Changes to Trusted Root Certificates in Android 8.0 Oreo
Amazon’s CA Now Trusted By Android; 155 Trusted Roots in Total
The latest version of Google’s snack-food-named mobile OS was released this week (on August 21st).
While most Android users are excited about new emojis, picture-in-picture app support, and better performance, I bet you can guess what we are most excited about. That’s right, root certificate changes!
With this release, six roots were added and six were also removed – leaving the total number of trusted roots at 155. The most notable additions were four root certificates for Amazon’s new CA..
Android 8.0 also removes support for SSL 3.0, an aging version of the protocol which ‘killed’ three years ago by the POODLE vulnerability.
Roots Added
Root Name | Owner | Key | Signature | Expires |
Amazon Root CA 1 | Amazon | RSA 2048-bit | SHA-256 | Jan 17, 2038 |
Amazon Root CA 2 | Amazon | RSA 4096-bit | SHA-384 | May 26, 2040 |
Amazon Root CA 3 | Amazon | ECC 256-bit | ECDSA SHA-256 | May 26, 2040 |
Amazon Root CA 4 | Amazon | ECC 384-bit | ECDSA SHA-384 | May 26, 2040 |
LuxTrust Global Root 2 | LuxTrust | RSA 4096-bit | SHA-256 | Mar 5, 2035 |
AC RAIZ FNMT-RCM | Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | RSA 4096-bit | SHA-256 | Dec 31, 2029 |
Note that the Starfield Class 2 Certification Authority root, which was previously owned by GoDaddy, was sold to and has been operated by Amazon since June 10th, 2015. This root has been trusted on Android for many versions. Amazon’s roots are cross-signed by this root certificate to enable trust on older devices.
Roots Removed
Root Name | Owner | Reason for Removal | Expires |
Buypass Class 2 CA 1 | Buypass | Expired | Oct 13, 2016 |
Juur-SK | AS Sertifitseerimiskeskuse (SK) | Expired | Aug 26, 2016 |
EBG Elektronik Sertifika Hizmet Sağlayıcısı | E-Tugra | Expired | Aug 14, 2016 |
IGC/A | Government of France (ANSSI, DCSSI) | CA requested removal | Oct 17, 2020 |
RSA Security 2048 V3 | RSA (EMC) | CA requested removal | Feb 22, 2026 |
Root CA Generalitat Valenciana | Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | CA requested removal | July 1, 2021 |
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown