aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKyle Evans <kevans@FreeBSD.org>2020-09-02 12:57:34 +0000
committerKyle Evans <kevans@FreeBSD.org>2020-09-02 12:57:34 +0000
commit8e0dc55e68e2222f703e2d0149d74278eb8ce532 (patch)
treec9e30a79fc0d94ebdd088c08aa26e7cdc753a518
parentd14897f960ed0bc4d65e67d7a40f10fd89651d16 (diff)
downloadsrc-8e0dc55e68e2222f703e2d0149d74278eb8ce532.tar.gz
src-8e0dc55e68e2222f703e2d0149d74278eb8ce532.zip
caroot: properly remove old distrusted roots
The proper procedure was not followed in r364943; all of these that were deleted should have instead been moved over to the blacklist so that certctl can DTRT. Users must still `certctl rehash` after this, but this should generally be done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note that freebsd-update doesn't come into play for this particular update, as these have not yet made it into a release. Future work (after svn -> git) will likely change the script that updatecert invokes to facilitate the process, rather than trusting that kevans or whomever updates in the future will remember. Reported by: Helge Oldach <freebsd oldach net> MFC after: 3 days
Notes
Notes: svn path=/head/; revision=365248
-rw-r--r--secure/caroot/blacklisted/AddTrust_External_Root.pem99
-rw-r--r--secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem98
-rw-r--r--secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem141
-rw-r--r--secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem137
-rw-r--r--secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem68
-rw-r--r--secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem68
-rw-r--r--secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem87
7 files changed, 698 insertions, 0 deletions
diff --git a/secure/caroot/blacklisted/AddTrust_External_Root.pem b/secure/caroot/blacklisted/AddTrust_External_Root.pem
new file mode 100644
index 000000000000..701bc7bce072
--- /dev/null
+++ b/secure/caroot/blacklisted/AddTrust_External_Root.pem
@@ -0,0 +1,99 @@
+##
+## AddTrust External Root
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## Extracted from nss
+## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
+ Validity
+ Not Before: May 30 10:48:38 2000 GMT
+ Not After : May 30 10:48:38 2020 GMT
+ Subject: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed:
+ 1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97:
+ a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f:
+ cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db:
+ 2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70:
+ 56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6:
+ 5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e:
+ 87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c:
+ 71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8:
+ 69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df:
+ ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee:
+ 6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94:
+ 37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8:
+ 45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7:
+ c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7:
+ a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65:
+ b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34:
+ 5a:27
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
+ DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
+ serial:01
+
+ Signature Algorithm: sha1WithRSAEncryption
+ b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9:
+ 84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41:
+ 6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5:
+ bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2:
+ de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51:
+ 14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85:
+ 93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a:
+ 63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b:
+ a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4:
+ 45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9:
+ 91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e:
+ 8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76:
+ 60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20:
+ 0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7:
+ 8f:4e:86:04
+SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
+-----BEGIN CERTIFICATE-----
+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
+-----END CERTIFICATE-----
diff --git a/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem b/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
new file mode 100644
index 000000000000..0595db909a49
--- /dev/null
+++ b/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
@@ -0,0 +1,98 @@
+##
+## AddTrust Low-Value Services Root
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## Extracted from nss
+## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root
+ Validity
+ Not Before: May 30 10:38:31 2000 GMT
+ Not After : May 30 10:38:31 2020 GMT
+ Subject: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:96:96:d4:21:49:60:e2:6b:e8:41:07:0c:de:c4:
+ e0:dc:13:23:cd:c1:35:c7:fb:d6:4e:11:0a:67:5e:
+ f5:06:5b:6b:a5:08:3b:5b:29:16:3a:e7:87:b2:34:
+ 06:c5:bc:05:a5:03:7c:82:cb:29:10:ae:e1:88:81:
+ bd:d6:9e:d3:fe:2d:56:c1:15:ce:e3:26:9d:15:2e:
+ 10:fb:06:8f:30:04:de:a7:b4:63:b4:ff:b1:9c:ae:
+ 3c:af:77:b6:56:c5:b5:ab:a2:e9:69:3a:3d:0e:33:
+ 79:32:3f:70:82:92:99:61:6d:8d:30:08:8f:71:3f:
+ a6:48:57:19:f8:25:dc:4b:66:5c:a5:74:8f:98:ae:
+ c8:f9:c0:06:22:e7:ac:73:df:a5:2e:fb:52:dc:b1:
+ 15:65:20:fa:35:66:69:de:df:2c:f1:6e:bc:30:db:
+ 2c:24:12:db:eb:35:35:68:90:cb:00:b0:97:21:3d:
+ 74:21:23:65:34:2b:bb:78:59:a3:d6:e1:76:39:9a:
+ a4:49:8e:8c:74:af:6e:a4:9a:a3:d9:9b:d2:38:5c:
+ 9b:a2:18:cc:75:23:84:be:eb:e2:4d:33:71:8e:1a:
+ f0:c2:f8:c7:1d:a2:ad:03:97:2c:f8:cf:25:c6:f6:
+ b8:24:31:b1:63:5d:92:7f:63:f0:25:c9:53:2e:1f:
+ bf:4d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B
+ DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
+ serial:01
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 2c:6d:64:1b:1f:cd:0d:dd:b9:01:fa:96:63:34:32:48:47:99:
+ ae:97:ed:fd:72:16:a6:73:47:5a:f4:eb:dd:e9:f5:d6:fb:45:
+ cc:29:89:44:5d:bf:46:39:3d:e8:ee:bc:4d:54:86:1e:1d:6c:
+ e3:17:27:43:e1:89:56:2b:a9:6f:72:4e:49:33:e3:72:7c:2a:
+ 23:9a:bc:3e:ff:28:2a:ed:a3:ff:1c:23:ba:43:57:09:67:4d:
+ 4b:62:06:2d:f8:ff:6c:9d:60:1e:d8:1c:4b:7d:b5:31:2f:d9:
+ d0:7c:5d:f8:de:6b:83:18:78:37:57:2f:e8:33:07:67:df:1e:
+ c7:6b:2a:95:76:ae:8f:57:a3:f0:f4:52:b4:a9:53:08:cf:e0:
+ 4f:d3:7a:53:8b:fd:bb:1c:56:36:f2:fe:b2:b6:e5:76:bb:d5:
+ 22:65:a7:3f:fe:d1:66:ad:0b:bc:6b:99:86:ef:3f:7d:f3:18:
+ 32:ca:7b:c6:e3:ab:64:46:95:f8:26:69:d9:55:83:7b:2c:96:
+ 07:ff:59:2c:44:a3:c6:e5:e9:a9:dc:a1:63:80:5a:21:5e:21:
+ cf:53:54:f0:ba:6f:89:db:a8:aa:95:cf:8b:e3:71:cc:1e:1b:
+ 20:44:08:c0:7a:b6:40:fd:c4:e4:35:e1:1d:16:1c:d0:bc:2b:
+ 8e:d6:71:d9
+SHA1 Fingerprint=CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D
+-----BEGIN CERTIFICATE-----
+MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3
+b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw
+MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML
+QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD
+VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul
+CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n
+tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl
+dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch
+PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC
++Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O
+BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl
+MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk
+ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB
+IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X
+7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz
+43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY
+eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl
+pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA
+WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk=
+-----END CERTIFICATE-----
diff --git a/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem b/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
new file mode 100644
index 000000000000..9b1aa35e7037
--- /dev/null
+++ b/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
@@ -0,0 +1,141 @@
+##
+## LuxTrust Global Root 2
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## Extracted from nss
+## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = LU, O = LuxTrust S.A., CN = LuxTrust Global Root 2
+ Validity
+ Not Before: Mar 5 13:21:57 2015 GMT
+ Not After : Mar 5 13:21:57 2035 GMT
+ Subject: C = LU, O = LuxTrust S.A., CN = LuxTrust Global Root 2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (4096 bit)
+ Modulus:
+ 00:d7:85:97:bf:11:98:e9:f0:62:83:4c:3c:87:f9:
+ 53:6a:37:0b:f2:0f:3c:87:ce:6f:dc:26:29:bd:c5:
+ 89:ba:c9:83:3d:f7:ee:ca:5b:c6:6d:49:73:b4:c9:
+ 46:a3:1b:34:13:3f:c1:89:45:57:f4:d9:b1:fb:36:
+ 65:4b:fb:08:e2:48:71:11:c8:6e:3b:9e:9d:df:89:
+ 65:37:a6:85:f6:3b:44:18:b6:c6:37:30:62:44:92:
+ 97:69:7d:42:30:24:e4:0d:0c:89:6b:63:de:c5:e1:
+ df:4e:a9:14:6c:53:e0:61:ce:f6:17:2f:1d:3c:bd:
+ e6:22:4c:1d:93:f5:10:c4:a1:76:ec:6a:de:c5:6c:
+ df:96:b4:56:40:42:c0:62:92:30:a1:2d:15:94:a0:
+ d2:20:06:09:6e:6a:6d:e5:eb:b7:be:d4:f0:f1:15:
+ 7c:8b:e6:4e:ba:13:cc:4b:27:5e:99:3c:17:5d:8f:
+ 81:7f:33:3d:4f:d3:3f:1b:ec:5c:3f:f0:3c:4c:75:
+ 6e:f2:a6:d5:9d:da:2d:07:63:02:c6:72:e9:94:bc:
+ 4c:49:95:4f:88:52:c8:db:e8:69:82:f8:cc:34:5b:
+ 22:f0:86:a7:89:bd:48:0a:6d:66:81:6d:c8:c8:64:
+ fb:01:e1:f4:e1:de:d9:9e:dd:db:5b:d4:2a:99:26:
+ 15:1b:1e:4c:92:29:82:9e:d5:92:81:92:41:70:19:
+ f7:a4:e5:93:4b:bc:77:67:31:dd:1c:fd:31:70:0d:
+ 17:99:0c:f9:0c:39:19:2a:17:b5:30:71:55:d5:0f:
+ ae:58:e1:3d:2f:34:9b:cf:9f:f6:78:85:c2:93:7a:
+ 72:3e:66:8f:9c:16:11:60:8f:9e:89:6f:67:be:e0:
+ 47:5a:3b:0c:9a:67:8b:cf:46:c6:ae:38:a3:f2:a7:
+ bc:e6:d6:85:6b:33:24:70:22:4b:cb:08:9b:bb:c8:
+ f8:02:29:1d:be:20:0c:46:bf:6b:87:9b:b3:2a:66:
+ 42:35:46:6c:aa:ba:ad:f9:98:7b:e9:50:55:14:31:
+ bf:b1:da:2d:ed:80:ad:68:24:fb:69:ab:d8:71:13:
+ 30:e6:67:b3:87:40:fd:89:7e:f2:43:d1:11:df:2f:
+ 65:2f:64:ce:5f:14:b9:b1:bf:31:bd:87:78:5a:59:
+ 65:88:aa:fc:59:32:48:86:d6:4c:b9:29:4b:95:d3:
+ 76:f3:77:25:6d:42:1c:38:83:4d:fd:a3:5f:9b:7f:
+ 2d:ac:79:1b:0e:42:31:97:63:a4:fb:8a:69:d5:22:
+ 0d:34:90:30:2e:a8:b4:e0:6d:b6:94:ac:bc:8b:4e:
+ d7:70:fc:c5:38:8e:64:25:e1:4d:39:90:ce:c9:87:
+ 84:58:71
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Certificate Policies:
+ Policy: 1.3.171.1.1.1.10
+ CPS: https://repository.luxtrust.lu
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Authority Key Identifier:
+ keyid:FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3
+
+ X509v3 Subject Key Identifier:
+ FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3
+ Signature Algorithm: sha256WithRSAEncryption
+ 6a:19:14:ed:6e:79:c1:2c:87:d4:0d:70:7e:d7:f6:78:c9:0b:
+ 04:4e:c4:b1:ce:93:70:fe:b0:54:c0:32:cd:99:30:64:17:bf:
+ 0f:e5:e2:33:fd:07:36:40:72:0e:1a:b6:6a:59:d6:00:e5:68:
+ 20:dd:2e:72:0d:1f:6a:64:31:20:84:7d:49:a6:5a:37:eb:45:
+ c9:85:f5:d4:c7:17:99:07:e6:9b:55:e4:0c:e8:a9:b4:ce:8c:
+ 5b:b5:11:5c:cf:8a:0e:0d:d6:ac:77:81:fe:32:9c:24:9e:72:
+ ce:54:f3:d0:6f:a2:56:d6:ec:c3:37:2c:65:58:be:57:00:1a:
+ f2:35:fa:eb:7b:31:5d:c2:c1:12:3d:96:81:88:96:89:c1:59:
+ 5c:7a:e6:7f:70:34:e7:83:e2:b1:e1:e1:b8:58:ef:d4:95:e4:
+ 60:9c:f0:96:97:72:8c:eb:84:02:2e:65:8f:a4:b7:d2:7f:67:
+ dd:c8:d3:9e:5c:aa:a9:a4:a0:25:14:06:9b:ec:4f:7e:2d:0b:
+ 7f:1d:75:f1:33:d8:ed:ce:b8:75:6d:3e:5b:b9:98:1d:31:0d:
+ 56:d8:43:0f:30:91:b2:04:6b:dd:56:be:95:80:55:67:be:d8:
+ cd:83:d9:18:ee:2e:0f:86:2d:92:9e:70:13:ec:de:51:c9:43:
+ 78:02:a5:4d:c8:f9:5f:c4:91:58:46:16:77:5a:74:aa:40:bc:
+ 07:9f:30:b9:b1:f7:12:17:dd:e3:ff:24:40:1d:7a:6a:d1:4f:
+ 18:0a:aa:90:1d:eb:40:1e:df:a1:1e:44:92:10:9a:f2:8d:e1:
+ d1:4b:46:9e:e8:45:42:97:ea:45:99:f3:ec:66:d5:02:fa:f2:
+ a6:4a:24:aa:de:ce:b9:ca:f9:3f:93:6f:f9:a3:ba:ea:a5:3e:
+ 99:ad:fd:ff:7b:99:f5:65:ee:f0:59:28:67:d7:90:95:a4:13:
+ 84:a9:84:c1:e8:ce:ce:75:93:63:1a:bc:3c:ea:d5:64:1f:2d:
+ 2a:12:39:c6:c3:5a:32:ed:47:91:16:0e:bc:38:c1:50:de:8f:
+ ca:2a:90:34:1c:ee:41:94:9c:5e:19:2e:f8:45:49:99:74:91:
+ b0:04:6f:e3:04:5a:b1:ab:2a:ab:fe:c7:d0:96:b6:da:e1:4a:
+ 64:06:6e:60:4d:bd:42:4e:ff:78:da:24:ca:1b:b4:d7:96:39:
+ 6c:ae:f1:0e:aa:a7:7d:48:8b:20:4c:cf:64:d6:b8:97:46:b0:
+ 4e:d1:2a:56:3a:a0:93:bd:af:80:24:e0:0a:7e:e7:ca:d5:ca:
+ e8:85:55:dc:36:2a:e1:94:68:93:c7:66:72:44:0f:80:21:32:
+ 6c:25:c7:23:80:83:0a:eb
+SHA1 Fingerprint=1E:0E:56:19:0A:D1:8B:25:98:B2:04:44:FF:66:8A:04:17:99:5F:3F
+-----BEGIN CERTIFICATE-----
+MIIFwzCCA6ugAwIBAgIUCn6m30tEntpqJIWe5rgV0xZ/u7EwDQYJKoZIhvcNAQEL
+BQAwRjELMAkGA1UEBhMCTFUxFjAUBgNVBAoMDUx1eFRydXN0IFMuQS4xHzAdBgNV
+BAMMFkx1eFRydXN0IEdsb2JhbCBSb290IDIwHhcNMTUwMzA1MTMyMTU3WhcNMzUw
+MzA1MTMyMTU3WjBGMQswCQYDVQQGEwJMVTEWMBQGA1UECgwNTHV4VHJ1c3QgUy5B
+LjEfMB0GA1UEAwwWTHV4VHJ1c3QgR2xvYmFsIFJvb3QgMjCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBANeFl78RmOnwYoNMPIf5U2o3C/IPPIfOb9wmKb3F
+ibrJgz337spbxm1Jc7TJRqMbNBM/wYlFV/TZsfs2ZUv7COJIcRHIbjuend+JZTem
+hfY7RBi2xjcwYkSSl2l9QjAk5A0MiWtj3sXh306pFGxT4GHO9hcvHTy95iJMHZP1
+EMShduxq3sVs35a0VkBCwGKSMKEtFZSg0iAGCW5qbeXrt77U8PEVfIvmTroTzEsn
+Xpk8F12PgX8zPU/TPxvsXD/wPEx1bvKm1Z3aLQdjAsZy6ZS8TEmVT4hSyNvoaYL4
+zDRbIvCGp4m9SAptZoFtyMhk+wHh9OHe2Z7d21vUKpkmFRseTJIpgp7VkoGSQXAZ
+96Tlk0u8d2cx3Rz9MXANF5kM+Qw5GSoXtTBxVdUPrljhPS80m8+f9niFwpN6cj5m
+j5wWEWCPnolvZ77gR1o7DJpni89Gxq44o/KnvObWhWszJHAiS8sIm7vI+AIpHb4g
+DEa/a4ebsypmQjVGbKq6rfmYe+lQVRQxv7HaLe2ArWgk+2mr2HETMOZns4dA/Yl+
+8kPREd8vZS9kzl8UubG/Mb2HeFpZZYiq/FkySIbWTLkpS5XTdvN3JW1CHDiDTf2j
+X5t/Lax5Gw5CMZdjpPuKadUiDTSQMC6otOBttpSsvItO13D8xTiOZCXhTTmQzsmH
+hFhxAgMBAAGjgagwgaUwDwYDVR0TAQH/BAUwAwEB/zBCBgNVHSAEOzA5MDcGByuB
+KwEBAQowLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9yZXBvc2l0b3J5Lmx1eHRydXN0
+Lmx1MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBT/GCh2+UgFLKGu8SsbK7JT
++Et8szAdBgNVHQ4EFgQU/xgodvlIBSyhrvErGyuyU/hLfLMwDQYJKoZIhvcNAQEL
+BQADggIBAGoZFO1uecEsh9QNcH7X9njJCwROxLHOk3D+sFTAMs2ZMGQXvw/l4jP9
+BzZAcg4atmpZ1gDlaCDdLnINH2pkMSCEfUmmWjfrRcmF9dTHF5kH5ptV5AzoqbTO
+jFu1EVzPig4N1qx3gf4ynCSecs5U89BvolbW7MM3LGVYvlcAGvI1+ut7MV3CwRI9
+loGIlonBWVx65n9wNOeD4rHh4bhY79SV5GCc8JaXcozrhAIuZY+kt9J/Z93I055c
+qqmkoCUUBpvsT34tC38ddfEz2O3OuHVtPlu5mB0xDVbYQw8wkbIEa91WvpWAVWe+
+2M2D2RjuLg+GLZKecBPs3lHJQ3gCpU3I+V/EkVhGFndadKpAvAefMLmx9xIX3eP/
+JEAdemrRTxgKqpAd60Ae36EeRJIQmvKN4dFLRp7oRUKX6kWZ8+xm1QL68qZKJKre
+zrnK+T+Tb/mjuuqlPpmt/f97mfVl7vBZKGfXkJWkE4SphMHozs51k2MavDzq1WQf
+LSoSOcbDWjLtR5EWDrw4wVDej8oqkDQc7kGUnF4ZLvhFSZl0kbAEb+MEWrGrKqv+
+x9CWttrhSmQGbmBNvUJO/3jaJMobtNeWOWyu8Q6qp31IiyBMz2TWuJdGsE7RKlY6
+oJO9r4Ak4Ap+58rVyuiFVdw2KuGUaJPHZnJED4AhMmwlxyOAgwrr
+-----END CERTIFICATE-----
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem b/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
new file mode 100644
index 000000000000..2f36eaed33af
--- /dev/null
+++ b/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
@@ -0,0 +1,137 @@
+##
+## Staat der Nederlanden Root CA - G2
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## Extracted from nss
+## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 10000012 (0x98968c)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2
+ Validity
+ Not Before: Mar 26 11:18:17 2008 GMT
+ Not After : Mar 25 11:03:10 2020 GMT
+ Subject: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (4096 bit)
+ Modulus:
+ 00:c5:59:e7:6f:75:aa:3e:4b:9c:b5:b8:ac:9e:0b:
+ e4:f9:d9:ca:ab:5d:8f:b5:39:10:82:d7:af:51:e0:
+ 3b:e1:00:48:6a:cf:da:e1:06:43:11:99:aa:14:25:
+ 12:ad:22:e8:00:6d:43:c4:a9:b8:e5:1f:89:4b:67:
+ bd:61:48:ef:fd:d2:e0:60:88:e5:b9:18:60:28:c3:
+ 77:2b:ad:b0:37:aa:37:de:64:59:2a:46:57:e4:4b:
+ b9:f8:37:7c:d5:36:e7:80:c1:b6:f3:d4:67:9b:96:
+ e8:ce:d7:c6:0a:53:d0:6b:49:96:f3:a3:0b:05:77:
+ 48:f7:25:e5:70:ac:30:14:20:25:e3:7f:75:5a:e5:
+ 48:f8:4e:7b:03:07:04:fa:82:61:87:6e:f0:3b:c4:
+ a4:c7:d0:f5:74:3e:a5:5d:1a:08:f2:9b:25:d2:f6:
+ ac:04:26:3e:55:3a:62:28:a5:7b:b2:30:af:f8:37:
+ c2:d1:ba:d6:38:fd:f4:ef:49:30:37:99:26:21:48:
+ 85:01:a9:e5:16:e7:dc:90:55:df:0f:e8:38:cd:99:
+ 37:21:4f:5d:f5:22:6f:6a:c5:12:16:60:17:55:f2:
+ 65:66:a6:a7:30:91:38:c1:38:1d:86:04:84:ba:1a:
+ 25:78:5e:9d:af:cc:50:60:d6:13:87:52:ed:63:1f:
+ 6d:65:7d:c2:15:18:74:ca:e1:7e:64:29:8c:72:d8:
+ 16:13:7d:0b:49:4a:f1:28:1b:20:74:6b:c5:3d:dd:
+ b0:aa:48:09:3d:2e:82:94:cd:1a:65:d9:2b:88:9a:
+ 99:bc:18:7e:9f:ee:7d:66:7c:3e:bd:94:b8:81:ce:
+ cd:98:30:78:c1:6f:67:d0:be:5f:e0:68:ed:de:e2:
+ b1:c9:2c:59:78:92:aa:df:2b:60:63:f2:e5:5e:b9:
+ e3:ca:fa:7f:50:86:3e:a2:34:18:0c:09:68:28:11:
+ 1c:e4:e1:b9:5c:3e:47:ba:32:3f:18:cc:5b:84:f5:
+ f3:6b:74:c4:72:74:e1:e3:8b:a0:4a:bd:8d:66:2f:
+ ea:ad:35:da:20:d3:88:82:61:f0:12:22:b6:bc:d0:
+ d5:a4:ec:af:54:88:25:24:3c:a7:6d:b1:72:29:3f:
+ 3e:57:a6:7f:55:af:6e:26:c6:fe:e7:cc:40:5c:51:
+ 44:81:0a:78:de:4a:ce:55:bf:1d:d5:d9:b7:56:ef:
+ f0:76:ff:0b:79:b5:af:bd:fb:a9:69:91:46:97:68:
+ 80:14:36:1d:b3:7f:bb:29:98:36:a5:20:fa:82:60:
+ 62:33:a4:ec:d6:ba:07:a7:6e:c5:cf:14:a6:e7:d6:
+ 92:34:d8:81:f5:fc:1d:5d:aa:5c:1e:f6:a3:4d:3b:
+ b8:f7:39
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Certificate Policies:
+ Policy: X509v3 Any Policy
+ CPS: http://www.pkioverheid.nl/policies/root-policy-G2
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Subject Key Identifier:
+ 91:68:32:87:15:1D:89:E2:B5:F1:AC:36:28:34:8D:0B:7C:62:88:EB
+ Signature Algorithm: sha256WithRSAEncryption
+ a8:41:4a:67:2a:92:81:82:50:6e:e1:d7:d8:b3:39:3b:f3:02:
+ 15:09:50:51:ef:2d:bd:24:7b:88:86:3b:f9:b4:bc:92:09:96:
+ b9:f6:c0:ab:23:60:06:79:8c:11:4e:51:d2:79:80:33:fb:9d:
+ 48:be:ec:41:43:81:1f:7e:47:40:1c:e5:7a:08:ca:aa:8b:75:
+ ad:14:c4:c2:e8:66:3c:82:07:a7:e6:27:82:5b:18:e6:0f:6e:
+ d9:50:3e:8a:42:18:29:c6:b4:56:fc:56:10:a0:05:17:bd:0c:
+ 23:7f:f4:93:ed:9c:1a:51:be:dd:45:41:bf:91:24:b4:1f:8c:
+ e9:5f:cf:7b:21:99:9f:95:9f:39:3a:46:1c:6c:f9:cd:7b:9c:
+ 90:cd:28:a9:c7:a9:55:bb:ac:62:34:62:35:13:4b:14:3a:55:
+ 83:b9:86:8d:92:a6:c6:f4:07:25:54:cc:16:57:12:4a:82:78:
+ c8:14:d9:17:82:26:2d:5d:20:1f:79:ae:fe:d4:70:16:16:95:
+ 83:d8:35:39:ff:52:5d:75:1c:16:c5:13:55:cf:47:cc:75:65:
+ 52:4a:de:f0:b0:a7:e4:0a:96:0b:fb:ad:c2:e2:25:84:b2:dd:
+ e4:bd:7e:59:6c:9b:f0:f0:d8:e7:ca:f2:e9:97:38:7e:89:be:
+ cc:fb:39:17:61:3f:72:db:3a:91:d8:65:01:19:1d:ad:50:a4:
+ 57:0a:7c:4b:bc:9c:71:73:2a:45:51:19:85:cc:8e:fd:47:a7:
+ 74:95:1d:a8:d1:af:4e:17:b1:69:26:c2:aa:78:57:5b:c5:4d:
+ a7:e5:9e:05:17:94:ca:b2:5f:a0:49:18:8d:34:e9:26:6c:48:
+ 1e:aa:68:92:05:e1:82:73:5a:9b:dc:07:5b:08:6d:7d:9d:d7:
+ 8d:21:d9:fc:14:20:aa:c2:45:df:3f:e7:00:b2:51:e4:c2:f8:
+ 05:b9:79:1a:8c:34:f3:9e:5b:e4:37:5b:6b:4a:df:2c:57:8a:
+ 40:5a:36:ba:dd:75:44:08:37:42:70:0c:fe:dc:5e:21:a0:a3:
+ 8a:c0:90:9c:68:da:50:e6:45:10:47:78:b6:4e:d2:65:c9:c3:
+ 37:df:e1:42:63:b0:57:37:45:2d:7b:8a:9c:bf:05:ea:65:55:
+ 33:f7:39:10:c5:28:2a:21:7a:1b:8a:c4:24:f9:3f:15:c8:9a:
+ 15:20:f5:55:62:96:ed:6d:93:50:bc:e4:aa:78:ad:d9:cb:0a:
+ 65:87:a6:66:c1:c4:81:a3:77:3a:58:1e:0b:ee:83:8b:9d:1e:
+ d2:52:a4:cc:1d:6f:b0:98:6d:94:31:b5:f8:71:0a:dc:b9:fc:
+ 7d:32:60:e6:eb:af:8a:01
+SHA1 Fingerprint=59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16
+-----BEGIN CERTIFICATE-----
+MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO
+TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh
+dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX
+DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl
+ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv
+b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291
+qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp
+uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU
+Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE
+pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp
+5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M
+UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN
+GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy
+5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv
+6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK
+eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6
+B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/
+BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov
+L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG
+SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS
+CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen
+5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897
+IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK
+gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL
++63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL
+vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm
+bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk
+N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC
+Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z
+ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ==
+-----END CERTIFICATE-----
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
new file mode 100644
index 000000000000..ffac924e93ac
--- /dev/null
+++ b/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
@@ -0,0 +1,68 @@
+##
+## Symantec Class 1 Public Primary Certification Authority - G4
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## Extracted from nss
+## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8
+ Signature Algorithm: ecdsa-with-SHA384
+ Issuer: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 1 Public Primary Certification Authority - G4
+ Validity
+ Not Before: Oct 5 00:00:00 2011 GMT
+ Not After : Jan 18 23:59:59 2038 GMT
+ Subject: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 1 Public Primary Certification Authority - G4
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:d7:66:b5:1b:db:ae:b3:60:ee:46:ea:88:63:75:
+ 3b:2a:94:6d:f3:5f:12:f6:e3:0f:9e:b6:0a:14:53:
+ 48:52:c8:dc:3a:b3:cb:48:20:26:12:4e:fa:89:84:
+ d4:df:91:e4:29:7d:28:01:d9:db:18:43:69:a1:1f:
+ b5:d3:86:16:dc:c7:7f:67:23:df:df:31:31:83:03:
+ 35:70:b1:4b:b7:c8:17:bb:51:cb:dc:94:17:db:ea:
+ 09:3b:76:12:de:aa:b5
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ X509v3 extensions:
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 65:C0:8D:25:F5:0C:BA:97:77:90:3F:9E:2E:E0:5A:F5:CE:D5:E1:E4
+ Signature Algorithm: ecdsa-with-SHA384
+ 30:66:02:31:00:a5:ae:e3:46:53:f8:98:36:e3:22:fa:2e:28:
+ 49:0d:ee:30:7e:33:f3:ec:3f:71:5e:cc:55:89:78:99:ac:b2:
+ fd:dc:1c:5c:33:8e:29:b9:6b:17:c8:11:68:b5:dc:83:07:02:
+ 31:00:9c:c8:44:da:69:c2:36:c3:54:19:10:85:02:da:9d:47:
+ ef:41:e7:6c:26:9d:09:3d:f7:6d:90:d1:05:44:2f:b0:bc:83:
+ 93:68:f2:0c:45:49:39:bf:99:04:1c:d3:10:a0
+SHA1 Fingerprint=84:F2:E3:DD:83:13:3E:A9:1D:19:52:7F:02:D7:29:BF:C1:5F:E6:67
+-----BEGIN CERTIFICATE-----
+MIICqDCCAi2gAwIBAgIQIW4zpcvTiKRvKQe0JzzE2DAKBggqhkjOPQQDAzCBlDEL
+MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD
+VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMUUwQwYDVQQDEzxTeW1hbnRlYyBD
+bGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0g
+RzQwHhcNMTExMDA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBlDELMAkGA1UEBhMC
+VVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1h
+bnRlYyBUcnVzdCBOZXR3b3JrMUUwQwYDVQQDEzxTeW1hbnRlYyBDbGFzcyAxIFB1
+YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzQwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAATXZrUb266zYO5G6ohjdTsqlG3zXxL24w+etgoUU0hS
+yNw6s8tIICYSTvqJhNTfkeQpfSgB2dsYQ2mhH7XThhbcx39nI9/fMTGDAzVwsUu3
+yBe7UcvclBfb6gk7dhLeqrWjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRlwI0l9Qy6l3eQP54u4Fr1ztXh5DAKBggqhkjOPQQD
+AwNpADBmAjEApa7jRlP4mDbjIvouKEkN7jB+M/PsP3FezFWJeJmssv3cHFwzjim5
+axfIEWi13IMHAjEAnMhE2mnCNsNUGRCFAtqdR+9B52wmnQk9922Q0QVEL7C8g5No
+8gxFSTm/mQQc0xCg
+-----END CERTIFICATE-----
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
new file mode 100644
index 000000000000..97c6caf2b862
--- /dev/null
+++ b/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
@@ -0,0 +1,68 @@
+##
+## Symantec Class 2 Public Primary Certification Authority - G4
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## Extracted from nss
+## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e
+ Signature Algorithm: ecdsa-with-SHA384
+ Issuer: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 2 Public Primary Certification Authority - G4
+ Validity
+ Not Before: Oct 5 00:00:00 2011 GMT
+ Not After : Jan 18 23:59:59 2038 GMT
+ Subject: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 2 Public Primary Certification Authority - G4
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:d1:d9:4a:8e:4c:0d:84:4a:51:ba:7c:ef:d3:cc:
+ fa:3a:9a:b5:a7:63:13:3d:01:e0:49:3e:fa:c1:47:
+ c9:92:b3:3a:d7:fe:6f:9c:f7:9a:3a:0f:f5:0e:0a:
+ 0a:c3:3f:c8:e7:12:14:8e:d5:d5:6d:98:2c:b3:71:
+ 32:0a:eb:2a:bd:f6:d7:6a:20:0b:67:45:9c:d2:b2:
+ bf:53:22:66:09:5d:db:11:f3:f1:05:33:58:a3:e2:
+ b8:cf:7c:cd:82:9b:bd
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ X509v3 extensions:
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 3D:32:F3:3A:A9:0C:90:84:F9:A2:8C:69:06:61:54:2F:87:72:FE:05
+ Signature Algorithm: ecdsa-with-SHA384
+ 30:66:02:31:00:c8:a6:a9:af:41:7f:b5:c9:11:42:16:68:69:
+ 4c:5c:b8:27:18:b6:98:f1:c0:7f:90:6d:87:d3:8c:46:17:f0:
+ 3e:4f:fc:ea:b0:08:c4:7a:4b:bc:08:2f:c7:e2:a7:6f:65:02:
+ 31:00:d6:59:de:86:ce:5f:0e:ca:54:d5:c6:d0:15:0e:fc:8b:
+ 94:72:d4:8e:00:58:53:cf:7e:b1:4b:0d:e5:50:86:eb:9e:6b:
+ df:ff:29:a6:d8:47:d9:a0:96:18:db:f2:45:b3
+SHA1 Fingerprint=67:24:90:2E:48:01:B0:22:96:40:10:46:B4:B1:67:2C:A9:75:FD:2B
+-----BEGIN CERTIFICATE-----
+MIICqDCCAi2gAwIBAgIQNBdlEkA7t1aALYDLeVWmHjAKBggqhkjOPQQDAzCBlDEL
+MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD
+VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMUUwQwYDVQQDEzxTeW1hbnRlYyBD
+bGFzcyAyIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0g
+RzQwHhcNMTExMDA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBlDELMAkGA1UEBhMC
+VVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1h
+bnRlYyBUcnVzdCBOZXR3b3JrMUUwQwYDVQQDEzxTeW1hbnRlYyBDbGFzcyAyIFB1
+YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzQwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAATR2UqOTA2ESlG6fO/TzPo6mrWnYxM9AeBJPvrBR8mS
+szrX/m+c95o6D/UOCgrDP8jnEhSO1dVtmCyzcTIK6yq99tdqIAtnRZzSsr9TImYJ
+XdsR8/EFM1ij4rjPfM2Cm72jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBQ9MvM6qQyQhPmijGkGYVQvh3L+BTAKBggqhkjOPQQD
+AwNpADBmAjEAyKapr0F/tckRQhZoaUxcuCcYtpjxwH+QbYfTjEYX8D5P/OqwCMR6
+S7wIL8fip29lAjEA1lnehs5fDspU1cbQFQ78i5Ry1I4AWFPPfrFLDeVQhuuea9//
+KabYR9mglhjb8kWz
+-----END CERTIFICATE-----
diff --git a/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
new file mode 100644
index 000000000000..823fcd0b4e9d
--- /dev/null
+++ b/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
@@ -0,0 +1,87 @@
+##
+## Verisign Class 3 Public Primary Certification Authority - G3
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## Extracted from nss
+## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number:
+ 9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
+ Validity
+ Not Before: Oct 1 00:00:00 1999 GMT
+ Not After : Jul 16 23:59:59 2036 GMT
+ Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:cb:ba:9c:52:fc:78:1f:1a:1e:6f:1b:37:73:bd:
+ f8:c9:6b:94:12:30:4f:f0:36:47:f5:d0:91:0a:f5:
+ 17:c8:a5:61:c1:16:40:4d:fb:8a:61:90:e5:76:20:
+ c1:11:06:7d:ab:2c:6e:a6:f5:11:41:8e:fa:2d:ad:
+ 2a:61:59:a4:67:26:4c:d0:e8:bc:52:5b:70:20:04:
+ 58:d1:7a:c9:a4:69:bc:83:17:64:ad:05:8b:bc:d0:
+ 58:ce:8d:8c:f5:eb:f0:42:49:0b:9d:97:27:67:32:
+ 6e:e1:ae:93:15:1c:70:bc:20:4d:2f:18:de:92:88:
+ e8:6c:85:57:11:1a:e9:7e:e3:26:11:54:a2:45:96:
+ 55:83:ca:30:89:e8:dc:d8:a3:ed:2a:80:3f:7f:79:
+ 65:57:3e:15:20:66:08:2f:95:93:bf:aa:47:2f:a8:
+ 46:97:f0:12:e2:fe:c2:0a:2b:51:e6:76:e6:b7:46:
+ b7:e2:0d:a6:cc:a8:c3:4c:59:55:89:e6:e8:53:5c:
+ 1c:ea:9d:f0:62:16:0b:a7:c9:5f:0c:f0:de:c2:76:
+ ce:af:f7:6a:f2:fa:41:a6:a2:33:14:c9:e5:7a:63:
+ d3:9e:62:37:d5:85:65:9e:0e:e6:53:24:74:1b:5e:
+ 1d:12:53:5b:c7:2c:e7:83:49:3b:15:ae:8a:68:b9:
+ 57:97
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 11:14:96:c1:ab:92:08:f7:3f:2f:c9:b2:fe:e4:5a:9f:64:de:
+ db:21:4f:86:99:34:76:36:57:dd:d0:15:2f:c5:ad:7f:15:1f:
+ 37:62:73:3e:d4:e7:5f:ce:17:03:db:35:fa:2b:db:ae:60:09:
+ 5f:1e:5f:8f:6e:bb:0b:3d:ea:5a:13:1e:0c:60:6f:b5:c0:b5:
+ 23:22:2e:07:0b:cb:a9:74:cb:47:bb:1d:c1:d7:a5:6b:cc:2f:
+ d2:42:fd:49:dd:a7:89:cf:53:ba:da:00:5a:28:bf:82:df:f8:
+ ba:13:1d:50:86:82:fd:8e:30:8f:29:46:b0:1e:3d:35:da:38:
+ 62:16:18:4a:ad:e6:b6:51:6c:de:af:62:eb:01:d0:1e:24:fe:
+ 7a:8f:12:1a:12:68:b8:fb:66:99:14:14:45:5c:ae:e7:ae:69:
+ 17:81:2b:5a:37:c9:5e:2a:f4:c6:e2:a1:5c:54:9b:a6:54:00:
+ cf:f0:f1:c1:c7:98:30:1a:3b:36:16:db:a3:6e:ea:fd:ad:b2:
+ c2:da:ef:02:47:13:8a:c0:f1:b3:31:ad:4f:1c:e1:4f:9c:af:
+ 0f:0c:9d:f7:78:0d:d8:f4:35:56:80:da:b7:6d:17:8f:9d:1e:
+ 81:64:e1:fe:c5:45:ba:ad:6b:b9:0a:7a:4e:4f:4b:84:ee:4b:
+ f1:7d:dd:11
+SHA1 Fingerprint=13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl
+cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu
+LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT
+aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
+dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD
+VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
+aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ
+bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu
+IENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu6nFL8eB8aHm8b
+N3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1EUGO+i2t
+KmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGu
+kxUccLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBm
+CC+Vk7+qRy+oRpfwEuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJ
+Xwzw3sJ2zq/3avL6QaaiMxTJ5Xpj055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWu
+imi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAERSWwauSCPc/L8my/uRan2Te
+2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5fj267Cz3qWhMe
+DGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC
+/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565p
+F4ErWjfJXir0xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGt
+TxzhT5yvDwyd93gN2PQ1VoDat20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ==
+-----END CERTIFICATE-----