Finding the List of Certificates in CA Stores
Someone is running an automated scan on our SSL setup and they insist that our root certificate be included in all the following CA stores:
- "Mozilla NSS – 01/2014"
- "Apple – OS X 10.9.2"
- "Java 6 – Update 65"
- "Microsoft – 04/2014"
Now, I could argue about the list of CA stores they are using for their tests, but this is not going to be a productive discussion. So I am looking for a way to find the exact list of certificates included in the above CA stores, and to derive from that a list of vendors who are going to sell me a valid certificate signed by a root certificate present in all of the above CA stores.
How to know what certificates are included in ‘Mozilla NSS – 01/2014’?
Knowing the certificates included in ‘Mozilla NSS – 01/2014’ can be challenging: searching for that string will not turn up a certificate list, because it is the scanner's own label rather than an official release name. The practical approach is to locate the NSS release that was current at that date; NSS ships its built-in root list as the file `certdata.txt`, so that file from the matching release is the list the label refers to.
How to identify vendors that sell certificates indirectly signed by a specific root certificate?
Identifying vendors that sell certificates indirectly signed by a specific root certificate can be a complex task. The appropriate method is to build the chain of trust, starting from the server certificate (the leaf). The leaf's Authority Key Identifier (AKI) extension names the key of its issuer, so the next certificate in the chain is the one whose Subject Key Identifier (SKI) matches that AKI. Repeating this step until a self-signed certificate is reached identifies the root that ultimately signs the leaf; it is this root, not the intermediates, that must be present in the CA bundle. Some tools do not build the chain at all and instead check each certificate individually for presence in the CA bundle, root or not, which produces misleading results.
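The chain-building step described above, as an added example that is not part of the original post: the certificates are constructed stand-ins carrying only the fields the step needs (with a real parser these would be the SKI and AKI extension values), and the naive per-certificate check is included to show how it diverges from a proper root check against each store.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    ski: str                 # Subject Key Identifier (constructed hex values)
    aki: Optional[str]       # Authority Key Identifier; None marks a self-signed root

def is_root(cert: Cert) -> bool:
    return cert.aki is None or cert.aki == cert.ski

def build_chain(leaf: Cert, candidates, max_depth: int = 8):
    """Follow AKI -> SKI from the leaf until a self-signed cert, a dead end or a loop."""
    by_ski = {c.ski: c for c in candidates}
    chain = [leaf]
    while not is_root(chain[-1]) and len(chain) < max_depth:
        issuer = by_ski.get(chain[-1].aki)
        if issuer is None or issuer in chain:   # unknown issuer or cross-reference loop
            break
        chain.append(issuer)
    return chain

def root_in_store(leaf, sent, store) -> bool:
    """Correct check: the chain must terminate in a self-signed cert that the store contains."""
    chain = build_chain(leaf, list(sent) + list(store))
    return is_root(chain[-1]) and chain[-1] in store

def naive_each_in_store(leaf, sent, store) -> bool:
    """What some scanners do: require every certificate, root or not, to be in the bundle."""
    chain = build_chain(leaf, list(sent) + list(store))
    return all(c in store for c in chain)

# Constructed sample hierarchy: leaf -> intermediate -> root, plus an unrelated root.
LEAF = Cert("www.example.test", "aa01", "bb02")
INTERMEDIATE = Cert("Example Intermediate CA", "bb02", "cc03")
ROOT = Cert("Example Root CA", "cc03", None)
OTHER_ROOT = Cert("Other Root CA", "dd04", None)
SERVER_SENT = [LEAF, INTERMEDIATE]        # what the server presents in the handshake
STORES = {                                # constructed stand-ins for the scanner's stores
    "Mozilla NSS - 01/2014": [ROOT, OTHER_ROOT],
    "Java 6 - Update 65": [OTHER_ROOT],   # lacks Example Root CA
}

def evaluate(leaf=LEAF, sent=SERVER_SENT, stores=STORES):
    """Per store: (proper root-present verdict, naive every-cert-present verdict)."""
    return {name: (root_in_store(leaf, sent, store), naive_each_in_store(leaf, sent, store))
            for name, store in stores.items()}
```

For the Mozilla store the proper check passes while the naive one fails because the leaf and intermediate are not in the bundle; for the Java store the chain dead-ends at the intermediate and both checks correctly fail.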
Are there other ways to approach the problem?
There may be alternative approaches to the problem. However, it’s important to understand the chain of trust and the certificates included in the CA stores to ensure the desired level of security.
CA Bundle Deployment
CA bundle deployment can be complicated. Tools like sslyze and Qualys SSL Labs may not accurately reflect which CA bundles are actually deployed, so their verdicts can include both false positives and false negatives. It’s crucial to rely on reliable sources and to understand how different platforms handle CA bundles.
Platforms with their own Root CA trust stores:
- Linux: Different Linux distributions and releases may have their own CA bundles. Programs on the system may choose to use the operating system CA bundle or ignore it.
- Java: Various servers may use different versions of Java, each potentially having a slightly different CA bundle.
- Python: Different Python versions may have their own CA bundles. Some libraries, such as certifi, ship their own bundle derived from the CCADB (Common CA Database) and prune roots with known weaknesses.
- Android: Each major version of Android has its own CA bundle.
- Other: Many other software and programming languages embed their own CA bundles, adding to the complexity.
While there are tools available for finding certificates in CA stores, it’s important to be aware of their limitations. One tool that shows promise is tlstrust, which accounts for many nuances that other tools ignore. It is still prone to false positives and false negatives, but its results are more accurate than the alternatives.
By understanding the CA bundles and the certificates included in them, you can ensure the security of your SSL setup and make informed decisions when purchasing certificates from vendors.