Certification Authority Trust Tracker
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Certification Authority Trust Tracker

What is CATT?

CATT (Certification Authority Trust Tracker) is a collection of scripts and data to track which certification authorities are trusted by various root CA programs.

Publishing Trusted Root Certificates

The CATT project urge root certificate program managers to publish the following information:

  • All currently approved and trusted root certificates. The preferred publishing format is X.509 certificates encoded as PEM or DER, but other formats may be usable as well (e.g., Mozilla certdata as mentioned above). Note that publishing certificate fingerprints is not enough - we do need the actual certificate.

  • All currently approved and trusted Extended Validation OIDs together with each corresponding issuing CA fingerprint.

We strongly recommend that the data above is published at a stable long-term URL, in order to be able to fetch the data automatically.

Trust Sources


Root certificates extracted using extract-osx-trust.sh and and split into files using split-bundle.pl. EV OIDs extracted using extract-osx-ev-pl.

  • Root CA: /System/Library/Keychains/SystemRootCertificates.keychain
  • EV status: /System/Library/Keychains/EVRoots.plist

Apple publish a list of trusted root certificates for iOS, but as this list does not include full certificate data (including public keys) it cannot be used by CATT.


Root certificates fetched using mk-ca-bundle.pl and split into files using split-bundle.pl. EV OIDs extracted using extract-mozilla-ev.py.

More information:


Root certificate metadata is fetched using fetch-microsoft-authroot.sh, producing a JSON file called authroot.json. Actual root certificates fetched using the contents of the JSON file by fetch-microsoft-certs.sh. EV OIDs are not yet extracted.

A ancient snapshot of trusted root certificates can also be found in xfiles/microsoft-2012-12.xlsx.

Oracle Java SE

Root certificates extracted from the Java keystore using extract-java-trust.pl.