Audit Report and Management's Assertions
Cybertrust Global Root
This root was created to provide a service to customers desiring a root based outside the United States. Relying on
the GTE CyberTrust Global Root for ubiquity through cross-certification, this root is used for issuance of EV SSL
certificates. There is currently only one internally-operated subordinate CA called Cybertrust SureServer EV CA. The CPS
allows for this root to have other subordinate CAs in the future. The sub-CAs are required to follow the CPS and to have regular audits.
Wells Fargo
Wells Fargo is a public CA based in San Francisco, California, and serving customers worldwide. This EV CA was created for the purpose of
creating an online/intermediate EV SSL issuing authority which will be managed internally, and follow the WellsSecure CPS.
Audit:WebTrust EV pre-audit, performed by KPMG:Audit Report and Management's Assertions
Audit:WebTrust CA, performed by KPMG:Audit Report and Management's Assertions
WellsSecure Public Root Certificate Authority
Root CA with one internal subordinate CA issuing EV SSL certificates.
WISeKey
WISeKey operates the CertifyID Trust Service, which supports customer-specific CAs under a CA hierarchy rooted at
the WISeKey Global Root GA CA and containing Policy CAs (subordinate to the root) and Issuing CAs (subordinate to the
Policy CAs). Note that all end-entity certificates are issued by the Issuing CAs under policies set by WISeKey.
Audit:WebTrust, performed by WTE y E. Álvarez Auditores, S.L.:Audit Report and Management's Assertions
Audit:WebTrust, performed by WTE y E. Álvarez Auditores, S.L.:2008 Audit Report and Management's Assertions
OISTE WISeKey Global Root GA CA
As noted above, the Global Root GA CA is the one and only root for the entire CertifyID system. It issues CA
certificates to Policy CAs, which in turn issue CA certificates to Issuing CAs. There are three types of Policy
CAs (Standard, Advanced, and Qualified) and three types of Issuing CAs corresponding to these, each issuing a different
class of certificates; verification requirements for applicants vary by class.