5

Due to recent Entrust cert authority issues, certificates issued by Entrust are now signed by SSL.com root certificates. This new root is not especially old (valid since 2022), and we've found a few clients with security appliances (and Java keystores and the like) that don't have it in their trusted root stores.

Aside from contacting a trusted root authority directly, is there any digest and/or publicly available source of truth for updates to common root stores (such as Windows trusted roots)? CA/Browser (Chrome etc.) links announcing new trusted root certs?

We'd like to be able to point inquiring security teams from clients to public documentation and say "this root has been publicly distributed and/or allowed since X date" whenever new root certs may not be found in whatever keystore they are using.

I understand that a public document on a site is not a source of truth for trust, but it's got to be something that the layman can understand, so that our CS teams can talk to another company's security team that might not be masters of the TLS domain...

Any thoughts on something more generic that could be used to tell a client why a root should be trusted?

The Salesforce link to Firefox's inclusion of roots into its browser store is closest to getting there, as it lists Firefox version support for each root.

SSL.com | USA, Global | https://www.ssl.com/ | SSL.com TLS RSA Root CA 2022 | Firefox 117 | 2046 Aug 19

References

Update:
The trusted root program can be searched relatively easily by CA name; I found the cert in question there as well (added reference link): https://learn.microsoft.com/en-us/security/trusted-root/2023/nov2023

3 Answers

4

How about the Mozilla trusted CAs list? They're used by Linux distros for their ca-certificates packages for one.

The list is available in a few formats, including a CSV containing the certificates details and their hashes.

1
  • It seems like the individual players in ccadb.org each have their own mechanisms for broadcasting. It would be nice if they included versions and/or date info in their consolidated CSV at ccadb.org/resources. That doc does talk about whether it's been approved in each (Mozilla/Microsoft/Chrome etc.) and when audited, but not when submitted and/or approved at any of them... :( Commented Jan 24 at 16:33
1

We'd like to be able to point inquiring security teams from clients to public documentation and say "this root has been publicly distributed

You need an automated way to inventory the certificates on the devices under your scope of management.

This includes certificates that exist in stores, also other well-known file system locations.

0

The list of certificates from Microsoft is available here:

https://learn.microsoft.com/en-us/security/trusted-root/participants-list

Like Mozilla's, it's available in multiple formats (it's actually hosted at the same place, so they have the same format).

But like Mozilla's, it does not actually include the date it was added to the store, so you can find out which certificates are considered trusted (or not), but you'll have to find another source to know when it was added.

1
  • As mentioned in the (originally very poorly formatted) reference links, searching for specific root certs in the trusted root program for Microsoft will tell you which Patch Tuesday updates included them. It's not a consolidated list, but it is available for Microsoft... Commented Jan 24 at 16:36
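Putting the three answers together (the CCADB CSV export with certificate hashes from the first answer, the inventory the second answer recommends, and Microsoft's list in the same format from the third), here is an added Python example that is not part of the question or any of the answers. It fingerprints every certificate in a local PEM bundle and diffs it against a CSV export by SHA-256 fingerprint, reporting which listed roots are missing from the store and which store entries are not in the list at all. The CSV column names are an assumption about the CCADB export (check the header of the file you actually download), and the PEM "certificates" are constructed stand-ins, not real roots; only the standard library is used, so it runs offline.

```python
"""
Diff a local PEM trust bundle against a CCADB-style CSV export by SHA-256
fingerprint.  Standard library only.  Added example; the column names and
sample certificates below are assumptions / constructed data.
"""
import base64
import csv
import hashlib
import io
import json
import re
import ssl

# Assumed column names of the CCADB "included certificates" CSV export.
NAME_COL = "Common Name or Certificate Name"
FP_COL = "SHA-256 Fingerprint"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def sha256_fingerprint(pem_block: str) -> str:
    """SHA-256 over the DER bytes, upper-case hex without colons (the form
    the CSV uses; `openssl x509 -fingerprint -sha256` prints it with colons)."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    return hashlib.sha256(der).hexdigest().upper()


def load_bundle(pem_text: str) -> dict[str, str]:
    """Map fingerprint -> PEM block for every certificate in a bundle file."""
    return {sha256_fingerprint(m.group(0)): m.group(0)
            for m in PEM_RE.finditer(pem_text)}


def load_ccadb_csv(csv_text: str) -> dict[str, str]:
    """Map fingerprint -> certificate name; tolerate colon-separated hex."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[FP_COL].replace(":", "").upper(): row[NAME_COL] for row in rows}


def audit(bundle: dict[str, str], ccadb: dict[str, str]) -> dict[str, list[str]]:
    """Roots the public list has but the store lacks, and store entries the
    public list does not know about (vendor-private or stale roots)."""
    missing = sorted(name for fp, name in ccadb.items() if fp not in bundle)
    unknown = sorted(fp for fp in bundle if fp not in ccadb)
    return {"missing_from_store": missing, "not_in_ccadb": unknown}


# ---- constructed sample data (not real certificates) ----------------------
def _pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def _fp(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest().upper()


# Arbitrary bytes wrapped in PEM armour so the fingerprint matching can be
# shown offline; PEM_cert_to_DER_cert only base64-decodes, it does not parse.
ROOT_A = b"constructed DER: SSL.com TLS RSA Root CA 2022"
ROOT_B = b"constructed DER: Example Legacy Root"
ROOT_C = b"constructed DER: vendor-only root not in CCADB"

# The appliance's store has B and C but lacks the newer root A.
SAMPLE_BUNDLE = _pem(ROOT_B) + _pem(ROOT_C)

# The public list knows A and B, with B's fingerprint in colon form.
SAMPLE_CCADB_CSV = (
    f'"{NAME_COL}","{FP_COL}"\n'
    f'"SSL.com TLS RSA Root CA 2022","{_fp(ROOT_A)}"\n'
    f'"Example Legacy Root","{":".join(_fp(ROOT_B)[i:i + 2] for i in range(0, 64, 2))}"\n'
)


def run_sample() -> dict[str, list[str]]:
    return audit(load_bundle(SAMPLE_BUNDLE), load_ccadb_csv(SAMPLE_CCADB_CSV))


if __name__ == "__main__":
    # For a real run, replace SAMPLE_BUNDLE with the contents of e.g.
    # ssl.get_default_verify_paths().cafile and SAMPLE_CCADB_CSV with the
    # downloaded export.
    print(json.dumps(run_sample(), indent=2))
```

The "missing_from_store" names are the ones to hand to the client's security team together with the CCADB row (and, for Windows, the Patch Tuesday page the question's update links); the "not_in_ccadb" fingerprints are worth a second look because the public lists do not vouch for them. For a Java keystore, `keytool -list -v -keystore <file>` prints the SHA-256 fingerprint in colon form, which `load_ccadb_csv`'s normalisation already accepts, so the same comparison works after pasting those lines into a CSV.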
