Closed Bug 1708307 Opened 3 years ago Closed 3 years ago

Remove Trustis FPS Root CA from NSS


(NSS :: CA Certificates Code, task)


(Not tracked)



(Reporter: kwilson, Unassigned)


(Whiteboard: June 2021 Batch of Root Changes)


(1 file)

Please remove the following root certificate from NSS:

OU=Trustis FPS Root CA; O=Trustis Limited; C=GB
Certificate Serial Number: 1B1FADB620F924D3366BF7C7F18CA059
SHA-1 Fingerprint: 3BC0380B33C3F6A60C86152293D9DFF54B81C004
SHA-256 Fingerprint: C1B48299ABA5208FE9630ACE55CA68A03EDA5A519C8802A0D3A673BE8F8E557D
Trust Bits: Email , Websites
Not EV

Currently this root has CKA_NSS_SERVER_DISTRUST_AFTER set to July 1, 2020 per Bug #1634584.

The CA has indicated that this root certificate is ready for removal, and stated: "I can confirm no new certificates have been issued since January 2018 and all expired as of January 2021."

Blake, This root certificate has both the Email (S/MIME) and Websites (TLS) trust bits enabled for it. We only set the distrust-after for Websites (TLS). Is this root certificate no longer needed for S/MIME purposes?

Flags: needinfo?(blake.morgan)

Hi Kathleen, The Sub CA is not signing anything so yes, please go ahead and set distrust for S/MIME.

Flags: needinfo?(blake.morgan)

Thanks, Blake. We will proceed with removing this certificate in the next batch of root changes for NSS.

Closed: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.