evroot.config   [plain text]


# ------------------------------------------------------------------------------
# Extended Validation CA Policy OIDs
# Last updated: 22 Oct 2018, CES/KCM
#
# Each uncommented non-empty line contains a mapping from a CA-defined EV OID
# to the certificate file(s) in ./roots which are authoritative for that OID.
# These lines are processed by the buildEVRoots script to generate the plist.
#

# Actalis
# source: <rdar://problem/15836617>, <snrx://602642711>
# confirmed by http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf
#
# (1.3.159.1.17.1) = 06062B811F011101
#
# roots: Actalis Authentication Root CA.cer
#
1.3.159.1.17.1 "Actalis Authentication Root CA.cer"


# AffirmTrust
# source: <rdar://problem/7824821>
# confirmed by http://www.affirmtrust.com/images/AffirmTrust_CPS_v1.1_12-23-2010.pdf
#
# (1.3.6.1.4.1.34697.2.1) = 060A2B06010401828F090201
#
# roots: AffirmTrust-Commercial.der, AffirmTrust-Networking.der, AffirmTrust-Premium.der, AffirmTrust-Premium-ECC.der
#
1.3.6.1.4.1.34697.2.1 "AffirmTrust-Commercial.der"
1.3.6.1.4.1.34697.2.2 "AffirmTrust-Networking.der"
1.3.6.1.4.1.34697.2.3 "AffirmTrust-Premium.der"
1.3.6.1.4.1.34697.2.4 "AffirmTrust-Premium-ECC.der"


# Amazon
# source: <rdar://problem/33550949&33555967&33556000&33556019>
#
# (2.23.140.1.1) = 060567810C0101
#
2.23.140.1.1 "AmazonRootCA1.cer" "AmazonRootCA2.cer" "AmazonRootCA3.cer" "AmazonRootCA4.cer"


# ANF.es
# source: <rdar://17629277>, <snrx://Request/602051944>
# confirmed by: <https://cert.webtrust.org/SealFile?seal=1625&file=pdf>
#
# (1.3.6.1.4.1.18332.55.1.1.2.22) = 060D2B06010401818F1C3701010216
#
1.3.6.1.4.1.18332.55.1.1.2.22 "ANF_Global_Root_CA_SHA256.cer"


# Buypass (Norway)
# TestURL: https://valid.evident.ca23.ssl.buypass.no/
# TestURL: https://valid.evident.ca13.ssl.buypass.no
# source: <sonr://Request/66633590>
# confirmed by https://cert.webtrust.org/ViewSeal?id=848
# confirmed by http://www.buypass.no/Bedrift/Produkter+og+tjenester/SSL/SSL%20dokumentasjon
#
# (2.16.578.1.26.1.3.3) = 0608608442011A010303
#
# root: Buypass Class 3 CA 1 Buypass AS-983163327
#
# confirmed by email with John Arild Amdahl Johansen on Nov.12 2013
#
2.16.578.1.26.1.3.3 "Buypass Class 3 Root CA.cer"


# Certigna
# TestURL: http://www.certigna.fr/ca/ACcertigna.crt
# confirmed by <sonr://138828330>
# 86F27C4BE875508EE8793C4BFC61791530729830
# source <sonr://Request/138828330>
#
# (1.2.250.1.177.1.18.2.2)
#
# root: Certigna.cer
#
1.2.250.1.177.1.18.2.2 "Certigna.cer"


# Certum (Unizeto) (Poland)
# source: <sonr://request/95347392>
# source: <rdar://problem/7656178>, <rdar://problem/16974747>
#
# ( 1 2 616 1 113527 2 5 1 1 ) = 060B2A84680186F67702050101
#
# root: Certum Trusted Network CA
# root: Certum CA
#
1.2.616.1.113527.2.5.1.1 "Unizeto-CertumCA.cer" "Poland-Certum-CTNCA.der" "Certum Trusted Network CA 2.cer"

# China Financial Certification Authority
# TestURL: https://pub.cebnet.com.cn/
# source: <rdar://problem/27773899>
#
2.16.156.112554.3 "CFCA_EV_root.cer"

# Comodo
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <http://www.comodo.com/repository/EV_CPS_120806.pdf>
#
# (1.3.6.1.4.1.6449.1.2.1.5.1) = 060C2B06010401B2310102010501
#
# root: COMODO Certification Authority
# subordinate CA of: Add Trust External CA Root
#
1.3.6.1.4.1.6449.1.2.1.5.1 "COMODOCertificationAuthority.crt" "COMODOECCCA.cer" "COMODORSACA.cer" "AddTrust External CA Root.crt" "USERTrustRSACA.cer" "USERTrustECCCA.cer"


# Cybertrust (aka Verizon Business)
# source: <http://en.wikipedia.org/wiki/Extended_Validation_Certificate>
# confirmed by <http://cybertrust.omniroot.com/repository.cfm>
#
# (1.3.6.1.4.1.6334.1.100.1) = 060A2B06010401B13E016401
#
# root: GTE Cybertrust Global Root (removed: <rdar://17530554>)
# root: Baltimore Cybertrust Root
#
1.3.6.1.4.1.6334.1.100.1 "BTCTRT.cer"


# DigiCert
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <https://www.digicert.com/>
# confirmed by <http://www.digicert.com/CPS_V3-0-3_3-15-2007.pdf>
#
# (2.16.840.1.114412.2.1) = 06096086480186FD6C0201  // EV CA-1
# (2.16.840.1.114412.1.3.0.2) = 060B6086480186FD6C01030002  // EV CA-2
#
# root: DigiCert High Assurance EV Root CA
# previously a subordinate CA of: Entrust.net Secure Server Certification Authority
#
2.16.840.1.114412.1.3.0.2 "DigiCertHighAssuranceEVRootCA.crt"

# A14B48D943EE0A0E40904F3CE0A4C09193515D3F
# F517A24F9A48C6C9F8A200269FDC0F482CAB3089
# DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
# 7E04DE896A3E666D00E687D33FFAD93BE83D349E
# DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
# TestURL: https://assured-id-root-g2.digicert.com
# TestURL: https://assured-id-root-g3.digicert.com
# TestURL: https://global-root-g2.digicert.com
# TestURL: https://global-root-g3.digicert.com
# TestURL: https://trusted-root-g4.digicert.com
# confirmed by <snrx://600058205>
2.16.840.1.114412.2.1 "DigiCertHighAssuranceEVRootCA.crt" "DigiCertAssuredIDRootG2.der" "DigiCertAssuredIDRootG3.der" "DigiCertGlobalRootG2.der" "DigiCertGlobalRootG3.der" "DigiCertTrustedRootG4.der"


# DigiNotar
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <https://www.diginotar.com/>
#
# (2.16.528.1.1001.1.1.1.12.6.1.1.1) = 060E6084100187690101010C06010101
#
# root: DigiNotar Root CA
#
# removed per <rdar://problem/10040471>
# 2.16.528.1.1001.1.1.1.12.6.1.1.1 "DigiNotarRootCA2007.crt"


# DocuSign (aka OpenTrust/Certplus, formerly Keynectis)
# source: <sonr://request/76327342>
# confirmed by <https://www.keynectis.com/fr/accueil.html>
# source: <rdar://problem/33556122&33556164&33556207&33556265&33556293>
#
# (1.3.6.1.4.1.22234.2.5.2.3.1) = 060D2B0601040181AD5A0205020301
# (1.3.6.1.4.1.22234.2.14.3.11) = 060C2B0601040181AD5A020E030B
# (1.3.6.1.4.1.22234.3.5.3.1)   = 060C2B0601040181AD5A03050301
#
# source: <rdar://problem/43116953>
# (1.3.6.1.4.1.22234.3.5.3.2)   = 060C2B0601040181AD5A03050302
#
# root: Class 2 Primary CA
# root: OpenTrust Root CA G1, OpenTrust Root CA G2, OpenTrust Root CA G3
# root: Certplus Root CA G1, Certplus Root CA G2
#
1.3.6.1.4.1.22234.2.5.2.3.1 "certplus_class2.der"
1.3.6.1.4.1.22234.2.14.3.11 "OpenTrustRootCA1.cer" "OpenTrustRootCA2.cer" "OpenTrustRootCA3.cer"
1.3.6.1.4.1.22234.3.5.3.1 "CertPlusRootCA1.cer"
1.3.6.1.4.1.22234.3.5.3.2 "CertPlusRootCA2.cer"


# D-Trust
# source: <rdar://problem/13718023>
#
# 1.3.6.1.4.1.4788.2.202.1
#
# root: D-TRUST_Root_Class_3_CA_2_EV_2009.cer
#
1.3.6.1.4.1.4788.2.202.1 "D-TRUST_Root_Class_3_CA_2_EV_2009.cer"


# E-Tugra
# source: <rdar://15745238>
# Test URL:  https://sslev.e-tugra.com.tr
#
2.16.792.3.0.4.1.1.4 "E-Tugra.der"

# Entrust
# 503006091D97D4F5AE39F7CBE7927D7D652D3431
# B31EB1B740E36C8402DADC37D44DF5D4674952F9
# 8CF427FD790C3AD166068DE81E57EFBB932272D4
# 20d80640df9b25f512253a11eaf7598aeb14b547
# TestURL: https://2048test.entrust.net/
# TestURL: https://validev.entrust.net/
# TestURL: https://validg2.entrust.net/
# TestURL: https://validec.entrust.net/
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <http://www.entrust.net/CPS/pdf/webcps051404.pdf>
#
# (2.16.840.1.114028.10.1.2) = 060A6086480186FA6C0A0102
#
# root: Entrust.net Secure Server Certification Authority
# root: Entrust Root Certification Authority
#
# confirmed by <sonr://99624119>
2.16.840.1.114028.10.1.2 "EntrustEVRoot.crt" "EntrustRoot-G2.der" "EntrustRoot-EC1.der" "entrust2048.der"


# GeoTrust
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <http://www.geotrust.com/resources/cps/pdfs/GeoTrustCPS-Version1.pdf>
# G3 root added: <http://www.geotrust.com/resources/cps/pdfs/GeoTrustCPS-Version1.1.13.pdf>
# G2 ECC root added Sep 2014: <rdar://18132775>
#
# (1.3.6.1.4.1.14370.1.6) = 06092B06010401F0220106
#
# root: GeoTrust Primary Certification Authority
# subordinate CA of: Equifax Secure Certificate Authority
#
1.3.6.1.4.1.14370.1.6 "geotrust-primary-ca.crt" "GeoTrust Primary Certification Authority - G3.cer" "GeoTrust Primary Certification Authority - G2.cer"


# Global Digital Cybersecurity Authority (aka Guang Dong Certificate Authority Co. Ltd.)
# source: <rdar://problem/44744018>
#
# (1.2.156.112559.1.1.6.1) = 060A2A811C86EF2F01010601
#
# root: GDCA TrustAUTH R5 ROOT
#
1.2.156.112559.1.1.6.1 "GDCATrustAuthR5RootCA.cer"


# GlobalSign
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <https://www.globalsign.com/>
#
# (1.3.6.1.4.1.4146.1.1) = 06092B06010401A0320101
#
# root: GlobalSign Root CA - R3
# root: GlobalSign Root CA - R2
# root: GlobalSign Root CA
#
1.3.6.1.4.1.4146.1.1 "GlobalSignRootCA-R2.cer" "GlobalSign-Root-R3.der"


# Go Daddy (aka Starfield Technologies)
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <https://certs.starfieldtech.com/repository/StarfieldCP-CPS.pdf>
#
# (2.16.840.1.114413.1.7.23.3) = 060B6086480186FD6D01071703
# (2.16.840.1.114414.1.7.23.3) = 060B6086480186FD6E01071703
#
# root: Go Daddy Class 2 Certification Authority (for 114413)
# root: Starfield Class 2 Certificate Authority (for 114414)
# root: Starfield Root Certificate Authority - G2 (for 114414)
# root: Starfield Services Root Certificate Authority - G2 (for 114414)
# previously subordinate CA of: Valicert Class 2 Policy Validation Authority (both)
#
2.16.840.1.114413.1.7.23.3 "GD-Class2-root.crt" "GoDaddyRootCertificateAuthorityG2.der"
2.16.840.1.114414.1.7.23.3 "SF-Class2-root.crt" "StarfieldRootCertificateAuthorityG2.der"
2.16.840.1.114414.1.7.24.3 "StarfieldServicesRootCertificateAuthorityG2.der"


# Izenpe
# source: <sonr://Request/74637008>
# source: <sonr://Request/84249406>
# confirmed by <https://servicios.izenpe.com/jsp/descarga_ca/s27descarga_ca_c.jsp>
#
# (1.3.6.1.4.1.14777.6.1.1) = 060A2B06010401F339060101
# (1.3.6.1.4.1.14777.6.1.2) = 060A2B06010401F339060102
#
# root: Izenpe.com
# root: Izenpe.com/emailAddress=Info@izenpe.com
#
1.3.6.1.4.1.14777.6.1.1 "Izenpe-RAIZ2007.crt"
1.3.6.1.4.1.14777.6.1.2 "Izenpe-RAIZ2007.crt"


# Logius (aka Staat der Nederlanden)
# source: <rdar://problem/16256943> application for root trust store inclusion for Logius EV certificate
# confirmed by <https://www.logius.nl/producten/toegang/pkioverheid/documentatie/certificaten-pkioverheid/staat-der-nederlanden-ev/>,
# <https://bugzilla.mozilla.org/show_bug.cgi?id=1016568>
# <http://cert.pkioverheid.nl/EVRootCA.cer>
#
# (2.16.528.1.1003.1.2.7) = 060960841001876B010207
#
# root: Staat der Nederlanden EV Root CA
#
2.16.528.1.1003.1.2.7 "Staat der Nederlanden EV Root CA.cer"


# Network Solutions
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <https://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp>
#
# (1.3.6.1.4.1.782.1.2.1.8.1) = 060C2B06010401860E0102010801
#
# root: Network Solutions Certificate Authority
# subordinate CA of: AddTrust External CA Root
#
1.3.6.1.4.1.782.1.2.1.8.1 "NetworkSolutionsEVRoot.crt" "AddTrust External CA Root.crt"


# QuoVadis
# source: <http://www.mozilla.org/projects/security/certs/included/>
# confirmed by <http://www.quovadisglobal.bm/Repository.aspx>
#
# (1.3.6.1.4.1.8024.0.2.100.1.2) = 060C2B06010401BE580002640102
#
# root: QuoVadis Root Certification Authority
# root: QuoVadis Root CA 2
#
1.3.6.1.4.1.8024.0.2.100.1.2 "qvrca.crt" "qvrca2.crt" "qvrca2g3.cer"


# Secom (aka SECOM Trust Systems Co., Ltd.)
# TestURL: https://scrootca2test.secomtrust.net also consider: https://fmctest.secomtrust.net/
# FEB8C432DCF9769ACEAE3DD8908FFD288665647D
# source: <https://repository.secomtrust.net/SC-Root1/>
#
# (1.2.392.200091.100.721.1) = 060A2A83088C9B1B64855101
#
# root: Security Communication RootCA1
#
1.2.392.200091.100.721.1 "SCRoot1ca.cer" "SECOM-EVRoot1ca.cer" "SECOM-RootCA2.cer"


# SSL.com
# <rdar://40729542>
#
# (2.23.140.1.1) = 060567810C0101
#
# root: SSL.com EV Root Certification Authority RSA R2
# root: SSL.com EV Root Certification Authority ECC
#
2.23.140.1.1 "SSL.comEVRootCARSAR2.der" "SSL.comEVRootCAECC.der"


# StartCom
# source: <http://www.mozilla.org/projects/security/certs/included/#StartCom>
# confirmed by <https://www.startssl.com/certs/>, <https://www.startssl.com/policy.pdf>
#
# (1.3.6.1.4.1.23223.2) =
# (1.3.6.1.4.1.23223.1.1.1) =
#
# root: StartCom Certification Authority
#
1.3.6.1.4.1.23223.2 "startcom-sfsca.der" "startcomSHA2.der" "StartCom May 2013 G2.der"
1.3.6.1.4.1.23223.1.1.1 "startcom-sfsca.der" "startcomSHA2.der" "StartCom May 2013 G2.der"


# SwissCom
# source : <rdar://problem/13768455> SwissCom Root Certificates
# TestURL: https://test-quarz-ev-ca-2.pre.swissdigicert.ch/
# confirmed by <snrx://224162961>,
# <http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_1_de.pdf>
#
# previously, we had noted these additional OIDs for SwissCom:
#   (2.16.756.1.83.20.1.1) = 06086085740153140101
# verified with CA that this OID is no longer used: <rdar://15180773>
#   (2.16.756.1.83.2.2) = 060760857401530202
# <https://en.wikipedia.org/wiki/Extended_Validation_Certificate>; confirmed by Swisscom:
#   (2.16.756.1.83.21.0) = 060760857401531500
#
# E7A19029D3D552DC0D0FC692D3EA880D152E1A6B
#
2.16.756.1.83.21.0 "Swisscom Root EV CA 2.cer"


# SwissSign
# source: <https://swisssign.com/english/download-document/20-swisssign-gold-ca-g2.html>
# repository: https://swisssign.com/english/gold/view-category.html
#
# (2.16.756.1.89.1.2.1.1) = ...
#
# root: SwissSign Gold CA - G2
# root: SwissSign Gold Root CA - G3
#
2.16.756.1.89.1.2.1.1 "SwissSign-Gold_G2.der" "Gold_Root_G3_2009.der"


# Trustwave (aka SecureTrust, formerly XRamp)
# source: <http://www.mozilla.org/projects/security/certs/included/>
#
# (2.16.840.1.114404.1.1.2.4.1) = 060C6086480186FD640101020401
#
# root: SecureTrust CA
# root: Secure Global CA
# root: XRamp Global CA
# formerly subordinate CA of: Entrust.net Secure Server Certification Authority
#
2.16.840.1.114404.1.1.2.4.1 "Trustwave-STCA.der" "Trustwave-SGCA.der" "XGCA.crt"


# Thawte
# source: <http://www.mozilla.org/projects/security/certs/included/>
# G3 EV root added: <http://www.thawte.com/assets/documents/repository/cps/Thawte_CPS_3_7.9.pdf>
# G2 ECC root added Sep 2014: <rdar://18132769>
# G2 ECC root removed Oct 2018: <rdar://42910219>
#
# (2.16.840.1.113733.1.7.48.1) = 060B6086480186F84501073001
#
# root: thawte Primary Root CA
# subordinate CA of: Thawte Premium Server CA
#
2.16.840.1.113733.1.7.48.1 "thawte-primary-root-ca.crt" "thawte Primary Root CA - G3.cer"


# T-TeleSec
# source: <rdar://problem/14254092> T-Systems / Telesec.de root certificates
#
# (1.3.6.1.4.1.7879.13.24.1)
#
# root: T-TeleSec GlobalRoot Class 2 T-TeleSec GlobalRoot Class 3
#
1.3.6.1.4.1.7879.13.24.1 "T-TeleSec GlobalRoot Class 2.cer" "T-TeleSec GlobalRoot Class 3.cer"


# VeriSign
# source: <http://www.mozilla.org/projects/security/certs/included/>
#
# (2.16.840.1.113733.1.7.23.6) = 060B6086480186F84501071706
#
# root: VeriSign Class 3 Public Primary Certification Authority - G5
# subordinate CA of: Class 3 Public Primary Certification Authority
#
# Symantec
# source: <rdar://problem/13712338> Symantec ECC root certificates May 2013
# Class 3 G6 root added Sep 2014: <rdar://18132757>
# Class 3 G4, G6 roots removed Oct 2018: <rdar://42910219>
#
# VeriSign
# source: <rdar://13712338> Symantec ECC root certificates May 2013
# EV OID correction: <rdar://17095623> EV-enablement for Verisign root certificate already in the keychain
#
2.16.840.1.113733.1.7.23.6 "VeriSignC3PublicPrimaryCA-G5.cer" "VeriSign Class 3 Public Primary Certification Authority - G4.cer" "VeriSign Universal Root Certification Authority.cer"


# Wells Fargo
# source: <sonr://request/72493272>
# confirmed by <https://www.wellsfargo.com/com/cp>
#
# (2.16.840.1.114171.500.9) = 060A6086480186FB7B837409
#
# root: WellsSecure Public Root Certificate Authority
#
# removed per <rdar://31890397>
# 2.16.840.1.114171.500.9 "WellsSecurePRCA.der"


# OISTE WISeKey Global Root GB CA
# source: <rdar://23387289> (application attached)
# <http://public.wisekey.com/crt/>
2.16.756.5.14.7.4.8 "WISeKey-SHA2-owgrgbca.cer"


# Camerfirma
# TestURL: https://server2.camerfirma.com:8082
# TestURL: https://www.camerfirma.com/
# confirmed by <snrx://277093627>
#
# (1.3.6.1.4.1.17326.10.14.2.1.2) = 060D2B0601040181872E0A0E020102
# (1.3.6.1.4.1.17326.10.8.12.1.2) = 060D2B0601040181872E0A080C0102
#
# 786A74AC76AB147F9C6A3050BA9EA87EFE9ACE3C
# 6E3A55A4190C195C93843CC0DB722E313061F0B1
#
1.3.6.1.4.1.17326.10.14.2.1.2 "root_chambers-2008.der"
1.3.6.1.4.1.17326.10.8.12.1.2 "root_chambersign-2008.der"


# Firmaprofesional
# AEC5FB3FC8E1BFC4E54F03075A9AE800B7F7B6FA
# Firmaprofesional-CIF-A62634068.der
# TestURL: https://publifirma.firmaprofesional.com/
# confirmed by <sonr://230298678>
#
# (1.3.6.1.4.1.13177.10.1.3.10) = 060B2B06010401E6790A01030A
#
1.3.6.1.4.1.13177.10.1.3.10 "Firmaprofesional-CIF-A62634068.der"


# TWCA
# TestURL (4096): https://evssldemo3.twca.com.tw/index.html
# TestURL (2048): https://evssldemo.twca.com.tw/index.html
# confirmed with Robin Lin of TWCA on August 13 2013
#
# (1.3.6.1.4.1.40869.1.1.22.3) = 060C2B0601040182BF2501011603
#
#  9CBB4853F6A4F6D352A4E83252556013F5ADAF65
#  CF9E876DD3EBFC422697A3B5A37AA076A9062348
#
1.3.6.1.4.1.40869.1.1.22.3 "TWCARootCA-4096.der" "twca-root-1.der"



# ------------------------------------------------------------------------------