Mozilla CA Certificate List (Unofficial)

This is a unofficial working document maintained in connection with evaluating CA requests to have certificates pre-loaded into Firefox and related Mozilla-based software. This document reflects the personal knowledge and opinions of the author; it is not an official publication of the Mozilla Foundation. The document is also incomplete: in particular, it does not contain information on "legacy" CAs already pre-loaded into Mozilla-based software prior to Firefox 1.0.

Please post comments, questions, and corrections to the newsgroup or the corresponding dev-tech-crypto mailing list, or send them to the document author, Frank Hecker.

When distributing Mozilla and related software the Mozilla Foundation includes with such software a default set of X.509v3 certificates for various Certification Authorities (CAs). The certificates included by default are marked as being "trusted" for various purposes, so that Mozilla can use them automatically to verify certificates for SSL servers, S/MIME email users, etc., without having to ask Mozilla users for further permission or information.

The table below provides information about CAs whose certificates are included in Mozilla, including

CA Status Related Bugs Documents Audits Certificate(s) Trusted for CRL(s) OCSP Service URL(s) and Signer Certificate
ACCV Pending 274100 To be provided? ACCV Root CA All? ACCV Root CA CRL (OCSP service certificate
CAcert Pending 215243 To be provided? CAcert Root CA All CAcert Root CA CRL
Camerfirma Approved 261778, 275576 Chambers of Commerce Root CA All Chambers of Commerce Root CA CRL (subrdinate CAs: AC Camerfirma Express Corporate Server CA CRL, AC Camerfirma Certificados Camerales CA CRL)
Global Chambersign CA All Global Chambersign Root CA CRL (subordinate CAs: AC Camerfirma CA CRL, RACER CA CRL)
Certipost E-Trust Pending 239488 TBD TBD TBD TBD TBD
Comodo Approved 249710, 252132 WebTrust Audit Report and Management Assertions AAACertificateServices All AAACertificateServices CRL Not supported
SecureCertificateServices All SecureCertificateServices CRL
TrustedCertificateServices All TrustedCertificateServices CRL
DFN-PCA (part of DFN-CERT) Pending 239485 DFN-PCA: World Wide Web Policy (combined Certificate Policy and CPS, available in German only) Not independently audited (?) DFN Top-Level CA All? (To be supplied) Not supported (?)
Deutscher Sparkassen Verlag GmbH (DSV) / S-TRUST Pending 295756 TBD Not independently audited (?) (To be supplied) All? (To be supplied) Not supported (?)
DIGICERT Sdn Bhd (Malaysia) Pending 304736 Audit status unknown Class 1 Root CA SSL (?), S/MIME ? ?
Class 2 Root CA SSL, S/MIME ? ?
DigiNotar Pending ?????? Certificate of compliance with ETSI TS 101 456 (audited by PriceWaterhouseCoopers) Root CA All TBD TBD
ESnet Pending 250351 Not independently audited (?) ESnet Root CA All ESnet Root CA CRL Not supported (?)
Firmaprofesional Approved 342426, 343662 Informe de Auditoría Independentiente a los Administradores de Firmaprofesional SA (WebTrust audit report, available in Spanish only) CA Raíz (Root CA) All? CA Raíz (Root CA) CRL Not supported (?)
GeoTrust (add new roots) Approved 294916, 347883 WebTrust audit report and management assertions (audited by Ernst & Young) Universal CA All Geotrust CRLs Not at present
Global CA2 All
Universal CA2 All
G-CA Pending TBD ? ? ? SSL, S/MIME? ? ?
Go Daddy Approved 284677, 287495 WebTrust for CAs Independent Accountants' Report and Management Assertions Go Daddy Class 2 CA All Not yet operational TBD
Starfield Class 2 CA All Not yet operational
GRCA Approved 274106, 341022 GRCA WebTrust audit report GRCA All GRCA CRL Not supported (?)
ipsCA Approved 232695, 244982 WebTrust Spain Independent Audit Report (Spanish only) IPS Servidores SSL, S/MIME IPS Servidores CRL Not supported (?)
ips CAC All ips CAC CRL (not yet operational)
ips CLASE1 All ips CLASE1 CRL (not yet operational)
ips CLASE3 All ips CLASE3 CRL (not yet operational)
ips CLASEA1 All ips CLASEA1 CRL (not yet operational)
ips CLASEA3 All ips CLASEA3 CRL (not yet operational)
ips Timestamping All ips Timestamping CRL (not yet operational)
Korea Information Security Agency (KISA) Pending 335197 TBD RSA1 All? RSA1 CRL TBD
Wireless RSA All? Wireless RSA CRL
Microsec Ltd Pending 308546 TBD TBD TBD TBD TBD TBD
NetLock Approved 279728, 280744 "Independent Professional Certificate Authority (Technical and Procedural) Control Report", by Ernst & Young (pages 1, 2, and 3 scanned from paper originals) NetLock Qualified (Class QA) Root CA S/MIME, object signing NetLock Qualified (Class QA) Root CA CRL Not supported
NetLock Notary (Class A) Root CA All NetLock Notary (Class A) Root CA CRL
NetLock Business (Class B) Root CA All NetLock Business (Class B) Root CA CRL
NetLock Express (Class C) Root CA All NetLock Express (Class C) Root CA CRL
QuoVadis Approved (Root CA only) 238381, 261375 QuoVadis Root Ca All QuoVadis Root CRL Not supported
QuoVadis Issuing CA 2 All QuoVadis ICA2 CRL
SECOM Approved (Security Communication RootCA1 only) 260259, 261379 WebTrust Audit Report and Management's Assertions SECOM Root1 CA All SECOM Root1 CRL Not supported
Security Communication RootCA1 All Security Communication RootCA1 CRL Not supported
SecureNet Certificates Pending 270682 Listed in the WebTrust sites with seals list SecureNet Class B CA All? SecureNet Class B CRL Not supported?
Sonera Approved 260484, 261373 WebTrust Audit Report and Management Assertions Sonera Class 1 CA S/MIME Sonera Class 1 CRL Not supported
Sonera Class 2 CA All Sonera Class 2 CRL
Staat der Nederlanden Approved 243424, 261374 WebTrust Audit Report and Management Assertions Staat der Nederlanden Root CA All Not supported
StartCom Approved 289077, 338552 Independent Audit Report, December 14, 2005, by We! Consulting Group StartCom Root CA SSL, S/MIME StartCom Root CA CRL (intermediate CA CRLs are also available) Yes (see FAQ)
Swisscom Approved 342470, 347880 Evaluated according to ETSI TS 101 456 by KPMG under the auspices of the Swiss Accreditation Service; for more information see the Directory of the certified bodies conform[ing] to SR 943.032.1, ETSI TS 101.456 and ANSI X9.79 (PKI) Swisscom Root CA All Swisscom Root CA CRL; see the Swisscom download page for intermediate CA CRLs ("Liste der ungültig erklärten Zertifikate") TBD
SwissSign Pending 343756 TBD SwissSign Root CA (import page) All TBD TBD
T-Systems Pending 275583
  • To be supplied
  • To be supplied
Deutsche Telekom Root CA 1 All Deutsche Telekom Root CA 1 CRL Not supported
Deutsche Telekom Root CA 2 All Deutsche Telekom Root CA 2 CRL
TC TrustCenter Pending 179716 May be covered under the WebTrust audit for BeTrusted since being acquired; need confirmation TC TrustCenter Class 1 CA SSL TC TrustCenter Class 1 CRL Not supported (?)
TC TrustCenter Class 2 CA SSL TC TrustCenter Class 2 CRL
TC TrustCenter Class 3 CA SSL TC TrustCenter Class 3 CRL
TC TrustCenter Class 4 CA SSL TC TrustCenter Class 4 CRL
TDC Approved 204839, 271551
  • WebTrust audit report
  • Also audited under the auspices of the Danish National IT and Telecom Agency (reports not available online?)
TDC OCES CA All TDC OCES CRL Not yet supported
TDC Internet Root CA All TDC Internet Root CA CRL
Trustis Pending 324126 Trustis FPS Root CA All? Trustis FPS Root CA CRL TBD
Unizeto CERTUM CA Approved 167572, 242040 WebTrust for Certification Authorities Audit Report CERTUM root All Root CRL
(Certum Validation Service)
CERTUM Level I All Level I CRL
CERTUM Level II All Level II CRL
CERTUM Level IV All Level IV CRL
USERTrust Approved 242610, 271585 CAs acquired by Comodo, see Comodo audit information UTN-USERFirst-Client Authentication and Email S/MIME UTN-USERFirst-Client Authentication and Email CRL Not supported
UTN-USERFirst-Hardware SSL UTN-USERFirst-Hardware CRL
UTN-USERFirst-Object Object signing UTN-USERFirst-Object CRL
Wells Fargo Pending 342996 WebTrust audit report and management's assertions (audited by KPMG) Wells Fargo Root CA All Wells Fargo Root CA CRL TBD
XRamp Approved 273189, 274723 WebTrust audit report and management's assertions XRamp Global CA All XRamp Global CA CRL Not supported?

Version 0.45, August 8, 2006. Marked GeoTrusti and Swisscom as approved.

Version 0.44, August 4, 2006. Updated information for Geotrust.

Version 0.43, July 6, 2006. Added entry for SwissSign.

Version 0.42, July 5, 2006. Added entry for Trustis.

Version 0.41, July 5, 2006. Modified entry for Swisscom (added previously). Approved Firmaprofesional. Updated bug numbers for GRCA and StartCom.

Version 0.40, June 28, 2006. Added entry for Wells Fargo.

Version 0.39, June 22, 2006. Added entries for Firmaprofesional and KISA.

Version 0.38, June 9, 2006. Marked GRCA as approved, added entry for DigiNotar.

Version 0.37, June 7, 2006. Edited entry for GRCA, added entry for new GeoTrust CAs.

Version 0.36, May 24, 2006. Marked Startcom as approved. Added internal links for all entries.

Version 0.35, May 1, 2006. Updated entry for StartCom.

Version 0.34, March 22, 2006. Added WebTrust info for Quo Vadis.

Version 0.33, February 18, 2006. Correct newsgroup and mailing list names.

Version 0.32, January 25, 2006. Updated information for StartCom.

Version 0.31, August 15, 2005. Added entries for Digicert Sdn. Bhd. (Malaysia) (not to be confused with DigiCert Inc.), G-CA (Thailand), StartCom (Israel). Updated entries for DSV/S-TRUST, GRCA.

Version 0.30, May 26, 2005. Added entry for CAcert.

Version 0.29, April 12, 2005. Changed trust bits for various UTN CAs to match what was actually set.

Version 0.28, March 23, 2005. Approved Go Daddy.

Version 0.27, March 22, 2005. Added entries for Go Daddy and Certipost E-Trust.

Version 0.26, February 2, 2005. Approved NetLock.

Version 0.25, January 28, 2005. Added links to NetLock audit report.

Version 0.24, January 25, 2005. Added entry for NetLock.

Version 0.23, December 21, 2004. Approved Camerfirma, added entry for T-Systems.

Version 0.22, December 15, 2004. Approved XRamp, changed entry for Camerfirma to change trust bits and add OCSP information and CRLs for subordinate CAs.

Version 0.21, December 10, 2004. Added entries for ACCV, Camerfirma, GRCA, and XRamp.

Version 0.20, November 29, 2004. Added entry for SecureNet Certificates.

Version 0.19, November 24, 2004. Approved USERTrust, fixed URL for its CPS.

Version 0.18, November 24, 2004. Approved TDC.

Version 0.17, October 27, 2004. Updated documents and data for TDC OCES.

Version 0.16, October 20, 2004. Added USERTrust. Corrected information for DFN-PCA.

Version 0.15, September 28, 2004. Updated information for SECOM

Version 0.14, September 24, 2004. Marked QuoVadis, SECOM, Sonera, and Staat der Nederlanden as approved and added references to the appropriate bugs. Also added a CRL URL for Staat der Nederlanden.

Version 0.13, September 23, 2004. Updated Sonera Class 1 CA to mark as trusted only for identifiying S/MIME email users, and fixed HTML errors preventing validation as HTML 4.01 Strict.

Version 0.12, September 23, 2004. Marked Sonera Class 1 and 2 CAs as trusted for all purposes, fixed link for Sonera CRL.

Version 0.11, September 22, 2004. Added DFN-PCA, Sonera, and Staat der Nederlanden (The Netherlands).

Version 0.10, September 18, 2004. Really marked Comodo as approved, and added SECOM

Version 0.9, August 4, 2004. Marked Comodo as approved, and added Additional bugs for Comodo and ipsCA.

Version 0.8, July 16, 2004. Added CRLs for Comodo. Fixed odd/even marking of table rows.

Version 0.7, July 8, 2004. Added ESnet.

Version 0.6, July 3, 2004. Added Comodo Group.

Version 0.5, May 27, 2004. Marked ipsCA as approved.

Version 0.4, May 11, 2004. Added new entries for ipsCA and QuoVadis.

Version 0.3, May 9, 2004. Modified entry for Unizeto to add new bug, added new entries for TC TrustCenter and TDC, added status field.

Version 0.2, April 26, 2004. Added new columns for CRL, OCSP, and trust information, and changed format of table.

Version 0.1, April 16, 2004. Initial draft to test format.