CA certificate removed in NSS 3.16.3 still needed

CA Certificates Code
4 years ago


(Reporter: Craig Leres, Assigned: Kathleen Wilson)


4 years ago
User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140804150629

Steps to reproduce:

A number of our ldaps dependent services stopped working after upgrading NSS from 3.16.1 to 3.16.3. We were able to track this down to this change:

    Notable Changes in NSS 3.16.3
        - The following 1024-bit CA certificates were Removed
            OU = ValiCert Class 2 Policy Validation Authority
                SHA1 Fingerprint: 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6

This CA was used to sign the ValiCert SSL cert used with, which is a 10-year cert that is now only 5 years old.

Actual results:

Example error message:

    LDAP service down: ldaps://

Expected results:

We'd like to understand why this specific CA was removed from the NSS bundle and if it's possible to put it back in.
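An added check (not part of the bug report or of NSS) for anyone hit by the same root-store change: scan a PEM chain or bundle, compute each certificate's SHA1 fingerprint the way `openssl x509 -fingerprint -sha1` does, and flag any that matches the ValiCert Class 2 root fingerprint quoted from the 3.16.3 release notes above. The sample chain is constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# SHA1 fingerprint of the removed ValiCert Class 2 root, as listed in the
# NSS 3.16.3 release notes quoted in the report (colons stripped for lookup).
REMOVED_IN_NSS_3_16_3 = {
    "317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6":
        "OU = ValiCert Class 2 Policy Validation Authority",
}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """Return the DER bytes of every certificate found in a PEM chain/bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA1 over the DER encoding (openssl style)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_removed_roots(pem_text, removed=REMOVED_IN_NSS_3_16_3):
    """Map each chain fingerprint that matches a removed root to the root's name.

    An empty result means the chain does not depend on a root in `removed`;
    a hit means clients built on NSS >= 3.16.3 will no longer trust it.
    """
    hits = {}
    for der in pem_to_ders(pem_text):
        fp = sha1_fingerprint(der)
        name = removed.get(fp.replace(":", ""))
        if name:
            hits[fp] = name
    return hits


def _pem(der):
    # Wrap arbitrary bytes as a PEM block; used only to build the sample below.
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample chain: placeholder bytes, not real certificates.
SAMPLE_CHAIN = _pem(b"leaf-placeholder") + _pem(b"abc")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    chain = open(path).read() if path else SAMPLE_CHAIN
    for fp, name in find_removed_roots(chain).items():
        print(f"chain anchors in root removed from NSS 3.16.3: {name} ({fp})")
```

Run it against the output of `openssl s_client -showcerts` saved to a file to see whether a server's chain still anchors in the removed root.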

Comment 1

4 years ago
Hi Craig,

NSS is in the process of removing legacy root certificates, including those with keys that are likely to be deprecated in the future (1024-bit RSA keys)

The bug tracking this particular effort was , with the overall bug being

You can see the owner of this certificate requested its removal in July, 2013 -

The CAs owning these certificates have been attempting to reach out to their customers and ensure they are aware of the changes and have alternatives. I suspect that if you contact them, they will be able to provide you with a proper chain, one that is supported by the CA and follows modern cryptographic best practices.

It's not something that the NSS dev team are considering adding back in, especially since the CA indicated they were prepared for this certificate to be removed in Q1 2014, and now it's nearly Q4.


4 years ago
Assignee: nobody → kwilson

Comment 2

4 years ago
Kathleen, should this be marked WONTFIX?

Comment 3

4 years ago
Hi Craig,

I apologize for this inconvenience. 

The ValiCert Class 2 root cert can be downloaded from here:

There is also a link on that page called: "How to report a certificate problem"
Perhaps you can reach out to GoDaddy to find out the best solution for your situation.

I am closing this bug as "WONTFIX", because we do not plan to add this legacy 1024-bit root back to NSS.

Last Resolved: 4 years ago
Resolution: --- → WONTFIX