| The CA-Certificates package is based on the list provided |
| by the Mozilla Foundation. |
| |
| This version of the package contains the following adjustments: |
| |
| (a) |
| The following root CA certificate is included in Mozilla's list: |
| Subject/Issuer: "E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA" |
| Serial Number: 1 (0x1) |
| Signature Algorithm: PKCS #1 MD5 With RSA Encryption |
| Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A |
| |
| For compatibility with signed applets and OpenJDK, this package includes |
| an additional version of the root CA certificate, which contains the |
| same issuer/subject names and the same public key, but which contains a |
| different signature algorithm, serial number and validity dates: |
| Serial Number:36:12:22:96:c5:e3:38:a5:20:a1:d2:5f:4c:d7:09:54 |
| Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption |
| Fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66 |
| |
| Thawte/Symantec have confirmed that the certificate is authentic at: |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1100532#c9 |
| |
| (b) |
| Mozilla has removed several CA certificates that use 1024 bit keys. |
| |
| For compatibility reasons, this package keeps several of those removed |
| CA certificates still trusted by default. |
| |
| Please refer to the ca-legacy(8) man page and the ca-legacy utility |
| to learn how to disable them, if desired. |
| |