Permalink
Browse files

Updated Trust Stores, Java added

This is an update of the root certificate stores. Date from each store
is from yesterday.

Description update.

Also the Java certificate store was added. Previously Java was omitted
as it appeared not to be complete. I tested successfully this store.
  • Loading branch information...
drwetter committed Dec 14, 2018
1 parent 1416ff6 commit f708e1420e1b3eccf99e042e1961d2978ce4d15b
Showing with 11,438 additions and 8,912 deletions.
  1. +3,239 −4,076 etc/Apple.pem
  2. +3,292 −0 etc/Java.pem
  3. +3,293 −3,672 etc/Linux.pem
  4. +1,340 −156 etc/Microsoft.pem
  5. +257 −994 etc/Mozilla.pem
  6. +17 −14 etc/README.md

Large diffs are not rendered by default.

Oops, something went wrong.
3,292 etc/Java.pem

Large diffs are not rendered by default.

Oops, something went wrong.

Large diffs are not rendered by default.

Oops, something went wrong.

Large diffs are not rendered by default.

Oops, something went wrong.

Large diffs are not rendered by default.

Oops, something went wrong.
@@ -1,33 +1,36 @@

#### Certificate stores
### Certificate stores

The certificate stores were retrieved by
The certificate trust stores were retrieved from

* Mozilla; see https://curl.haxx.se/docs/caextract.html
* Linux: Just copied from an up-to-date Linux machine
* Microsoft: Following command pulls all certificates from Windows Update services: (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions): ``CertUtil -syncWithWU -f -f . ``.
* Apple: It comes from Apple OS X keychain app. Open Keychain Access utility, i.e.
In the Finder window, under Favorites --> "Applications" --> "Utilities"
* **Linux:** Copied from an up-to-date Debian Linux machine
* **Mozilla:** https://curl.haxx.se/docs/caextract.html
* **Java:** JRE keystore pulled + extracted with keytool from a Linux machine from $JAVA_HOME/jre/lib/security/cacerts
* **Microsoft:** Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions).
* **Apple:**
1. __System:__ from Apple OS X keychain app. Open Keychain Access utility, i.e.
In the Finder window, under Favorites --> "Applications" --> "Utilities"
(OR perform a Spotlight Search for Keychain Access)
--> "Keychain Access" (2 click). In that window --> "Keychains" --> "System"
--> "Category" --> "All Items"
Select all CA certificates except for Developer ID Certification Authority, "File" --> "Export Items"
2. __Internet:__ Pick the latest subdir from https://opensource.apple.com/source/security_certificates/. They are in DER format despite their file extension.

In this directory you can also save e.g. your company Root CA(s) in PEM
format, extension ``pem``. This has two catches momentarily: You will still
get a warning for the other certificate stores while scanning internal net-
works. Second catch: If you scan other hosts in the internet the check against
your Root CA will fail, too. This will be fixed in the future, see #230.
Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

If you want to test against e.g. a company internal CA you want to avoid warnings from the certificate stores here it's recommended to use ``ADDITIONAL_CA_FILES=<companyCA.pem ./testssl.sh <your cmdline>``. (The former mechanism was to put the company root CA certificate here.)


#### Further files

#### Further needed files
* ``tls_data.txt`` contains lists of cipher suites and private keys for sockets-based tests

* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS

* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
``~/utils/create_ca_hashes.sh`` for an update

* ``common-primes.txt`` is used for LOGJAM
* ``common-primes.txt`` is used for LOGJAM and the PFS section

* ``client-simulation.txt`` as the name indicates it's the data for the client simulation. Use
``~/utils/update_client_sim_data.pl`` for an update. Note: This list has been manually

0 comments on commit f708e14

Please sign in to comment.