Changes to Trusted Root Certificates in Mac OS Sierra and iOS 10
Apple’s Latest OS Trusts 165 Root Certificates.
A root store is a database of root certificates that a computer “trusts” as an issuer of SSL, code signing, and other X.509 certificates. This list of roots dictates which certificates your computer will automatically accept for a connection, or “trust.” Certificates chaining to a root that is not on this list have to be manually accepted, which is not practical for public websites or services.
These root certificates belong to Certificate Authorities (CAs), a wide range of organizations, from well-known cyber security companies like Symantec and Comodo to regional providers and government offices. The average user will only interact with certificates from a handful of these providers, but their devices, and hundreds of millions of other devices around the world, still trust all of them, which is often criticized as a security risk.
Vendors either maintain their own root store or use an existing one. These root stores usually have acceptance policies, which include yearly audits and compliance reports showing that the CAs follow industry requirements.
Microsoft and Apple maintain their own root stores for their operating systems. Mozilla also operates one used by its Firefox browser and many Linux distributions.
Operating systems usually make changes to their trusted (and untrusted) root certificates during major updates. Apple updates its trust store with every major release of Mac OS and iOS.
The newest version of Apple’s Mac OS operating system – Version 10.12, or “Sierra” – was released last week; and iOS 10 was released the week before that.
Usually this means the trusted root store grows with every release. With Sierra and iOS 10, however, Apple’s trust store has actually gotten smaller.
Here are some quick facts about Apple’s trust store:
- Mac OS and iOS trust 165 root certificates in total. This is 23 fewer total certificates than the previous version (in El Capitan). Only two new roots have been added. (Update: The ISRG Root, used by Let’s Encrypt, was added in a later update).
- Of the 165 root certificates, 152 use RSA keys and 13 use ECDSA keys. Of the RSA keys, 102 are 2048-bit and 50 are 4096-bit. Twelve of the ECDSA keys are 384-bit and one is 256-bit.
- Two root certificates expired before Sierra was even released. A third expires this October. All three of those CAs (AS Sertifitseerimiskeskus, E-Tugra, and Buypass) have other roots that will remain trusted for some time.
- On the other end, the longest-living root is owned by Certum and won’t expire until 2046. At least it uses a 4096-bit RSA key…
- UPDATE: The Turkish CA TÜRKTRUST has announced that it will be suspending its SSL business after failing to get its new roots added to Apple’s store. Its current root expires in December of 2017, giving it only one year until its certificates become inoperable on Apple devices. It is well known within the CA/SSL industry that Apple’s CA program is one of the most difficult to work with.
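The tallies in the quick facts above (key type and size, signature hash, expiry, longest-lived root) are exactly what a defender should pull from any root store they ship. The following is an added example, not code from the article or from Apple: it assumes the third-party `cryptography` package, builds a constructed three-root store (a modern RSA root, an expired SHA-1-signed root, and a P-384 ECDSA root), and audits it the same way.

```python
# Added example: audit a root store the way the article's quick facts do.
from collections import Counter
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

WEAK_SIG = {"md5", "sha1"}  # hashes that appear only among the removed roots

def make_root(cn, key, hash_alg, years, expired=False):
    """Self-signed CA certificate, constructed for this example only."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.now(timezone.utc)
    if expired:  # push the whole validity window into the past
        start -= timedelta(days=365 * (years + 1))
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=365 * years))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hash_alg))

def rsa2048():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def sample_store():
    return [make_root("Modern RSA Root", rsa2048(), hashes.SHA256(), 20),
            make_root("Legacy Root", rsa2048(), hashes.SHA1(), 10, expired=True),
            make_root("P-384 Root", ec.generate_private_key(ec.SECP384R1()), hashes.SHA384(), 25)]

def audit_store(certs):
    """Tally key types/sizes and flag expired or weakly signed roots."""
    now = datetime.now(timezone.utc)
    report = {"keys": Counter(), "expired": [], "weak_sig": [], "latest": None}
    for c in certs:
        cn = c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        pub = c.public_key()
        kind = "RSA" if isinstance(pub, rsa.RSAPublicKey) else "ECDSA"
        report["keys"][(kind, pub.key_size)] += 1
        sig = c.signature_hash_algorithm.name  # e.g. "sha1", "sha256", "sha512"
        if sig in WEAK_SIG:
            report["weak_sig"].append((cn, sig))
        not_after = getattr(c, "not_valid_after_utc", None)  # cryptography >= 42
        if not_after is None:  # older releases expose a naive UTC datetime
            not_after = c.not_valid_after.replace(tzinfo=timezone.utc)
        if not_after < now:
            report["expired"].append(cn)
        if report["latest"] is None or not_after > report["latest"][1]:
            report["latest"] = (cn, not_after)
    return report
```

Point `audit_store` at certificates loaded with `x509.load_pem_x509_certificates` from a real bundle and the `keys` counter reproduces the RSA/ECDSA split reported above, while `expired` and `weak_sig` surface the roots that a release like Sierra removes.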
Changes to Apple’s Root Store
These changes are relative to the root certificates included with the previous version of Mac OS, El Capitan (10.11). The full list of root certificates comes directly from Apple; the certificate data below is taken from these Apple support pages: Roots in Sierra and Roots in El Capitan (with the exception of the “EV Policy” column, which has been simplified for formatting). iOS 10 has the same root store as Sierra.
Apple’s Root Store has three lists of certificates: Trusted, Always Ask, and Blocked. Always Ask certificates are “untrusted but not blocked. When one of these certificates is used, you’ll be prompted to choose whether or not to trust it.” Blocked certificates are entirely unusable. This latest update has made changes to all three lists.
Without further ado, here are the changes:
Trusted Root Certificates:
Added in Mac OS Sierra/iOS 10
Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy |
--- | --- | --- | --- | --- | --- | --- | --- |
Certum Trusted Network CA 2 | Certum Trusted Network CA 2 | RSA | 4096 bits | SHA-512 | 21 D6 D0 4A 4F 25 0F C9 32 37 FC AA 5E 12 8D E9 | 08:39:56 Oct 6, 2046 | Yes |
OISTE WISeKey Global Root GB CA | OISTE WISeKey Global Root GB CA | RSA | 2048 bits | SHA-256 | 76 B1 20 52 74 F0 85 87 46 B3 F8 23 1A F6 C2 C0 | 15:10:31 Dec 1, 2039 | Yes |
ISRG Root X1 | ISRG Root X1 | RSA | 4096 bits | SHA-256 | 00 82 10 CF B0 D2 40 E3 59 44 63 E0 BB 63 82 8B 00 | 11:04:38 Jun 4, 2035 | No |
Notes: The ISRG Root (belonging to Let’s Encrypt) was added in an update in version 10.12.1.
Certum has two “Certum Trusted Network CA 2” root certificates that are identical except for their serial number. In Sierra/iOS 10, one of these roots was swapped for the other. So while this specific certificate is an “addition,” it is not so in the traditional sense.
Removed in Mac OS Sierra/iOS 10
Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy |
--- | --- | --- | --- | --- | --- | --- | --- |
A-Trust-nQual-01 | A-Trust-nQual-01 | RSA | 2048 bits | SHA-1 | 00 E2 42 | 23:00:00 Nov 30, 2014 | Not EV |
A-Trust-nQual-03 | A-Trust-nQual-03 | RSA | 2048 bits | SHA-1 | 01 6C 1E | 22:00:00 Aug 17, 2015 | Not EV |
A-Trust-Qual-01 | A-Trust-Qual-01 | RSA | 2048 bits | SHA-1 | 00 E2 43 | 23:00:00 Nov 30, 2014 | Not EV |
A-Trust-Qual-02 | A-Trust-Qual-02 | RSA | 2048 bits | SHA-1 | 00 E2 48 | 23:00:00 Dec 2, 2014 | Not EV |
AddTrust Qualified CA Root | AddTrust Qualified CA Root | RSA | 2048 bits | SHA-1 | 1 | 10:44:50 May 30, 2020 | Not EV |
AddTrust Public CA Root | AddTrust Public CA Root | RSA | 2048 bits | SHA-1 | 1 | 10:41:50 May 30, 2020 | Not EV |
AdminCA-CD-T01 | AdminCA-CD-T01 | RSA | 2048 bits | SHA-1 | 1 | 12:36:19 Jan 25, 2016 | Not EV |
Application CA G2 | Application CA G2 | RSA | 2048 bits | SHA-1 | 31 | 14:59:59 Mar 31, 2016 | Not EV |
Buypass Class 3 CA 1 | Buypass Class 3 CA 1 | RSA | 2048 bits | SHA-1 | 2 | 14:13:03 May 9, 2015 | Yes |
CA Disig | CA Disig | RSA | 2048 bits | SHA-1 | 1 | 01:39:34 Mar 22, 2016 | Not EV |
Certum Trusted Network CA 2 | Certum Trusted Network CA 2 | RSA | 4096 bits | SHA-512 | 00 B8 59 14 71 3F 57 DF 8F 31 C0 33 3D D2 D6 19 7A 23 17 B4 EB | 08:39:56 Oct 6, 2046 | Yes |
NetLock Kozjegyzoi (Class A) Tanusitvanykiado | NetLock Kozjegyzoi (Class A) Tanusitvanykiado | RSA | 2048 bits | MD5 | 01 03 | 23:14:47 Feb 19, 2019 | Not EV |
Secure Certificate Services | Secure Certificate Services | RSA | 2048 bits | SHA-1 | 1 | 23:59:59 Dec 31, 2028 | Not EV |
Staat der Nederlanden Root CA | Staat der Nederlanden Root CA | RSA | 2048 bits | SHA-1 | 00 98 96 8A | 09:15:38 Dec 16, 2015 | Not EV |
TC TrustCenter Class 2 CA II | TC TrustCenter Class 2 CA II | RSA | 2048 bits | SHA-1 | 2E 6A 00 01 00 02 1F D7 52 21 2C 11 5C 3B | 22:59:59 Dec 31, 2025 | Not EV |
TC TrustCenter Class 3 CA II | TC TrustCenter Class 3 CA II | RSA | 2048 bits | SHA-1 | 4A 47 00 01 00 02 E5 A0 5D D6 3F 00 51 BF | 22:59:59 Dec 31, 2025 | Not EV |
TC TrustCenter Class 4 CA II | TC TrustCenter Class 4 CA II | RSA | 2048 bits | SHA-1 | 05 C0 00 01 00 02 41 D0 06 0A 4D CE 75 10 | 22:59:59 Dec 31, 2025 | Not EV |
TC TrustCenter Universal CA I | TC TrustCenter Universal CA I | RSA | 2048 bits | SHA-1 | 1D A2 00 01 00 02 EC B7 60 80 78 8D B6 06 | 22:59:59 Dec 31, 2025 | Not EV |
TC TrustCenter Universal CA II | TC TrustCenter Universal CA II | RSA | 4096 bits | SHA-1 | 19 33 00 01 00 02 28 1A 9A 04 BC F2 55 45 | 22:59:59 Dec 31, 2030 | Not EV |
TC TrustCenter Universal CA III | TC TrustCenter Universal CA III | RSA | 2048 bits | SHA-1 | 63 25 00 01 00 02 14 8D 33 15 02 E4 6C F4 | 23:59:59 Dec 31, 2029 | Yes |
Trusted Certificate Services | Trusted Certificate Services | RSA | 2048 bits | SHA-1 | 1 | 23:59:59 Dec 31, 2028 | Not EV |
TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | RSA | 2048 bits | SHA-1 | 1 | 10:07:57 Sep 16, 2015 | Not EV |
TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | RSA | 2048 bits | SHA-1 | 1 | 10:27:17 Mar 22, 2015 | Not EV |
VeriSign Class 4 Public Primary Certification Authority – G3 | VeriSign Class 4 Public Primary Certification Authority – G3 | RSA | 2048 bits | SHA-1 | 00 EC A0 A7 8B 6E 75 6A 01 CF C4 7C CC 2F 94 5E D7 | 23:59:59 Jul 16, 2036 | Not EV |
Notes: Certum has two “Certum Trusted Network CA 2” root certificates that are identical except for their serial number. In Sierra/iOS 10, one of these roots was swapped for the other. So while this specific certificate is a “removal,” it is not so in the traditional sense.
Always Ask Certificates
No certificates have been added here. A DigiNotar certificate was moved to the Blocked list.
Removed in Mac OS Sierra/iOS 10
Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy |
--- | --- | --- | --- | --- | --- | --- | --- |
DigiNotar Root CA | DigiNotar Root CA | RSA | 4096 bits | SHA-1 | 0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C | 18:19:21 Mar 31, 2025 | Not EV |
Blocked Certificates
Added in Mac OS Sierra/iOS 10
Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy |
--- | --- | --- | --- | --- | --- | --- | --- |
*.sslip.io | COMODO RSA Domain Validation Secure Server CA | RSA | 4096 bits | SHA-256 | 00 EC 60 FA FC A1 CA 06 AE E9 B7 36 48 0A 28 2F AA | 23:59:59 Aug 19, 2018 | Not EV |
Class 3 Public Primary Certification Authority | Class 3 Public Primary Certification Authority | RSA | 1024 bits | SHA-1 | 3C 91 31 CB 1F F6 D0 1B 0E 9A B8 D0 44 BF 12 BE | 23:59:59 Aug 2, 2028 | Not EV |
DigiNotar Root CA | DigiNotar Root CA | RSA | 4096 bits | SHA-1 | 00 E9 41 4E AA 63 E3 65 C4 0A 2F E3 FD 52 2E E2 99 | 16:27:01 May 14, 2027 | Not EV |
DigiNotar Root CA | DigiNotar Root CA | RSA | 4096 bits | SHA-1 | 0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C | 18:19:21 Mar 31, 2025 | Not EV |
Egypt Trust Class 3 Managed PKI Enterprise Administrator CA | VeriSign Class 3 Public Primary Certification Authority – G3 | RSA | 2048 bits | SHA-1 | 4C 00 36 1B E5 08 2B A9 AA CE 74 0A 05 3E FB 34 | 23:59:59 May 17, 2018 | Not EV |
Egypt Trust Class 3 Managed PKI Operational Administrator CA | VeriSign Class 3 Public Primary Certification Authority – G3 | RSA | 2048 bits | SHA-1 | 3E 0C 9E 87 69 AA 95 5C EA 23 D8 45 9E D4 5B 51 | 23:59:59 May 17, 2018 | Not EV |
Egypt Trust Class 3 Managed PKI SCO Administrator CA | VeriSign Class 3 Public Primary Certification Authority – G3 | RSA | 2048 bits | SHA-1 | 12 BD 26 A2 AE 33 C0 7F 24 7B 6A 58 69 F2 0A 76 | 23:59:59 May 17, 2018 | Not EV |
The Walt Disney Company Root CA | Entrust.net Certification Authority (2048) | RSA | 2048 bits | SHA-1 | 4C 0E 84 56 | 22:22:12 Jan 16, 2019 | Not EV |