Angus Robertson

SSL/TLS Certificate Authority Root Stores


CA Trusted Store Background

The whole SSL/TLS certificate verification process depends upon finding a trusted root certificate that signed the next certificate up the chain, and so on.  But who chooses those trusted roots? The answer is the author of the application that accepts an SSL/TLS certificate, or maybe the operating system the application is running on, or the SSL library used to build the application.

The bad news is that root certificates come and go, old roots stop being accepted for various reasons, and new roots are introduced for new security standards or new businesses.

Historically most roots were RSA Sha1 digest signed and most still are, despite Sha1 being banned for new certificates.  Increasingly Sha256 and ECC root certificates are being introduced and required by new intermediate certificates. Typically, active certificate authorities have at least four roots, with 2,048 and 4,096 bit RSA keys and 256 and 394 bit ECDSA keys (which are much smaller than RSA).

Sources of CA Trusted Stores

SSL/TLS trusted root certificate bundles are always changing, annually perhaps for major changes, although Microsoft officially updates Windows roots every two months.  The Common CA Database (CCADB) https://www.ccadb.org/ is a repository of information about Certificate Authorities (CAs), and is used by a number of different root store operators to manage their root stores.

But it's not easy to create root bundles from CCADB and another developer got frustrated with updating roots, and created a Trust Stores Observatory Git repository: https://github.com/nabla-c0d3/trust_stores_observatory which contains over 500 root certificates and lists of which trust stores contain which roots by different operating systems.  But even this does not contain certificates in a form easily used by OpenSSL, so Magenta Systems Ltd has written a small tool that converts the YAML files from TSO into PEM bundle files, one each for the different operating systems.

New PEM Bundle CA Trusted Store Files

There are six different PEM CA bundle files, built from the Trust Stores Observatory Git repository:

apple.pem -  174 Certificates
google_aosp.pem - 137 Certificates
microsoft_windows.pem - 289 Certificates
mozilla_nss.pem - 137 Certificates
openjdk.pem - 88 Certificates
oracle_java.pem - 88 Certificates

Each certificate is prefixed by its description, issuer fields, expiry, public key type and SHA256 hash, so the bundles are self documenting rather than being just cryptic base64 blocks.  These PEM bundles may be loaded into an OpenSSL context as a root store.  These bundles may be downloaded at:  https://www.magsys.co.uk/download/software/ca-root-bundles.zip  Magenta Systems Ltd will periodically update these bundles, as needed.


ICS V8.63 contains the content of microsoft_windows.pem. 



Edited by Angus Robertson
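The bundles described in the post above differ in which roots they contain, so before pinning an application to one of them it helps to see what another store trusts that yours does not. The following is an added example, not part of the original post or of the Magenta Systems tool: it compares two PEM bundles by the SHA256 fingerprint of each certificate's DER bytes and shows how to build a Python `ssl` context that trusts a single bundle. The sample input and its `#` comment lines are constructed placeholders, not real certificates and not the bundles' actual header format.

```python
import base64
import hashlib
import re
import ssl

# Matches one certificate block; text between blocks (the descriptive
# lines the bundles carry) is ignored here, as OpenSSL ignores it.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Return the set of SHA256 fingerprints (hex) of every block's DER bytes."""
    found = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        found.add(hashlib.sha256(der).hexdigest())
    return found

def compare_stores(pem_a, pem_b):
    """Split roots into only-in-A, only-in-B and shared, by fingerprint."""
    a, b = fingerprints(pem_a), fingerprints(pem_b)
    return {"only_a": a - b, "only_b": b - a, "shared": a & b}

def context_from_bundle(path):
    """Build a client context that trusts only the roots in one bundle file."""
    return ssl.create_default_context(cafile=path)

def _block(der):
    # Helper for the constructed sample below: wrap bytes as a PEM block.
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes, not real certificates.
SAMPLE_A = ("# Root One (constructed)\n" + _block(b"root-one") +
            "# Root Two (constructed)\n" + _block(b"root-two"))
SAMPLE_B = ("# Root Two (constructed)\n" + _block(b"root-two") +
            "# Root Three (constructed)\n" + _block(b"root-three"))

if __name__ == "__main__":
    result = compare_stores(SAMPLE_A, SAMPLE_B)
    for name, prints in result.items():
        print(name, sorted(p[:16] for p in prints))
```

With real files, read each bundle as text (for example `apple.pem` and `mozilla_nss.pem`) and pass the contents to `compare_stores`; `context_from_bundle` needs a file of real certificates and will raise `ssl.SSLError` on the placeholder sample.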