Blame SOURCES/README.ca-certificates

The CA-Certificates package is based on the list provided
by the Mozilla Foundation.

This version of the package contains the following adjustments:

(a)
The following root CA certificate is included in Mozilla's list:
  Subject/Issuer: "E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA"
  Serial Number: 1 (0x1)
  Signature Algorithm: PKCS #1 MD5 With RSA Encryption
  Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A

For compatibility with signed applets and OpenJDK, this package includes
an additional version of the root CA certificate, which contains the
same issuer/subject names and the same public key, but which contains a
different signature algorithm, serial number and validity dates:
  Serial Number: 36:12:22:96:c5:e3:38:a5:20:a1:d2:5f:4c:d7:09:54
  Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
  Fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66

Thawte/Symantec have confirmed that the certificate is authentic at:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1100532#c9

(b)
Mozilla has removed several CA certificates that use 1024-bit keys.

For compatibility reasons, this package keeps several of those removed
CA certificates still trusted by default.

Please refer to the ca-legacy(8) man page and the ca-legacy utility
to learn how to disable them, if desired.
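
The two Thawte variants in (a) share a subject and public key, so only the fingerprint tells them apart. The following is an added example, not part of the package or of this README: it reports which of the two fingerprints listed above appear in a PEM bundle. The function names and the sample bundle are constructed for illustration, and the bundle path is supplied by the caller.

```python
import hashlib
import re
import ssl
import sys

# SHA-1 fingerprints copied from section (a) of this README.
README_FINGERPRINTS = {
    "62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A":
        "Thawte Premium Server CA, MD5 signature (Mozilla's list)",
    "E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66":
        "Thawte Premium Server CA, SHA-1 signature (added copy)",
}

# Plain "CERTIFICATE" blocks only; other PEM block types are not matched.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def sha1_fingerprint(der):
    """Format the SHA-1 of the DER bytes the way the README prints it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text):
    """Fingerprint every PEM certificate block found in a bundle."""
    return [sha1_fingerprint(ssl.PEM_cert_to_DER_cert(block))
            for block in PEM_BLOCK.findall(bundle_text)]


def audit_bundle(bundle_text, expected=README_FINGERPRINTS):
    """Map each expected certificate label to True if it is in the bundle."""
    present = set(bundle_fingerprints(bundle_text))
    return {label: fp in present for fp, label in expected.items()}


def constructed_bundle():
    """Constructed sample: placeholder bytes, not real certificates."""
    blobs = [b"constructed sample A", b"constructed sample B"]
    return "# constructed bundle\n".join(
        ssl.DER_cert_to_PEM_cert(b) for b in blobs)


if __name__ == "__main__":
    # Pass the path of a PEM bundle; without one, the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = constructed_bundle()
    for label, found in audit_bundle(text).items():
        print(("present" if found else "absent ") + "  " + label)
```

Run on the constructed sample, both entries are reported absent, since the placeholder blocks are not the Thawte certificates.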