1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS

Status: RESOLVED FIXED

(NSS :: CA Certificates Code, enhancement, P1)

Description

[Kathleen Wilson]

Please remove the following root certificates from NSS.
The CA, DigiCert, has confirmed in Bug #1668131 that these roots are ready to be removed, as per the continuation of the distrust of Symantec root certificates.

GeoTrust Global CA
https://crt.sh/?id=17
Serial number: 023456
SHA2 thumbprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 1/1/2020

GeoTrust Primary Certification Authority
https://crt.sh/?id=4350
Serial number: 18ACB56AFD69B6153A636CAFDAFAC4A1
SHA2 thumbprint: 37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 1.3.6.1.4.1.14370.1.6
Distrust for TLS After Date: 4/30/2019

GeoTrust Primary Certification Authority - G3
https://crt.sh/?id=847444
Serial number: 15AC6E9419B2794B41F627A9C3180F1F
SHA2 thumbprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 1.3.6.1.4.1.14370.1.6
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA
https://crt.sh/?id=30
Serial number: 344ED55720D5EDEC49F42FCE37DB2B6D
SHA2 thumbprint: 8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.48.1
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA - G3
https://crt.sh/?id=254193
Serial number: 600197B746A7EAB4B49AD64B2FF790FB
SHA2 thumbprint: 4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.48.1
Distrust for TLS After Date: 4/30/2019

VeriSign Class 3 Public Primary Certification Authority - G4
https://crt.sh/?id=2771491
Serial number: 2F80FE238C0E220F486712289187ACB3
SHA2 thumbprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.23.6
Distrust for TLS After Date: 1/31/2019

VeriSign Class 3 Public Primary Certification Authority - G5
https://crt.sh/?id=93
Serial number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
SHA2 thumbprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.23.6
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA - G2
https://crt.sh/?id=3382830
Serial number: 35FC265CD9844FC93D263D579BAED756
SHA2 thumbprint: A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 9/30/2018

GeoTrust Universal CA
https://crt.sh/?id=4174851
Serial number: 01
SHA2 thumbprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 9/30/2018

GeoTrust Universal CA 2
https://crt.sh/?id=4175126
Serial number: 01
SHA2 thumbprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 1/1/2020

Comment 1

[Benjamin Beurdouche [:beurdouche]]

Attachment: Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS. r=kjacobs

Comment 2

[Kevin Jacobs [:kjacobs]]

https://hg.mozilla.org/projects/nss/rev/4c69d6d0cf210546bef1eed490712462b9296c62