Skip to content

kirei/catt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Certification Authority Trust Tracker

What is CATT?

CATT (Certification Authority Trust Tracker) is a collection of scripts and data to track which certification authorities are trusted by various root CA programs.

Publishing Trusted Root Certificates

The CATT project urge root certificate program managers to publish the following information:

  • All currently approved and trusted root certificates. The preferred publishing format is X.509 certificates encoded as PEM or DER, but other formats may be usable as well (e.g., Mozilla certdata as mentioned above). Note that publishing certificate fingerprints is not enough - we do need the actual certificate.

  • All currently approved and trusted Extended Validation OIDs together with each corresponding issuing CA fingerprint.

We strongly recommend that the data above is published at a stable long-term URL, in order to be able to fetch the data automatically.

Trust Sources

Apple

Root certificates extracted using extract-osx-trust.sh and and split into files using split-bundle.pl. EV OIDs extracted using extract-osx-ev-pl.

  • Root CA: /System/Library/Keychains/SystemRootCertificates.keychain
  • EV status: /System/Library/Keychains/EVRoots.plist

Apple publish a list of trusted root certificates for iOS, but as this list does not include full certificate data (including public keys) it cannot be used by CATT.

Mozilla

Root certificates fetched using mk-ca-bundle.pl and split into files using split-bundle.pl. EV OIDs extracted using extract-mozilla-ev.py.

More information:

Microsoft

Root certificate metadata is fetched using fetch-microsoft-authroot.sh, producing a JSON file called authroot.json. Actual root certificates fetched using the contents of the JSON file by fetch-microsoft-certs.sh. EV OIDs are not yet extracted.

A ancient snapshot of trusted root certificates can also be found in xfiles/microsoft-2012-12.xlsx.

Oracle Java SE

Root certificates extracted from the Java keystore using extract-java-trust.pl.

About

Certification Authority Trust Tracker

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •