{"id":17928,"date":"2024-07-30T09:00:00","date_gmt":"2024-07-30T13:00:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=17928"},"modified":"2024-07-30T07:40:44","modified_gmt":"2024-07-30T11:40:44","slug":"what-is-a-certificate-authority-list-and-where-can-i-find-one","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/what-is-a-certificate-authority-list-and-where-can-i-find-one\/","title":{"rendered":"What Is a Certificate Authority List and Where Can I Find One?"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">PKI industry expert <a href=\"https:\/\/x.com\/rmhrisk\/status\/1721329896746848353\">Ryan Hurst<\/a> estimates that there are around 85 CAs, a little more than a handful of which \u201caccount for 99% of all certificate issuance on the web.\u201d Do you know who these CAs are or where to find a list of root certificate authorities?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Publicly trusted certificate authorities (CAs) make sending and receiving data securely over the Internet possible. A certificate authority list is a compilation of these entities\u2019 trusted roots and typically includes commercial names like <a href=\"https:\/\/www.digicert.com\/\">DigiCert<\/a>, <a href=\"https:\/\/www.sectigo.com\/\">Sectigo<\/a>, and government entities such as the <a href=\"https:\/\/www.idmanagement.gov\/fpki\/\">U.S. Federated Public Key Infrastructure (US FPKI)<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But where do you find a <strong>certificate authority list<\/strong>? How are they used, and for what? 
We\u2019ll start by exploring individual lists of trusted certificate authorities and then wrap things up by answering these and other frequently asked questions (FAQs).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3 Common Certificate Authority Lists (and Where to Find Them)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Wondering what a list of trusted <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-certificate-authority-ca-and-what-do-they-do\/\">certificate authorities<\/a> looks like and where to find one? Let\u2019s start by exploring three of the most common lists and where to find them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Certificate Authority List #1: Chrome Root Store<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One popular list of certificate authorities is operated by Google\u2019s Chromium Project. 
The Google Root Store, guided by the <a href=\"https:\/\/www.chromium.org\/Home\/chromium-security\/root-ca-policy\/\">Chrome Root Program Policy<\/a>, has a list of active CAs that Google trusts for connections in its Chrome browser.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/g.co\/chrome\/root-store\">Google Root Store<\/a> is currently on version 16 as of the writing of this article:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"654\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/google-root-store-example-shadow-1024x654.jpg\" alt=\"A sample of the CA certificates included in Google Chrome\" class=\"wp-image-17929\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/google-root-store-example-shadow-1024x654.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/google-root-store-example-shadow-300x192.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/google-root-store-example-shadow-768x491.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/google-root-store-example-shadow.jpg 1415w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A snippet of Google\u2019s Root Store information that\u2019s available in its Chrome browser.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">But where can you find that info in your Chrome browser?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open a new window in your Chrome web client.<\/li>\n\n\n\n<li>Navigate to <strong>chrome:\/\/system<\/strong>.<\/li>\n\n\n\n<li>Hit the <strong>Expand<\/strong> button next to <em>chrome_root_store<\/em> in the left-hand column (as shown in the screenshot below).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" 
height=\"654\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/chrome-root-store-in-browser-shadow-1024x654.png\" alt=\"A screenshot showing where to access the Chrome root store in the Google Chrome browser. \" class=\"wp-image-17930\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/chrome-root-store-in-browser-shadow-1024x654.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/chrome-root-store-in-browser-shadow-300x192.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/chrome-root-store-in-browser-shadow-768x490.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/chrome-root-store-in-browser-shadow.png 1356w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">There, you\u2019ll see a complete list of all the CAs Google trusts along with their hash values.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Certificate Authority List #2: Mozilla Root Store<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Next, let\u2019s take a quick look at <a href=\"https:\/\/ccadb.my.salesforce-sites.com\/mozilla\/CACertificatesInFirefoxReport\">Mozilla\u2019s Root Store for its Firefox browser<\/a>. This root store includes a list of CA Owners and their specific root certificates. You have multiple options for actions you can take for individual root CAs listed: view, import, export, edit trust, delete or distrust.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The list of certificate authorities trusted by Mozilla is available through the Firefox browser and is maintained in adherence with the <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/\">Mozilla Root Store Policy<\/a>. 
You can find it by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigating to <strong>Settings<\/strong> in the main menu.<\/li>\n\n\n\n<li>Selecting <strong>Privacy and Security<\/strong> in the left-hand navigation bar.<\/li>\n\n\n\n<li>Scrolling down to <strong>Security<\/strong> and finding the sub-section labeled \u201cCertificates.\u201d<\/li>\n\n\n\n<li>Clicking <strong>View Certificates<\/strong> and selecting the <strong>Authorities<\/strong> tab.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"672\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/mozilla-firefox-root-store-example-shadow-1024x672.jpg\" alt=\"A snippet of the list of the certificate authorities trusted by Mozilla for SSL\/TLS. \" class=\"wp-image-17931\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/mozilla-firefox-root-store-example-shadow-1024x672.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/mozilla-firefox-root-store-example-shadow-300x197.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/mozilla-firefox-root-store-example-shadow-768x504.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/mozilla-firefox-root-store-example-shadow.jpg 1450w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A screenshot of Mozilla\u2019s Certificate Manager for the Mozilla Root Store that\u2019s available in its Firefox browser.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You can also access Mozilla\u2019s Included <a href=\"https:\/\/wiki.mozilla.org\/CA\/Included_Certificates\">CA Certificate List through the Mozilla Wiki page<\/a>, which includes .txt and .csv files for both TLS and non-TLS use cases.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Certificate Authority List #3: 
Windows<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Looking for a list of certificate authorities trusted by Microsoft? You can find the <a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/trusted-root\/participants-list\">Microsoft Trusted Root Program<\/a> on the Microsoft website. (This is what Windows OSes and the Microsoft Edge browser use.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re a Windows user, you can look at your machine\u2019s operating system (OS) to see the list for yourself:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click on the <strong>Start<\/strong> menu.<\/li>\n\n\n\n<li>Type <strong>MMC<\/strong> into your run bar.<\/li>\n\n\n\n<li>Select <strong>Run as Administrator<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This will pull up your MMC Console, where you can add the <strong>Certificates Snap-In<\/strong> and view the trusted CAs listed there. Here\u2019s a quick screenshot example of the list of trusted certificate authorities you\u2019ll find when you access the MMC Console this way:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"554\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/trusted-root-ca-certificates-example-mmc-shadow-1024x554.jpg\" alt=\"The MMC console displays certificates trusted by Microsoft's Trusted Root Program. 
\" class=\"wp-image-17932\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/trusted-root-ca-certificates-example-mmc-shadow-1024x554.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/trusted-root-ca-certificates-example-mmc-shadow-300x162.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/trusted-root-ca-certificates-example-mmc-shadow-768x416.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/trusted-root-ca-certificates-example-mmc-shadow.jpg 1317w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A screenshot from the MMC console that shows the list of Trusted Root Certificate Authorities on my Windows 10 device.<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Where to Find Other Certificate Authority Lists<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">These three lists aren\u2019t the only ones available. The certificate authorities that own and operate the root CAs also typically host lists of their certificate authorities on their websites. 
For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DigiCert\u2019s <a href=\"https:\/\/www.digicert.com\/kb\/digicert-root-certificates.htm\">Root and Intermediate Certificates List<\/a>\n<ul class=\"wp-block-list\">\n<li>QuoVadis\u2019 List of <a href=\"https:\/\/www.quovadisglobal.com\/download-roots-crl\/\">Root and Issuing Certificate Authorities<\/a><\/li>\n\n\n\n<li>Thawte\u2019s <a href=\"https:\/\/www.thawte.com\/roots\/\">List of Root Certificate Authorities<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>GlobalSign\u2019s <a href=\"https:\/\/support.globalsign.com\/ca-certificates\/root-certificates\/globalsign-root-certificates\">Root Certificates List<\/a> and <a href=\"https:\/\/support.globalsign.com\/ca-certificates\/intermediate-certificates\">Intermediate CA Certificates List<\/a><\/li>\n\n\n\n<li>Sectigo\u2019s List of <a href=\"https:\/\/www.sectigo.com\/resource-library\/sectigo-root-intermediate-certificate-files\">Root and Intermediate Certificate Authorities<\/a><\/li>\n\n\n\n<li>U.S. Department of the Treasury\u2019s <a href=\"https:\/\/pki.treas.gov\/crl_certs.htm\">CRLs and Certificates List<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">There are also third parties that host lists of root CAs they trust for their software applications and other systems. 
Some examples of these other certificate authority lists include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/support.apple.com\/en-us\/103272\">Apple Trust Store<\/a> (current and past lists)<\/li>\n\n\n\n<li><a href=\"https:\/\/helpx.adobe.com\/acrobat\/kb\/approved-trust-list1.html\">Adobe Approved Trust List<\/a><\/li>\n\n\n\n<li>CheckTLS\u2019s <a href=\"https:\/\/www.checktls.com\/showcas.html\">Trusted Root Certificate Authority List<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32014R0910&amp;from=EN\">eIDAS List of Trusted Lists<\/a><\/li>\n\n\n\n<li>MATTER\u2019s Distributed Compliance Ledger (DCL)<\/li>\n\n\n\n<li>PKI Consortium\u2019s <a href=\"https:\/\/pkic.org\/ltl\/\">List of Trust Lists<\/a><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"685\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/matter-dcl-sample-shadow-1024x685.png\" alt=\"A screenshot of the MATTER DCL list of certificate authorities\" class=\"wp-image-17933\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/matter-dcl-sample-shadow-1024x685.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/matter-dcl-sample-shadow-300x200.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/matter-dcl-sample-shadow-768x514.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/matter-dcl-sample-shadow.png 1254w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A sample from MATTER\u2019S DCL list of approved certificates that can be used to issue certificates to secure consumer home smart devices. 
<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">3 Tools You Can Use to Put Certificate Authority Lists to Work<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, let\u2019s assume you\u2019ve got access to these lists now. So, how can you use them?<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Mozilla Certdata<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">An app like <a href=\"https:\/\/github.com\/crtsh\/root_programs\/tree\/master\/mozilla_certdata\">mozilla_certdata<\/a> parses Mozilla\u2019s source <em>certdata.txt<\/em> file for such root CA information while considering trust records. However, that\u2019s not always ideal because of the root store misuse concerns discussed later in this article.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Certifi<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">You can also use a tool like <a href=\"https:\/\/certifi.io\/\">Certifi<\/a>, a software library that simplifies extracting CA bundle data (i.e., root and intermediate CAs) from Mozilla\u2019s Included CA Certificate List. It has packages that work with multiple languages, such as Python, Ruby, Golang (Go), etc. This makes verifying CA certs against Mozilla\u2019s list easier.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">MKCert API<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/mkcert.org\/\">MKcert<\/a> is another potentially useful tool that pulls and parses Mozilla\u2019s trusted list. However, this open-source tool is different in that it allows you to use an API to determine which CAs you want to trust (rather than blindly trusting whatever Mozilla or other browsers say) and download trust files that include your specified CAs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now you know where to find all of these independent lists and what tools you can employ to use them. But isn\u2019t there a comprehensive single resource that can provide you with a list of certificate authorities in one place? 
We\u2019ve got you covered.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Common CA Database (CCADB): The Holy Grail of CA Lists<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/ccadb.org\/\">Common CA Database<\/a> is a one-stop resource for Root Store operators like Microsoft, Mozilla, and Google. It\u2019s a centralized repository where CAs like DigiCert, Sectigo, Visa, Amazon, and others can publish information about their root CAs to ensure those Root Store operators get consistent, current, and accurate information.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tracking down each CA\u2019s root and ICA certificate information would be annoying and tedious. To simplify this process, the CAs share their lists with this centralized repository. This makes the CCADB the most comprehensive list of certificate authorities out there, as it even includes a list of revoked CAs as well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Part of the CCADB Policy\u2019s General Provisions states that CA Owners must keep the information for their organizations, root CA and subordinate CA certificates current. 
You can <a href=\"https:\/\/www.ccadb.org\/resources\">view the CA certificates<\/a> used in Microsoft\u2019s and Mozilla\u2019s Root Stores in the CCADB.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"659\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/all-certificate-records-report-sample-shadow-1024x659.png\" alt=\"A screenshot of a list of intermediate CA certificates that are included in the Common CA Database (CCADB).\" class=\"wp-image-17934\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/all-certificate-records-report-sample-shadow-1024x659.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/all-certificate-records-report-sample-shadow-300x193.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/all-certificate-records-report-sample-shadow-768x494.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/all-certificate-records-report-sample-shadow.png 1242w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A sample of some of the CA intermediate certificates listed in the Common CA Database.<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">How Many CAs Are Involved in the CCADB?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As far as I can tell, virtually all of them. 
The CCADB includes any CAs with roots or intermediate CAs included in the lists of several notable Root Store operators (think Apple, Google Chrome, Microsoft, and Mozilla Firefox).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example, <a href=\"https:\/\/www.apple.com\/certificateauthority\/ca_program.html\">section 2.1.1 of Apple\u2019s Root Certificate Program Policy Requirements<\/a> states: \u201cEffective April 1, 2022, CA providers must disclose in the CCADB all CA&nbsp;Certificates which chain up to their CA&nbsp;Certificate(s) included in the Apple Root Program.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can download the \u201cAll Certificate Records Report\u201d list (a snippet of which is pictured above) of the 8,600+ intermediate and root CA certificates that have been submitted to the CCADB. Just keep in mind that this list includes a mix of revoked and non-revoked trust chain certificates. So be careful about how you use this information.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Certificate Authority List Use Cases<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now that we know what these different lists of certificate authorities are and where to find them, it\u2019s time to explore what to do with them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Who Typically Uses These Lists and Why?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Technically, anyone can access lists of certificate authorities online. Each CA typically publishes one or more lists of individual <a href=\"https:\/\/www.thesslstore.com\/blog\/root-certificates-intermediate\/\">roots and\/or intermediate certificates<\/a> on its website. 
(Examples of those lists appear in the \u201cWhere to Find Other Certificate Authority Lists\u201d section above.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These lists are handy for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Researchers who use the data for their studies and analyses.<\/li>\n\n\n\n<li>Software developers who use them to create apps that interact with WebPKI and specific device operating systems.<\/li>\n\n\n\n<li>PKI engineers and IT admins who need to ensure their software apps and networks are using valid certificates (or who need to import them).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Where Can You Use These Lists?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Certificate authority roots should be included in all hardware and software applications that support or rely on them. This includes your browsers, operating systems, web clients, and more.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Warning: Use the Right List for the Right Task<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Are certificate authority lists one-size-fits-all solutions? No. Use the appropriate root CAs for their intended uses. Otherwise, things aren\u2019t going to end well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is why, in addition to the all-encompassing list that includes all root and intermediate CAs, the CCADB also provides more targeted lists geared for specific purposes. For example, the <a href=\"https:\/\/www.ccadb.org\/resources\">CCADB Resources<\/a> page includes the following lists:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Code Signing Root CAs:<\/strong> This list is curated for the express purpose of providing trusted certificates for code signing use cases.<\/li>\n\n\n\n<li><strong>Email (S\/MIME) Root CAs:<\/strong> This list is intended to verify certificates that are used for email digital signatures and encryption. 
An example is Google\u2019s <a href=\"https:\/\/support.google.com\/a\/answer\/7448393?hl=en\">List of Trusted Certificate Authorities for S\/MIME<\/a>.<\/li>\n\n\n\n<li><strong>Server Authentication Root CAs: <\/strong>This list is intended for SSL\/TLS server authentication in the SSL\/TLS handshake process in order to establish secure, encrypted connections.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">CA Lists Aren\u2019t Meant for Cross Purposes<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Why does it matter whether you\u2019re using S\/MIME roots or Server Authentication roots? According to Mozilla, <a href=\"https:\/\/blog.mozilla.org\/security\/2021\/05\/10\/beware-of-applications-misusing-root-stores\/#misuse-of-root-stores:~:text=Misuse%20of%20Root%20Stores\">root store misuse is a big concern<\/a> for several key reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Each CA on a specific list is evaluated based on set criteria for its specific usage.<\/strong> For example, S\/MIME roots have different procedures, controls, and audit criteria from those for SSL\/TLS and code signing. Using a list for a different purpose means you\u2019ll be relying on root certificates for uses they were never evaluated for.<\/li>\n\n\n\n<li><strong>Using a root store list for unintended purposes leaves you vulnerable.<\/strong> Mozilla describes misusing root stores as being \u201cno different than failing to validate a certificate at all.\u201d<\/li>\n\n\n\n<li><strong>You may wind up trusting untrusted CAs. <\/strong>An app developer who uses scripts to parse root store data may inadvertently end up trusting certificates that haven\u2019t been assessed or have been explicitly distrusted. 
Either way, it\u2019s bad news.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Mozilla instead <a href=\"https:\/\/blog.mozilla.org\/security\/2021\/05\/10\/beware-of-applications-misusing-root-stores\/#misuse-of-root-stores:~:text=Application%20developers%20must%20pay%20attention%20to%20which%20Root%20Store%20to%20use\">recommends using the certificate lists provided by the&nbsp;CCADB<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cWe strongly encourage application developers to ensure that the list of root certificates that they are using in their applications have been curated for their use case. Additionally, application developers should only use the Mozilla\/NSS root store for TLS or S\/MIME by using the links provided on the&nbsp;<\/em><a href=\"https:\/\/www.ccadb.org\/resources\"><em>CCADB Resources page<\/em><\/a><em>&nbsp;that list the certificates in the Mozilla\/NSS root store according to the trust bits (key usage) they are curated for.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">In summary: <strong>If you\u2019re going to use one of these lists, be sure to only do so for that specific list\u2019s intended uses and applications.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions (FAQs) About Lists of Certificate Authorities<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now, some of you might be new to Hashed Out or may have found this article because you\u2019re trying to learn what a certificate authority list is and how it\u2019s used. 
Knowing this, let\u2019s answer some common questions people ask about certificate authority lists.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What Is a Certificate Authority List?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A certificate authority list is a roster of publicly trusted root certificate authorities that help form the \u201cchain of trust\u201d that companies rely on to secure public and\/or private networks. They sign the issuing CAs that provide digital certificates that make authentication, encryption, and data integrity protection possible.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Root CAs are the MVPs of data security on the internet because, without them, there wouldn\u2019t be secure connections on open networks. We\u2019d still be holding clandestine face-to-face meetings to exchange private keys before we could exchange encrypted data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Web browsers, operating systems, software applications, and many other systems use lists of certificate authorities to verify whether certificates are trusted and can be relied on for validation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Do Certificate Authority Lists Contain Info on Private CAs?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Typically, when someone refers to a certificate authority list, they\u2019re talking about publicly trusted root CAs. 
I\u2019ve talked about <a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-become-a-certificate-authority\/\">public and private CAs<\/a> before, but to quickly recap:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Publicly trusted CAs provide endpoint certificates that enable you to trust third-party website connections, apps, and emails.<\/li>\n\n\n\n<li>Private CAs allow you to issue certificates for trusted devices, users, files, apps, services, and emails within your network.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">There\u2019s no reason or way to track private CAs \u2014 it\u2019s virtually impossible, impractical, and unnecessary since they\u2019re not used publicly. But organizations should have internal systems in place to track the lists of their own private PKI certificate authorities (roots and ICAs alike) as well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What Comprises a Certificate Authority List?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A certificate authority list is an inventory of root CAs and, sometimes, the intermediate CA (ICA) certificates that \u201cchain\u201d back to them. (More on <a href=\"#root-and-intermediate-cas\">root and intermediate CAs<\/a> a little later.) Together with endpoint certificates, these entities form what\u2019s known as the <a href=\"https:\/\/www.thesslstore.com\/knowledgebase\/ssl-support\/explaining-the-chain-of-trust\/\">Chain of Trust<\/a> or PKI Trust Chain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Each list of certificate authorities varies; some are relatively comprehensive, while others are pretty basic. 
But the entries in these lists typically include some or all of the following information:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The name of each certificate authority<\/li>\n\n\n\n<li>Categorization as a root or intermediate CA<\/li>\n\n\n\n<li>Certificate validity dates<\/li>\n\n\n\n<li>Serial numbers for the certificates<\/li>\n\n\n\n<li>SHA-1 and SHA-256 fingerprints<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Who Maintains These Lists?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Many individual lists of certificate authorities are maintained by the CAs themselves, while others are maintained by separate groups that decide which certificate providers to trust (i.e., Trust Stores).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">In Which Formats Are CA Lists Available?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">These lists are typically provided in privacy-enhanced mail (PEM) format, available as either a <strong>.txt<\/strong> or <strong>.csv<\/strong> file. These files typically contain a bunch of gibberish-looking data book-ended between header and footer lines (e.g., <em>-----BEGIN CERTIFICATE-----<\/em> and <em>-----END CERTIFICATE-----<\/em>), much like what you see when you generate a certificate signing request (CSR).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What Qualifies a CA for Inclusion in a Certificate Authority List?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For inclusion in a specific Trust Store\u2019s list of trusted certificate authorities, the answer depends on the provider. 
For example, <a href=\"https:\/\/www.chromium.org\/Home\/chromium-security\/root-ca-policy\/\">Google Chrome\u2019s Root Program Policy<\/a> states that CA certificates must meet certain qualifiers to be included in its Root Store:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cThe selection and ongoing inclusion of CA certificates is done to enhance the security of Chrome and promote interoperability. CA certificates that do not provide a broad service to all browser users will not be added to, or may be removed from the Chrome Root Store. CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Regarding CCADB participation, CA Owners may be required to submit their information to the database by the policy requirements of Trust Stores such as Chrome or Firefox. The database contains a comprehensive record of both root and intermediate certificate authorities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How Often Are These Lists Updated?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The answer varies. 
For example, the <a href=\"https:\/\/www.ccadb.org\/policy\">CCADB\u2019s Policy<\/a> specifies that a CA must update its subordinate CA information within seven calendar days if a certificate is revoked or there are other changes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regarding the root certificates, Trust Store Operators must first verify data before a <a href=\"https:\/\/www.ccadb.org\/cas\/updates\">root CA can be changed or revoked<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"root-and-intermediate-cas\">What Are Intermediate and Root CAs?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Root CAs are at the heart of <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-pki-a-crash-course-on-public-key-infrastructure-pki\/\">public key infrastructure<\/a>. Without them, it simply wouldn\u2019t exist. ICAs serve as a buffer between those roots and the endpoint certificates you use to secure your website, users, devices, etc.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A root CA issues an ICA, which then issues endpoint certificates. 
This process creates a crucial layer of separation between the root and the end-entity certificates you install on web servers and other devices.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s consider the SSL\/TLS certificate we use here at TheSSLStore.com to secure our website:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"437\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/root-ca-intermediate-ca-endpoint-certificate-shadow-1024x437.jpg\" alt=\"A compilation of 3 screenshots showing the certificate relationships within a trust chain\" class=\"wp-image-17935\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/root-ca-intermediate-ca-endpoint-certificate-shadow-1024x437.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/root-ca-intermediate-ca-endpoint-certificate-shadow-300x128.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/root-ca-intermediate-ca-endpoint-certificate-shadow-768x328.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/root-ca-intermediate-ca-endpoint-certificate-shadow-1536x655.jpg 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/root-ca-intermediate-ca-endpoint-certificate-shadow.jpg 1664w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A series of screenshots from a digital certificate that shows the root CA (left), intermediate CA (middle), and end entity certificate (right).<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In this case, the certificate on our site (labeled thesslstore.com) \u201cchains\u201d back to the intermediate CA certificate (DigiCert EV RSA CA G2) that issued it. That subordinate CA then \u201cchains\u201d back to the root CA (DigiCert Global Root G2) that digitally signed it. 
The following screenshot illustrates this so-called \u201cChain of Trust\u201d:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s a breakdown of how this hierarchical relationship works and which certificate is responsible for signing each component of the trust chain:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"365\" height=\"341\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/trust-chain-path-example.png\" alt=\"Chain of trust (i.e., trust chain, certificate trust chain, certificate chain of trust, etc.) example \" class=\"wp-image-17936\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/trust-chain-path-example.png 365w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/07\/trust-chain-path-example-300x280.png 300w\" sizes=\"auto, (max-width: 365px) 100vw, 365px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: An illustration that shows the relationships between the CAs in a trust certificate hierarchy.<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">How Often Are Intermediates and Roots Created &amp; Updated?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The answers vary based on the CA. I reached out to <a href=\"https:\/\/www.digicert.com\/blog\/author\/corey-bonnell\">Corey Bonnell<\/a>, Industry Technology Strategist at <a href=\"https:\/\/www.digicert.com\/\">DigiCert<\/a> for more specifics:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cGenerally, new roots are created every few years before the expiration of existing root certificates to ensure that new roots gain ubiquity prior to being used for issuance. The frequency of issuance for intermediates varies between CAs. 
For some smaller CAs, intermediate CA creation might be done less than once a year, whereas for larger CAs (such as DigiCert), new intermediates are created every week.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Interesting. So, are there any specific industry requirements or limitations impacting this? Bonnell says not now, but that may change in the future:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cThe CA\/Browser Forum currently has no policies on root\/intermediate CA creation frequency, but several browser root program representatives have stated that they intend to limit the period where specific root certificates are trusted. When formal policies are put in place that restrict the lifetime, the frequency of root CA creation will increase.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">Shorter ICA Lifespans = Reduced Exposure Risks<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The idea is that shortening an ICA\u2019s lifecycle means better security, as there is less exposure in the event of a key compromise.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In one sense, that\u2019s true. The thought is that by having shorter ICA lifespans, you reduce the extent of the damage you\u2019d suffer from said compromise because its private key wouldn\u2019t be in use as long. However, the reality is that it doesn\u2019t matter whether your ICA is valid for a few months or three years \u2014 if it gets compromised, there will be repercussions regardless.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The only way to ensure that your ICA (or any digital certificate, for that matter) doesn\u2019t become compromised is to properly secure your network and servers and adhere to private key and certificate management industry standards and best practices. 
For example, safeguard your private keys by storing them securely using <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-hardware-security-module-hsms-explained\/\">hardware security modules (HSMs)<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Bonnell suggests that the impact of ICA compromises can be reduced by implementing \u201crobust key destruction or archiving controls\u201d for CA keys. We\u2019ve seen an industry move toward shortening the lifespan of ICA keys. For example, the CA\/B Forum\u2019s <a href=\"https:\/\/cabforum.org\/2024\/07\/01\/ballots-csc-25-and-csc-26\/#csc-26\">Code Signing Certificate Working Group (CSCWG) draft ballot (CSC-26)<\/a> aims to require CAs to destroy or archive Timestamp Authority (TSA) private keys after 18 months.<\/p>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-notice is-variation-info has-icon\" data-type=\"info\"><p class=\"wp-block-advanced-gutenberg-blocks-notice__title\">Want to Learn More?<\/p><p class=\"wp-block-advanced-gutenberg-blocks-notice__content\"><strong>Related<\/strong>: <a href=\"https:\/\/www.thesslstore.com\/blog\/pki-management-private-key-certificate-lifecycle-management-best-practices\/\">PKI Management: Private Key &amp; Certificate Lifecycle Management Best Practices<\/a><\/p><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">What\u2019s the Difference Between a Certificate Authority List and a Certificate Revocation List?<\/h3>\n\n\n\n<p 
class=\"wp-block-paragraph\">Is a certificate authority list the same as a <a href=\"https:\/\/www.thesslstore.com\/blog\/crl-explained-what-is-a-certificate-revocation-list\/\">certificate revocation list (CRL)<\/a>? No. Although both have the words \u201ccertificate\u201d and \u201clist\u201d in their names, these lists serve different purposes.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>certificate authority list<\/strong> is generally a centralized log of entities that form the trust chains publicly trusted endpoint certificates rely on.<\/li>\n\n\n\n<li>A <strong>CRL<\/strong> is a list of certificates that have been revoked by those CAs prior to their expiration dates. (This can include endpoint certificates and ICAs but not roots.) This is something that gets shared with a user\u2019s connecting browser. Each publicly trusted CA must <a href=\"https:\/\/cabforum.org\/2023\/07\/14\/ballot-sc-063-v4-make-ocsp-optional-require-crls-and-incentivize-automation\/\">host its own certificate revocation list<\/a>, making the <a href=\"https:\/\/www.thesslstore.com\/blog\/ocsp-vs-crl-what-each-is-why-browsers-prefer-one-over-the-other\/\">online certificate status protocol (OCSP)<\/a> revocation indicator method optional.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><em>How do you use certificate authority lists within your development processes and network? 
Share your thoughts in the comments below.<\/em><\/p>\n","protected":false}}