1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
|
ca-certificates (20230311-0.0~progress6.99u1) fuchur-backports; urgency=medium
* Initial reupload to fuchur-backports.
* Updating maintainer field.
* Updating uploaders field.
* Updating bugs field.
* Updating vcs fields.
* Updating source format.
-- Daniel Baumann <daniel.baumann@progress-linux.org> Sun, 28 Apr 2024 11:16:02 +0200
ca-certificates (20230311) unstable; urgency=medium
[ Đoàn Trần Công Danh ]
* ca-certificates: compat with non-GNU mktemp (closes: #1000847)
[ Ilya Lipnitskiy ]
* certdata2pem.py: use UTC time when checking cert validity
[ Julien Cristau ]
* Update Mozilla certificate authority bundle to version 2.60
The following certificate authorities were added (+):
+ "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+ "Certainly Root E1"
+ "Certainly Root R1"
+ "D-TRUST BR Root CA 1 2020"
+ "D-TRUST EV Root CA 1 2020"
+ "DigiCert TLS ECC P384 Root G5"
+ "DigiCert TLS RSA4096 Root G5"
+ "E-Tugra Global Root CA ECC v3"
+ "E-Tugra Global Root CA RSA v3"
+ "HARICA TLS ECC Root CA 2021"
+ "HARICA TLS RSA Root CA 2021"
+ "HiPKI Root CA - G1"
+ "ISRG Root X2"
+ "Security Communication ECC RootCA1"
+ "Security Communication RootCA3"
+ "Telia Root CA v2"
+ "TunTrust Root CA"
+ "vTrus ECC Root CA"
+ "vTrus Root CA"
The following certificate authorities were removed (-):
- "Cybertrust Global Root" (expired)
- "EC-ACC"
- "GlobalSign Root CA - R2" (expired)
- "Hellenic Academic and Research Institutions RootCA 2011"
- "Network Solutions Certificate Authority"
- "Staat der Nederlanden EV Root CA" (expired)
* Drop trailing space from debconf template causing misformatting
(closes: #980821)
[ Wataru Ashihara ]
* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244)
-- Julien Cristau <jcristau@debian.org> Sat, 11 Mar 2023 09:47:05 +0100
ca-certificates (20211016) unstable; urgency=low
[ Michael Shuler ]
* Fix error on install when TEMPBUNDLE missing. Closes: #996005
-- Julien Cristau <jcristau@debian.org> Sat, 16 Oct 2021 18:09:43 +0200
ca-certificates (20211004) unstable; urgency=low
[ Debian Janitor ]
* Fix day-of-week for changelog entry 20090624.
[ Julien Cristau ]
* Create temporary ca-certificates.crt on the same file system.
Closes: #923784
* Don't remove ca-certificates.crt before updating it, so it doesn't
go missing for a short while (closes: #920348). Thanks, Dimitris
Aragiorgis!
* Bump package priority from optional to standard.
* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
bundle to version 2.50
The following certificate authorities were added (+):
+ "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+ "GlobalSign Root R46"
+ "GlobalSign Root E46"
+ "GLOBALTRUST 2020"
+ "ANF Secure Server Root CA"
+ "Certum EC-384 CA"
+ "Certum Trusted Root CA"
The following certificate authorities were removed (-):
- "QuoVadis Root CA"
- "Sonera Class 2 Root CA"
- "GeoTrust Primary Certification Authority - G2"
- "VeriSign Universal Root Certification Authority"
- "Chambers of Commerce Root - 2008"
- "Global Chambersign Root - 2008"
- "Trustis FPS Root CA"
- "Staat der Nederlanden Root CA - G3"
* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
* mozilla/certdata2pem.py: print a warning for expired certificates.
-- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
ca-certificates (20210119) unstable; urgency=medium
[ Julien Cristau ]
* New maintainer (closes: #976406)
* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
bundle to version 2.46.
The following certificate authorities were added (+):
+ "certSIGN ROOT CA G2"
+ "e-Szigno Root CA 2017"
+ "Microsoft ECC Root Certificate Authority 2017"
+ "Microsoft RSA Root Certificate Authority 2017"
+ "NAVER Global Root Certification Authority"
+ "Trustwave Global Certification Authority"
+ "Trustwave Global ECC P256 Certification Authority"
+ "Trustwave Global ECC P384 Certification Authority"
The following certificate authorities were removed (-):
- "EE Certification Centre Root CA"
- "GeoTrust Universal CA 2"
- "LuxTrust Global Root 2"
- "OISTE WISeKey Global Root GA CA"
- "Staat der Nederlanden Root CA - G2" (closes: #962079)
- "Taiwan GRCA"
- "Verisign Class 3 Public Primary Certification Authority - G3"
[ Michael Shuler ]
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596
The following root certificates were added back (+):
+ "GeoTrust Primary Certification Authority - G2"
+ "VeriSign Universal Root Certification Authority"
[ Gianfranco Costamagna ]
* debian/{rules,control}:
Merge Ubuntu patch from Matthias Klose to use Python3 during build.
Closes: #942915
-- Julien Cristau <jcristau@debian.org> Tue, 19 Jan 2021 11:11:04 +0100
ca-certificates (20200601) unstable; urgency=medium
* debian/control:
Set Standards-Version: 4.5.0.2
Set Build-Depends: debhelper-compat (= 13)
* debian/copyright:
Replace tabs in license text
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.40.
Closes: #956411, #955038
* mozilla/blacklist.txt
Add distrusted Symantec CA list to blacklist for explicit removal.
Closes: #911289
Blacklist expired root certificate, "AddTrust External Root"
Closes: #961907
The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"
The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"
-- Michael Shuler <michael@pbandjelly.org> Mon, 01 Jun 2020 11:45:49 -0500
ca-certificates (20190110) unstable; urgency=high
* debian/control:
Depend on openssl (>= 1.1.1).
Set Standards-Version: 4.3.0.1.
Set Build-Depends: debhelper-compat (= 12); drop d/compat
Remove trailing whitespace from d/changelog.
* debian/ca-certificates.postinst:
Fix permissions on /usr/local/share/ca-certificates when using symlinks.
Closes: #916833
* sbin/update-ca-certificates:
Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl
rehash` from exiting with an error. Closes: #895482, #895473
This will also fix removal of user CA certificates from /usr/local without
needing to run --fresh. Closes: #911303
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.28.
The following certificate authorities were added (+):
+ "GlobalSign Root CA - R6"
+ "OISTE WISeKey Global Root GC CA"
The following certificate authorities were removed (-):
- "Certplus Root CA G1"
- "Certplus Root CA G2"
- "OpenTrust Root CA G1"
- "OpenTrust Root CA G2"
- "OpenTrust Root CA G3"
- "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
- "Visa eCommerce Root"
-- Michael Shuler <michael@pbandjelly.org> Thu, 10 Jan 2019 19:31:31 -0600
ca-certificates (20180409) unstable; urgency=medium
[ Michael Shuler ]
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.22.
The following certificate authorities were added (+):
+ "GDCA TrustAUTH R5 ROOT"
+ "SSL.com EV Root Certification Authority ECC"
+ "SSL.com EV Root Certification Authority RSA R2"
+ "SSL.com Root Certification Authority ECC"
+ "SSL.com Root Certification Authority RSA"
+ "TrustCor ECA-1"
+ "TrustCor RootCert CA-1"
+ "TrustCor RootCert CA-2"
The following certificate authorities were removed (-):
- "ACEDICOM Root"
- "AddTrust Low-Value Services Root"
- "AddTrust Public Services Root"
- "AddTrust Qualified Certificates Root"
- "CA Disig Root R1"
- "CNNIC ROOT"
- "Camerfirma Chambers of Commerce Root"
- "Camerfirma Global Chambersign Root"
- "Certinomis - Autorité Racine"
- "Certum Root CA"
- "China Internet Network Information Center EV Certificates Root"
- "Comodo Secure Services root"
- "Comodo Trusted Services root"
- "DST ACES CA X6"
- "GeoTrust Global CA 2"
- "PSCProcert"
- "Security Communication EV RootCA1"
- "Swisscom Root CA 1"
- "Swisscom Root CA 2"
- "Swisscom Root EV CA 2"
- "TURKTRUST Certificate Services Provider Root 2007"
- "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
- "UTN USERFirst Hardware Root CA"
* mozilla/blacklist.txt
Update blacklist to remove certificates no longer in certdata.txt and
explicitly ignore distrusted certificates.
* debian/copyright:
Fix lintian insecure-copyright-format-uri with https URL.
* debian/changelog:
Fix lintian file-contains-trailing-whitespace.
* debian/{compat,control}:
Set to debhelper compat 11.
* Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
usage of `c_rehash` script. Closes: #895075
[ Thijs Kinkhorst ]
* Remove Christian Perrier from uploaders at his request (closes: #894070).
* Checked for policy 4.1.4, no changes.
-- Michael Shuler <michael@pbandjelly.org> Mon, 09 Apr 2018 18:43:49 -0500
ca-certificates (20170717) unstable; urgency=medium
* Update to Standards-Version: 4.0.1
* debian/ca-certificates.postinst:
Prevent postinst failure on read-only /usr/local. Closes: #843722
* mozilla/certdata2pem.py:
Remove email-only roots from mozilla trust store. Closes: #721976
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.14.
Closes: #858064
The following certificate authorities were added (+):
+ "AC RAIZ FNMT-RCM"
+ "Amazon Root CA 1"
+ "Amazon Root CA 2"
+ "Amazon Root CA 3"
+ "Amazon Root CA 4"
+ "D-TRUST Root CA 3 2013"
+ "LuxTrust Global Root 2"
+ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
The following certificate authorities were removed (-):
- "AC Raiz Certicamara S.A."
- "ApplicationCA - Japanese Government"
- "Buypass Class 2 CA 1"
- "ComSign CA"
- "EBG Elektronik Sertifika Hizmet Saglayicisi"
- "Equifax Secure CA"
- "Equifax Secure eBusiness CA 1"
- "Equifax Secure Global eBusiness CA"
- "IGC/A"
- "Juur-SK"
- "Microsec e-Szigno Root CA"
- "Root CA Generalitat Valenciana"
- "RSA Security 2048 v3"
- "S-TRUST Authentication and Encryption Root CA 2005 PN"
- "S-TRUST Universal Root CA"
- "SwissSign Platinum CA - G2"
- "TC TrustCenter Class 3 CA II"
- "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
- "UTN USERFirst Email Root CA"
- "Verisign Class 1 Public Primary Certification Authority"
- "Verisign Class 1 Public Primary Certification Authority - G3"
- "Verisign Class 2 Public Primary Certification Authority - G2"
- "Verisign Class 2 Public Primary Certification Authority - G3"
- "Verisign Class 3 Public Primary Certification Authority"
- "WellsSecure Public Root Certificate Authority"
-- Michael Shuler <michael@pbandjelly.org> Thu, 20 Jul 2017 00:18:08 -0500
ca-certificates (20161130+nmu1) unstable; urgency=medium
* Non-maintainer upload.
* Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
now untrusted by the major browser vendors. Closes: #858539
-- Chris Lamb <lamby@debian.org> Fri, 19 May 2017 16:53:16 +0200
ca-certificates (20161130) unstable; urgency=medium
[ Philipp Kern ]
* Add ca-certificates udeb package. Closes: #845456
[ Michael Shuler ]
* debian/{compat,control}:
Update to compat level 10 and debhelper (>= 10)
Shorten package description.
* debian/po/id.po
Update Indonesian debconf translation file for build time line reorder
-- Michael Shuler <michael@pbandjelly.org> Wed, 30 Nov 2016 21:20:53 -0600
ca-certificates (20161102) unstable; urgency=medium
[ Michael Shuler ]
* debian/control:
Update to Standards-Version: 3.9.8
Update to Vcs-Browser/Vcs-Git: https URLs
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.9.
Thanks for the initial 2.7 patch, Jonathan Wiltshire. Closes: #828845
The following certificate authorities were added (+):
+ "Certplus Root CA G1"
+ "Certplus Root CA G2"
+ "Certum Trusted Network CA 2"
+ "Hellenic Academic and Research Institutions ECC RootCA 2015"
+ "Hellenic Academic and Research Institutions RootCA 2015"
+ "ISRG Root X1"
+ "OpenTrust Root CA G1"
+ "OpenTrust Root CA G2"
+ "OpenTrust Root CA G3"
+ "SZAFIR ROOT CA2"
The following certificate authorities were removed (-):
- "CA Disig"
- "NetLock Business (Class B) Root"
- "NetLock Express (Class C) Root"
- "NetLock Notary (Class A) Root"
- "NetLock Qualified (Class QA) Root"
- "Sonera Class 1 Root CA"
- "Staat der Nederlanden Root CA"
- "Verisign Class 1 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"
- "Verisign Class 3 Public Primary Certification Authority - G2"
[ Andreas Beckmann ]
* debian/postinst:
Run update-certificates without hooks to initially populate
/etc/ssl/certs. (The hooks are deferred to the noawait trigger.)
Closes: #825730
[ Izharul Haq ]
* debian/po/id.po:
Add Indonesian debconf translation. Thank you, Izharul! Closes: #835156
-- Michael Shuler <michael@pbandjelly.org> Wed, 02 Nov 2016 21:15:03 -0500
ca-certificates (20160104) unstable; urgency=medium
* debian/rules:
Sort certificate list for reproducible builds. Closes: #808711
* mozilla/certdata2pem.py:
Drop old CK*_NETSCAPE trust flag checks
-- Michael Shuler <michael@pbandjelly.org> Mon, 04 Jan 2016 11:08:26 -0600
ca-certificates (20151214) unstable; urgency=medium
* Removed SPI CA. Closes: #796208
* debian/{compat,control}:
Updated d/compat to version 9 and updated Build-Depends.
* debian/postinst:
Handle /usr/local/share/ca-certificates permissions and ownership on
upgrade. Closes: #611501
* mozilla/certdata2pem.py:
Add Python 3 support to ca-certificates.
Thanks to Andrew Wilcox and Richard Ipsum for the patch! Closes: #789753
* sbin/update-ca-certificates:
Update local certificates directory when calling --fresh.
Thanks for the patch, Daniel Lutz! Closes: #783615
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.6.
The following certificate authorities were added (+):
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ "Certinomis - Root CA"
+ "OISTE WISeKey Global Root GB CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
The following certificate authorities were removed (-):
- "A-Trust-nQual-03"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
-- Michael Shuler <michael@pbandjelly.org> Mon, 14 Dec 2015 18:51:50 -0600
ca-certificates (20150426) unstable; urgency=medium
* debian/postinst:
Set mode and group of /usr/local/share/ca-certificates based on current
/usr/local permissions and ownership. Closes: #611501
* sbin/update-ca-certificates:
Allow customisation of the paths used by update-ca-certificates.
Add an option to set the certs in a directory to the defaults.
Thanks for the patches, Paul Wise. Closes: #774059, #774201
Fix shellcheck warnings and a little indentation.
* sbin/update-ca-certificates.8:
Correct concatenated file name in man page from certificates.crt to
ca-certificates.crt. Closes: #782230
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.4.
The following certificate authorities were added (+):
+ "CFCA EV ROOT"
+ "COMODO RSA Certification Authority"
+ "Entrust Root Certification Authority - EC1"
+ "Entrust Root Certification Authority - G2"
+ "GlobalSign ECC Root CA - R4"
+ "GlobalSign ECC Root CA - R5"
+ "IdenTrust Commercial Root CA 1"
+ "IdenTrust Public Sector Root CA 1"
+ "S-TRUST Universal Root CA"
+ "Staat der Nederlanden EV Root CA"
+ "Staat der Nederlanden Root CA - G3"
+ "USERTrust ECC Certification Authority"
+ "USERTrust RSA Certification Authority" Closes: #762709
The following certificate authorities were removed (-):
- "America Online Root Certification Authority 1"
- "America Online Root Certification Authority 2"
- "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
- "GTE CyberTrust Global Root"
- "Thawte Premium Server CA"
- "Thawte Server CA"
-- Michael Shuler <michael@pbandjelly.org> Sun, 26 Apr 2015 10:37:48 -0500
ca-certificates (20141019) unstable; urgency=medium
* debian/copyright:
Add coverage for all files reported by lintian
file-without-copyright-information warning.
* debian/source/lintian-overrides:
Add file-without-copyright-information override for SPI certificate file.
* sbin/update-ca-certificates:
Restore SELinux label after generating ca-certificates.crt file.
Thanks to Laurent Bigonville for the patch. Closes: #742957
Tidy indentation whitespace.
Thanks to Antonio Terceiro for the patch. Closes: #742663
* debian/control:
Update to Standards-Version: 3.9.6 (no other changes needed).
Update Vcs-Browser link to cgit URL.
-- Michael Shuler <michael@pbandjelly.org> Sun, 19 Oct 2014 10:36:49 -0500
ca-certificates (20140927) unstable; urgency=medium
* Update Mozilla certificate authority bundle to version 2.1.
The following certificate authorities were added (+):
+ "DigiCert Assured ID Root G2"
+ "DigiCert Assured ID Root G3"
+ "DigiCert Global Root G2"
+ "DigiCert Global Root G3"
+ "DigiCert Trusted Root G4"
+ "QuoVadis Root CA 1 G3"
+ "QuoVadis Root CA 2 G3"
+ "QuoVadis Root CA 3 G3"
+ "WoSign"
+ "WoSign China"
The following certificate authorities were removed (-):
- "Entrust.net Secure Server CA"
- "RSA Root Certificate 1"
- "TDC Internet Root CA"
- "ValiCert Class 1 VA"
- "ValiCert Class 2 VA"
* Include clear list of CAs added/removed, as above, and include better note
in README.Debian for trust reconfiguration. Closes: #743365
* Remove debian/config in debian/rules clean target.
* Include d/{changelog,NEWS} entries in 20140223 for duplicate CKA_LABEL
rename of "StartCom Certification Authority"_2.
-- Michael Shuler <michael@pbandjelly.org> Sat, 27 Sep 2014 15:14:00 -0500
ca-certificates (20140325) unstable; urgency=medium
* Update mozilla/certdata.txt to version 1.97+revert_of_936304
Mozilla reverted the removal of 1024-bit root certificates for
Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not update the
version number in nssckbi.h.
Certificates added (+) (none removed):
+ "Entrust.net Secure Server CA"
+ "GTE CyberTrust Global Root"
+ "RSA Root Certificate 1"
+ "ValiCert Class 1 VA"
+ "ValiCert Class 2 VA"
-- Michael Shuler <michael@pbandjelly.org> Tue, 25 Mar 2014 13:28:19 -0500
ca-certificates (20140223) unstable; urgency=medium
* No longer ship cacert.org certificates. Closes: #718434, LP: #1258286
* Fix certdata2pem.py for multiple CAs using the same CKA_LABEL. Thanks
to Marc Deslauriers for the patch. Closes: #683403, LP: #1031333
* Sort local CA certificates on update-ca-certificates runs. Thanks to
Vaclav Ovsik for the suggestion and patch. Closes: #727136
* Add trailing newline to certificate, if it is missing. Closes: #635570
* Update mozilla/certdata.txt to version 1.97.
Certificates added (+), removed (-), and renamed (~):
+ "ACCVRAIZ1"
+ "Atos TrustedRoot 2011"
+ "E-Tugra Certification Authority"
+ "SG TRUST SERVICES RACINE"
+ "StartCom Certification Authority"
~ "StartCom Certification Authority"_2
(both StartCom CAs now included with duplicate CKA_LABEL fix)
+ "T-TeleSec GlobalRoot Class 2"
+ "TWCA Global Root CA"
+ "TeliaSonera Root CA v1"
+ "Verisign Class 3 Public Primary Certification Authority"
~ "Verisign Class 3 Public Primary Certification Authority"_2
(both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
- "Entrust.net Secure Server CA"
- "Firmaprofesional Root CA"
- "GTE CyberTrust Global Root"
- "RSA Root Certificate 1"
- "TDC OCES Root CA"
- "ValiCert Class 1 VA"
- "ValiCert Class 2 VA"
- "Wells Fargo Root CA"
-- Michael Shuler <michael@pbandjelly.org> Sun, 23 Feb 2014 23:22:29 -0600
ca-certificates (20130906) unstable; urgency=low
* Add ca-certificates-local source package example to documentation
* Update local certificate handling in README.Debian.
Closes: #718173, LP: #487845
* Update CA inclusion policy for ca-certificates in README.Debian. With
the exception of SPI and CAcert, only those CAs included in Mozilla's
trust store will be included in ca-certificates in Debian.
Closes: #647848, LP: #103074
* Clarify that not all software that uses SSL uses ca-certificates in
README.Debian. Closes: #664769
* Add mozilla/nssckbi.h to source, since certdata.txt no longer contains
a version number.
* Update debian/copyright to "Copyright: Mozilla Contributors" for
mozilla/{certdata.txt,nssckbi.h}.
* Update mozilla/certdata.txt to version 1.94
Certificates added (+) and removed (-):
+ "CA Disig Root R1"
+ "CA Disig Root R2"
+ "China Internet Network Information Center EV Certificates Root"
+ "D-TRUST Root Class 3 CA 2 2009"
+ "D-TRUST Root Class 3 CA 2 EV 2009"
+ "PSCProcert"
+ "Swisscom Root CA 2"
+ "Swisscom Root EV CA 2"
+ "TURKTRUST Certificate Services Provider Root 2007"
- "Equifax Secure eBusiness CA 2"
- "TC TrustCenter Universal CA III"
-- Michael Shuler <michael@pbandjelly.org> Fri, 06 Sep 2013 11:31:06 -0500
ca-certificates (20130610) unstable; urgency=low
[ Michael Shuler ]
* Install CAcert root and class3 certificates individually, no longer
installing the concatenation of the two. The individual certificates
are installed as cacert.org_root.crt and cacert.org_class3.crt for ease
of identification. Additionally, this allows openssl maintainers to drop
a problematic patch to c_rehash for handling multi-certificate files.
(see #642314) Closes: #692323
* Update Vcs-* fields for lintian vcs-field-not-canonical
* Update to machine-readable debian/copyright file v1.0
[ Thijs Kinkhorst ]
* Drop upgrading code for upgrades from Debian Etch and earlier.
* Remove obsolete debconf.org CA certificate. DebConf now uses an
intermediate certificate signed by SPI. (Closes: #693405)
* Remove obsolete SPI CA certiticate.
* Update Standards-Version: 3.9.4 (no changes needed)
* Clean up man page (LP: #850997).
-- Thijs Kinkhorst <thijs@debian.org> Mon, 10 Jun 2013 19:52:15 +0200
ca-certificates (20130119) unstable; urgency=low
* Update mozilla/certdata.txt to version 1.87 Closes: #697366
Certificates removed (-) (none added):
- "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
* Remove unneeded and confusing usage of interest-noawait; remove unneeded
Pre-Depends on dpkg. Thanks to Guillem Jover for the help and patch.
Closes: #537051
-- Michael Shuler <michael@pbandjelly.org> Sat, 19 Jan 2013 14:02:09 -0600
ca-certificates (20121114) unstable; urgency=low
[ Don Armstrong ]
* Breaks ca-certificates-java (<<20121112+nmu1); partially fixing #537051.
* Provide update-ca-certificates and update-ca-certificates-fresh
triggers.
* Call the triggers using no-await so that the configuration files from
the newer version of ca-certificates-java are in places before the
upgrade. Closes: #537051.
[ Michael Shuler ]
* Add note to previous mozilla/certdata.txt changelog entry to document
CKT_NSS_MUST_VERIFY_TRUST changes.
-- Michael Shuler <michael@pbandjelly.org> Wed, 14 Nov 2012 23:58:59 -0600
ca-certificates (20121105) unstable; urgency=low
* Update mozilla/certdata.txt to version 1.86 Closes: #683728
- Replace legacy "no explicit trust" flag of CKT_NSS_TRUST_UNKNOWN for
CKT_NSS_MUST_VERIFY_TRUST, instead of a mix of both flags:
https://bugzilla.mozilla.org/show_bug.cgi?id=757189
This upstream fix does not change the CA certificates installed in
ca-certificates as both flags are ignored. Only those CA certificates
with the CKT_NSS_TRUSTED_DELEGATOR flag in certdata.txt are installed.
Certificates added (+) (none removed):
+ "Actalis Authentication Root CA"
+ "Trustis FPS Root CA"
+ "StartCom Certification Authority" (renewal/rehash)
+ "StartCom Certification Authority G2"
+ "Buypass Class 2 Root CA"
+ "Buypass Class 3 Root CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
+ "T-TeleSec GlobalRoot Class 3"
+ "EE Certification Centre Root CA"
* Correct piuparts package remove/purge behavior Closes: #682125
- Remove deletes of /etc/ssl{,/certs} from debian/postrm
-- Michael Shuler <michael@pbandjelly.org> Mon, 05 Nov 2012 10:56:05 -0600
ca-certificates (20120623) unstable; urgency=low
* Add Polish translation, thanks to Michał Kułach. Closes: #660002
* Add Turkish translation, thanks to Atila KOÇ. Closes: #661785
* Correct update-ca-certificates(8) alignment Closes: #666932
* Add note to update-ca-certificates(8) about .crt extension needed for
CA certificates in /usr/local/share/ca-certificates Closes: #595279
* Update mozilla/certdata.txt to version 1.83
Mozilla Public License updated to v2.0
(no added/removed CAs)
* Update debian/copyright to:
- reflect MPL v2.0 update for mozilla/certdata.txt
- specify GPL-2 instead of GPL symlink
* Update debian/NEWS with added/removed certs from 20111211 and 20120212
* Update to Standards-Version: 3.9.3 (no changes needed)
-- Michael Shuler <michael@pbandjelly.org> Sat, 23 Jun 2012 09:16:54 -0500
ca-certificates (20120212) unstable; urgency=low
* Update mozilla/certdata.txt to version 1.81
Certificates added (+) and removed (-):
+ "Security Communication RootCA2"
+ "EC-ACC"
+ "Hellenic Academic and Research Institutions RootCA 2011"
- "Verisign Class 2 Public Primary Certification Authority"
- "Verisign Class 4 Public Primary Certification Authority - G2"
- "TC TrustCenter, Germany, Class 2 CA"
- "TC TrustCenter, Germany, Class 3 CA"
* Add notice to README.Debian deprecating CA inclusions and refer to
#647848 for Debian CA Certificate Policy discussion.
-- Michael Shuler <michael@pbandjelly.org> Sun, 12 Feb 2012 15:12:59 -0600
ca-certificates (20111211) unstable; urgency=low
* Clarify CA audit note in package description and README.debian. Thanks
to C.J. Adams-Collier for the patch. Closes: #594383
* Remove French Government IGC/A CA certificates. The RSA certificate is
included in the Mozilla bundle and the DSA certificate is not in use.
Closes: #646767
* Remove expired signet.pl CAs. Closes: #647849
* Remove expired brasil.gov.br CA.
* Edit 20111025 changelog/NEWS entries to correctly list installed CAs
* Use 'set -e' in body of debian/postinst
* Update mozilla/certdata.txt to version 1.80
(no added/removed CAs)
* Update mozilla/certdata2pem.py to parse NETSCAPE or NSS data
-- Michael Shuler <michael@pbandjelly.org> Sun, 11 Dec 2011 19:05:32 -0600
ca-certificates (20111025) unstable; urgency=low
[ Michael Shuler ]
* Add 3.0 (native) source format
* Add Vcs-Git/Browser fields
* Add myself as new Maintainer with Uploaders Closes: #588219
* Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
Certificates added (+) and removed (-):
+ "AffirmTrust Commercial"
+ "AffirmTrust Networking"
+ "AffirmTrust Premium"
+ "AffirmTrust Premium ECC"
+ "A-Trust-nQual-03"
+ "Certinomis - Autorité Racine"
+ "Certum Trusted Network CA"
+ "Go Daddy Root Certificate Authority - G2"
+ "Root CA Generalitat Valenciana"
+ "Starfield Root Certificate Authority - G2"
+ "Starfield Services Root Certificate Authority - G2"
+ "TWCA Root Certification Authority"
- "AOL Time Warner Root Certification Authority 1"
- "AOL Time Warner Root Certification Authority 2"
- "DigiNotar Root CA"
- "Entrust.net Global Secure Personal CA"
- "Entrust.net Global Secure Server CA"
- "Entrust.net Secure Personal CA"
- "IPS Chained CAs root"
- "IPS CLASE1 root"
- "IPS CLASE3 root"
- "IPS CLASEA1 root"
- "IPS CLASEA3 root"
- "IPS Timestamping root"
- "Thawte Personal Freemail CA"
- "Thawte Time Stamping CA"
* Update CAcert-Class 3-Subroot-certificate Closes: #630232
[ Steve Langasek ]
* sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
the way before calling c_rehash, so that symlinks don't accidentally get
pointed here, breaking openssl certificate verification LP: #854927
[ Loïc Minier ]
* Drop bogus c_rehash on upgrades, which caused issue when
ca-certificates.crt was still in place; instead, call
update-ca-certificates --fresh on upgrades to this version, and
the usual update-ca-certificates otherwise Closes: #643667, #537382
-- Michael Shuler <michael@pbandjelly.org> Tue, 25 Oct 2011 09:12:10 -0500
ca-certificates (20111022) unstable; urgency=low
* QA upload.
* Fix pending l10n issues. Debconf translations:
- German (Helge Kreutzmann). Closes: #634000
- French (Christian Perrier). Closes: #634092
- Russian (Yuri Kozlov). Closes: #635146
- Swedish (Martin Bagge / brother). Closes: #640622
- Slovak (Slavko). Closes: #641987
- Spanish; (Javier Fernández-Sanguino). Closes: #642359
- Japanese (Kenshi Muto). Closes: #644828
- Czech (Miroslav Kure). Closes: #644843
- Danish (Joe Hansen). Closes: #644854
- Italian (Luca Monducci). Closes: #645004
- Dutch; (Jeroen Schot). Closes: #645090
- Portuguese (Miguel Figueiredo). Closes: #645126
- Galician (Jorge Barreiro). Closes: #645138
- Catalan; (Jordi Mallach). Closes: #645182
- Brazilian Portuguese (Adriano Rafael Gomes). Closes: #645526
* Split Choices in debconf templates
* Add build-arch and build-indep build targets
* Bump debhelper compatibility level to 8
* Bump Standards to 3.9.2 (checked)
* Replace "dh_clean -k" by dh_prep
-- Christian Perrier <bubulle@debian.org> Sat, 22 Oct 2011 14:24:00 +0200
ca-certificates (20110502+nmu1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Blacklist "DigiNotar Root CA" (Closes: #639744)
-- Raphael Geissert <geissert@debian.org> Tue, 30 Aug 2011 21:00:55 -0500
ca-certificates (20110502) unstable; urgency=low
* QA upload.
* Mark the package as multi-arch:foreign. (Closes: #622323)
* Use db_settitle in config script to allow translations of the
dialog title; thanks to Frans Pop. (Closes: #560314)
-- Philipp Kern <pkern@debian.org> Mon, 02 May 2011 19:27:50 +0200
ca-certificates (20110421) unstable; urgency=low
* QA upload.
* Package is orphaned, set maintainer to QA group
* Depend on openssl 1.0.0 and force a call of c_rehash so that we have
both the old and new style of symlinks. (Closes: #611102)
* Remove libssl0.9.8 from enhances
* Update mozilla certdata.txt file to the latest version.
Removed:
- ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt
- beTRUSTed_Root_CA-Baltimore_Implementation.crt
- beTRUSTed_Root_CA.crt
- beTRUSTed_Root_CA_-_Entrust_Implementation.crt
- beTRUSTed_Root_CA_-_RSA_Implementation.crt
- Digital_Signature_Trust_Co._Global_CA_2.crt
- Digital_Signature_Trust_Co._Global_CA_4.crt
- Entrust.net_Global_Secure_Personal_CA.crt
- Entrust.net_Global_Secure_Server_CA.crt
- Entrust.net_Secure_Personal_CA.crt
- GTE_CyberTrust_Root_CA.crt
- IPS_Chained_CAs_root.crt
- IPS_CLASE1_root.crt
- IPS_CLASE3_root.crt
- IPS_CLASEA1_root.crt
- IPS_CLASEA3_root.crt
- IPS_Servidores_root.crt
- IPS_Timestamping_root.crt
- RSA_Security_1024_v3.crt
- StartCom_Ltd..crt
- Thawte_Personal_Basic_CA.crt
- Thawte_Personal_Premium_CA.crt
- UTN-USER_First-Network_Applications.crt
- Verisign_RSA_Secure_Server_CA.crt
- Verisign_Time_Stamping_Authority_CA.crt
- Visa_International_Global_Root_2.crt
Added:
- ACEDICOM_Root.crt
- AC_Raíz_Certicámara_S.A..crt
- ApplicationCA_-_Japanese_Government.crt
- Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
- Buypass_Class_2_CA_1.crt
- Buypass_Class_3_CA_1.crt
- CA_Disig.crt
- Certigna.crt
- certSIGN_ROOT_CA.crt
- Chambers_of_Commerce_Root_-_2008.crt
- CNNIC_ROOT.crt
- ComSign_CA.crt
- ComSign_Secured_CA.crt
- Cybertrust_Global_Root.crt
- Deutsche_Telekom_Root_CA_2.crt
- EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
- E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
- ePKI_Root_Certification_Authority.crt
- GeoTrust_Primary_Certification_Authority_-_G2.crt
- GeoTrust_Primary_Certification_Authority_-_G3.crt
- Global_Chambersign_Root_-_2008.crt
- GlobalSign_Root_CA_-_R3.crt
- Hongkong_Post_Root_CA_1.crt
- IGC_A.crt
- Izenpe.com.crt
- Juur-SK.crt
- Microsec_e-Szigno_Root_CA_2009.crt
- Microsec_e-Szigno_Root_CA.crt
- NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
- OISTE_WISeKey_Global_Root_GA_CA.crt
- SecureSign_RootCA11.crt
- Security_Communication_EV_RootCA1.crt
- Staat_der_Nederlanden_Root_CA_-_G2.crt
- S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
- TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
- TC_TrustCenter_Class_2_CA_II.crt
- TC_TrustCenter_Class_3_CA_II.crt
- TC_TrustCenter_Universal_CA_I.crt
- TC_TrustCenter_Universal_CA_III.crt
- thawte_Primary_Root_CA_-_G2.crt
- thawte_Primary_Root_CA_-_G3.crt
- VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
- VeriSign_Universal_Root_Certification_Authority.crt
Changed:
- Verisign_Class_1_Public_Primary_Certification_Authority.crt
- Verisign_Class_3_Public_Primary_Certification_Authority.crt
* Remove telesec.de/deutsche-telekom-root-ca-2.crt, now in mozilla.
* String decode the mozilla certdata.txt so the filenames show up as
proper UTF-8 strings.
-- Kurt Roeckx <kurt@roeckx.be> Thu, 21 Apr 2011 18:56:08 +0200
ca-certificates (20090814+nmu3) unstable; urgency=low
* Non-maintainer upload.
* Fix pending l10n issues. Debconf translations:
- French (Christian Perrier). Closes: #594231
- Danish (Joe Hansen). Closes: #601129
- Catalan (Jordi Mallach). Closes: #601089
- Brazilian Portuguese (Adriano Rafael Gomes). Closes: #618633
-- Christian Perrier <bubulle@debian.org> Sat, 19 Mar 2011 07:47:00 +0100
ca-certificates (20090814+nmu2) unstable; urgency=low
* Non-maintainer upload.
* Fixes buggy shell functions included in the postinst script.
(Closes: #591607)
-- Maximiliano Curia <maxy@debian.org> Fri, 13 Aug 2010 20:16:21 -0300
ca-certificates (20090814+nmu1) unstable; urgency=low
* Non-maintainer upload.
* Preserve user changes to the /etc/ca-certificates.conf.
(Closes: #514220)
-- Maximiliano Curia <maxy@debian.org> Fri, 30 Jul 2010 12:55:28 -0400
ca-certificates (20090814) unstable; urgency=low
* Call Debconf and its db_purge as early as possible in postrm.
(Closes: #541275)
-- Philipp Kern <pkern@debian.org> Fri, 14 Aug 2009 11:10:00 +0200
ca-certificates (20090709) unstable; urgency=low
* Fix purge by checking for `/etc/ssl/certs' first. (Closes: #536331)
-- Philipp Kern <pkern@debian.org> Thu, 09 Jul 2009 10:35:39 +0200
ca-certificates (20090708) unstable; urgency=low
* Removed CA files:
- cacert.org/root.crt and cacert.org/class3.crt:
Both certificate files were deprecated with 20080809. Users of these
root certificates are encouraged to switch to
`cacert.org/cacert.org.crt' which contains both class 1 and class 3
roots joined in a single file.
- quovadis.bm/QuoVadis_Root_Certification_Authority.crt:
This certificate has been added into the Mozilla truststore and
is available as `mozilla/QuoVadis_Root_CA.crt'.
* Do not redirect c_rehash error messages to /dev/null.
(Closes: #495224)
* Remove dangling symlinks on purge, which also gets rid of the hash
symlink for ca-certificates.crt. (Closes: #475240)
* Use subshells when grepping for certificates in config, avoiding
SIGPIPE because of grep's immediate exit after it finds the pattern.
(Closes: #486737)
* Fix VERBOSE_ARG usage in update-ca-certificates. Thanks to
Robby Workman of Slackware.
* Updated Standards-Version and FSF portal address in the copyright file.
-- Philipp Kern <pkern@debian.org> Wed, 08 Jul 2009 23:19:56 +0200
ca-certificates (20090701) unstable; urgency=low
* Reactivated "Equifax Secure Global eBusiness CA". (Closes: #534674)
Rationale: The rogue collision CA has its validity period in the past.
Thus it does not impose a risk upon us at the moment.
* Restrict search for local certificates to add on files ending with '.crt'.
* Canonicalize PEM names by applying the same set of substitions to
local and other certificates like the Mozilla certdata dumper does.
-- Philipp Kern <pkern@debian.org> Wed, 01 Jul 2009 14:50:00 +0200
ca-certificates (20090624) unstable; urgency=low
* Allow local certificate installation. All certificates found
in `/usr/local/share/ca-certificates' will be automatically added
to the list of trusted certificates in `/etc/ssl/certs'.
(Closes: #352637, #419491, #473677, #476663, #511150)
* Updated Mozilla certificates from nss 3.12.3-1 (certdata.txt revision
1.51):
+ COMODO ECC Certification Authority
+ DigiNotar Root CA
+ Network Solutions Certificate Authority
+ WellsSecure Public Root Certificate Authority
- Equifax Secure Global eBusiness CA
- UTN USERFirst Object Root CA
* Reimplemented the Mozilla certdata parser mainly to exclude explicitly
untrusted certificates. This led to the exclusion of the
"MD5 Collisions Forged Rogue CA 23c3" and its parent
"Equifax Secure Global eBusiness CA". Furthermore code signing-only
certificates are no longer included neither.
* Remove the purging of old PEM files in postinst dating back to
versions earlier than 20030414.
* Hooks are now called at every invocation of `update-ca-certificates'.
If no changes were done to `/etc/ssl/certs', the input for the
hooks will be empty, though. Failure exit codes of hooks will not
tear down the upgrade process anymore. They are printed but ignored.
-- Philipp Kern <pkern@debian.org> Wed, 24 Jun 2009 21:04:08 +0200
ca-certificates (20081127) unstable; urgency=low
* Remove /etc/ssl{,/certs} in postrm to please piuparts. (Closes:
#454334)
-- Philipp Kern <pkern@debian.org> Thu, 27 Nov 2008 19:13:17 +0100
ca-certificates (20080809) unstable; urgency=low
* New cacert.org.pem joining both CACert Class 1 and Class 3 certificates.
This file can be used for proper certificate chaining if CACert
server certificates are used. The old class3.pem and root.pem
certificates are deprecated. This new file could safely serve as
a replacement for both. (Closes: #494343)
* This also reintroduces the old name for the CACert certificate,
thus closing a long-standing bug about its rename to root.crt.
(Closes: #413766)
-- Philipp Kern <pkern@debian.org> Sat, 09 Aug 2008 14:58:24 -0300
ca-certificates (20080617) unstable; urgency=low
* Added French Government's IGC/A CA (both DSA and RSA).
(Closes: #416470)
-- Philipp Kern <pkern@debian.org> Mon, 23 Jun 2008 20:55:53 +0200
ca-certificates (20080616) unstable; urgency=low
* Fix installation on pt_BR locales. The problem was caused by the
.templates choices strings being marked for translation, with pt_BR
being the only language which actually translated them. Thanks to
Ubuntu for the fix, which needs to be around until Lenny is released
or six months have passed, whichever is later. (Closes: #472507)
* Drop Fumitoshi from the list of maintainers. Farewell!
* Bump Standards-Version to 3.8.0.
-- Philipp Kern <pkern@debian.org> Mon, 16 Jun 2008 17:41:50 +0200
ca-certificates (20080514) unstable; urgency=medium
* Added the new SPI CA certificate, created in response to the latest
openssl security update.
* Removed old SPI CA certificates (2006, 2007) as CAs cannot be
revoked sensibly. Expired CA created in 2003, expired in 2007 left
around for reference.
* Updated the Galician translation, thanks to Glennie Vignarajah.
(Closes: #416470)
-- Philipp Kern <pkern@debian.org> Wed, 14 May 2008 10:03:42 +0200
ca-certificates (20080411) unstable; urgency=low
* Added the current SPI CA certificate, used by Debian's infrastructure.
* Added Deutsche Telekom Root CA 2, which is used by German institutions
through the DFN PKI.
* Updated mozilla certificates from trunk, which led to the following
adds (+) and removes (-):
+ Camerfirma Chambers of Commerce Root
+ Camerfirma Global Chambersign Root
+ Certplus Class 2 Primary CA
+ COMODO Certification Authority
+ DigiCert Assured ID Root CA
+ DigiCert Global Root CA
+ DigiCert High Assurance EV Root CA
+ DST ACES CA X6
+ DST Root CA X3
+ Entrust Root Certification Authority
+ Firmaprofesional Root CA
+ GeoTrust Global CA 2
+ GeoTrust Primary Certification Authority
+ GeoTrust Universal CA
+ GeoTrust Universal CA 2
+ GlobalSign Root CA - R2
+ Go Daddy Class 2 CA
+ NetLock Business (Class B) Root
+ NetLock Express (Class C) Root
+ NetLock Notary (Class A) Root
+ NetLock Qualified (Class QA) Root
+ QuoVadis Root CA 2
+ QuoVadis Root CA 3
+ Secure Global CA
+ SecureTrust CA
+ Starfield Class 2 CA
+ StartCom Certification Authority
+ StartCom Ltd.
+ Swisscom Root CA 1
+ SwissSign Gold CA - G2
+ SwissSign Platinum CA - G2
+ SwissSign Silver CA - G2
+ Taiwan GRCA
+ thawte Primary Root CA
+ TURKTRUST Certificate Services Provider Root 1
+ TURKTRUST Certificate Services Provider Root 2
+ VeriSign Class 3 Public Primary Certification Authority - G5
+ Wells Fargo Root CA
+ XRamp Global CA Root
- Verisign Class 1 Public Primary OCSP Responder
- Verisign Class 2 Public Primary OCSP Responder
- Verisign Class 3 Public Primary OCSP Responder
- Verisign Secure Server OCSP Responder
(Closes: #447062, #456581)
* Updated the Russian debconf translation, thanks to Mikhail Gusarov.
(Closes: #434856)
* Reworded the description and made it static to ease translations.
* Reworded and amended README.Debian.
* Added myself to the uploaders of this package.
* Applied a patch by Martin F. Krafft to support hooks scripts
on add/remove of a certificate. (Closes: #377314)
-- Philipp Kern <pkern@debian.org> Sat, 12 Apr 2008 17:35:26 +0200
ca-certificates (20070303-0.1) unstable; urgency=low
* Non-maintainer upload to fix longstanding pending l10n issues.
* Debconf templates and debian/control reviewed by the debian-l10n-
english team as part of the Smith review project.
Closes: #432249, #434789
* Debconf translation updates:
- Japanese. Closes:#433067
- Basque. Closes: #433074
- Spanish. Closes: #433078
- Czech. Closes: #433100
- Galician. Closes: #433215
- Russian. Closes: #433224
- Swedish. Closes: #433432
- Vietnamese. Closes: #433792, #427000, #434992
- Dutch. Closes: #434670
- German. Closes: #434788
- Italian. Closes: #435029
* Portuguese. Closes: #435471
* Finnish. Closes: #448826
* Remove /etc/ssl when purging the package (only if that
directory is empty). Closes: #454334
* [Lintian] Give a reference to the GPL text in debian/copyright
* [Lintian] No longer ignore errors from "make clean"
* [Lintian] Upgrade debhelper compatibility to 4 (with debian/compat).
-- Christian Perrier <bubulle@debian.org> Thu, 14 Feb 2008 19:52:37 +0100
ca-certificates (20070303) unstable; urgency=low
* Add debconf.org crt. closes: Bug#342088
* Add cacert class3 crt. closes: Bug#350282
* Add debian/po/pt.po. closes: Bug#408183
* Update debian/po/ru.po. closes: Bug#410770
* Update debian/po/pt_BR.po. closes: Bug#403824
* Add debian/po/gl.po. closes: Bug#407951
-- Fumitoshi UKAI <ukai@debian.or.jp> Sun, 4 Mar 2007 14:12:23 +0900
ca-certificates (20061027.2) unstable; urgency=low
* Non-maintainer upload to fix an RC issue revealed by the last NMU.
* Avoid cd to /etc/ssl/certs to removing hash symlinks
Closes: #408469
-- Christian Perrier <bubulle@debian.org> Fri, 2 Feb 2007 07:23:27 +0100
ca-certificates (20061027.1) unstable; urgency=low
* Non-maintainer upload to fix remaining l10n issues
* Debconf translation updates:
- Czech. Closes: #407807
- Spanish. Closes: #401968
- German. Closes: #396942
* Add debconf-updatepo to the clean target in debian/rules
to guarantee up-to-date PO(T) files
-- Christian Perrier <bubulle@debian.org> Mon, 22 Jan 2007 18:56:53 +0100
ca-certificates (20061027) unstable; urgency=low
* sbin/update-ca-certificates:
in fresh mode, rm symlinks only point to /usr/share/ca-certificates.
preserve other symlinks. closes: Bug#387089
* debian/po/nl.po: updated
closes: Bug#386767
* debian/po/fr.po: updated
closes: Bug#386806
* debian/po/da.po: updated
closes: Bug#388018
-- Fumitoshi UKAI <ukai@debian.or.jp> Sat, 28 Oct 2006 02:28:50 +0900
ca-certificates (20060816) unstable; urgency=low
* debian/control: explicitly mention that trustworthiness of certificate
authorities is not evaluated.
closes: Bug#350726
* debian/templates: refine messages
closes: Bug#309481
* debian/postinst: remove tailing spaces to avoid unnecessary dpkg-old file.
closes: Bug#349346
* debian/control: libssl0.9.7->libssl0.9.8
closes: Bug#345197
* debian/postrm: remove .dpkg-old files
closes: Bug#349351
* debian/README.Debian: fix
closes: Bug#354509
* debian/postinst: fix typo
closes: Bug#355271
* debian/po/sv.po: added
closes: Bug#330984
* debian/po/es.po: added
closes: Bug#334383
* add new SPI CA certificate
submitted by Michael C. Schultheiss <schultmc@debian.org>
-- Fumitoshi UKAI <ukai@debian.or.jp> Thu, 17 Aug 2006 13:12:27 +0900
ca-certificates (20050804) unstable; urgency=low
* use ${misc:Depends} in debian/control for debconf
* update description in debian/control
closes: Bug#309547
* update debian/po/vi.po
closes: Bug#313186
* update debian/po/de.po
closes: Bug#313678
-- Fumitoshi UKAI <ukai@debian.or.jp> Thu, 4 Aug 2005 01:29:38 +0900
ca-certificates (20050518) unstable; urgency=high
* fix ca-certificates.crt generationumask-sensitive and racy
closes: Bug#296212
* update mozilla/certdata.txt
add: "Certum Root CA", "Comodo AAA Services root"
"Comodo Secure Services root",
"Comodo Trusted Services root",
"IPS Chained CAs root", "IPS CLASE1 root", "IPS CLASE3 root",
"IPS CLASEA1 root", "IPS CLASEA3 root", "IPS Servidores root"
"IPS Timestamping root",
"QuoVadis Root CA",
"Security Communication Root CA",
"Sonera Class 1 Root CA", "Sonera Class 2 Root CA",
"Staat der Nederlanden Root CA",
"TDC Internet Root CA", "TDC OCES Root CA",
"UTN DATACorp SGC Root CA", "UTN USERFirst Email Root CA",
"UTN USERFirst Hardware Root CA", "UTN USERFirst Object Root CA"
* add CACert.org's Root CA
closes: Bug#213086, Bug#288293
* add debian/po/vi.po
closes: Bug#309480
* add debian/po/cs.po
closes: Bug#309019
* write "How certificate will be accepted in ca-certificates package"
in README.Debain
-- Fumitoshi UKAI <ukai@debian.or.jp> Wed, 18 May 2005 00:40:54 +0900
ca-certificates (20040809) unstable; urgency=low
* previous version was not fixed Bug#255933 correctly.
update-ca-certificates now remove symlinks of deselected entries
in ca-certificates.conf
closes: Bug#255933
-- Fumitoshi UKAI <ukai@debian.or.jp> Mon, 9 Aug 2004 03:23:20 +0900
ca-certificates (20040808) unstable; urgency=low
* run update-ca-certificates by /bin/sh -e
closes: Bug#247581
* update-ca-certificates remove symlinks of deselected entries
in ca-certificates.conf
closes: Bug#255933
* change default of trust_new_crts from 'ask' to 'yes'
closes: Bug#218838, Bug#221527, Bug#236675, Bug#247509
* refer libssl0.9.7 instead of libssl0.9.6 in Enhances:
closes: Bug#251158
* add brasil.gov.br certs
closes: Bug#224612
* add Signet CA Roots certs
closes: Bug#233206
* add QuoVadis CA Roots certs
closes: Bug#250847
* update pt_BR.po
closes: Bug#218812
* add da.po
closes: Bug#235322
* add ca.po
closes: Bug#237124
* add nl.po
closes: Bug#23840
* add de.po
closes: Bug#250785
* fix quote characters in template
closes: Bug#255738
* remove debian.org, because certs used in db.debian.org has been
revoked due to debian.org crack incidents.
db.debian.org uses certificates using spi-inc.org Root CA.
-- Fumitoshi UKAI <ukai@debian.or.jp> Sun, 8 Aug 2004 10:58:30 +0900
ca-certificates (20031007.1) unstable; urgency=low
* NMU
* Add brasil.gov.br/brasil.gov.br.crt, created from
http://www.icpbrasil.gov.br/certificadoACRaiz.crt
* Add debian/po/pt_BR.po: closes: Bug#224612
-- Otavio Salvador <otavio@debian.org> Thu, 5 Aug 2004 12:16:26 -0300
ca-certificates (20031007) unstable; urgency=low
* add debian/po/ru.po: closes: Bug#214371
-- Fumitoshi UKAI <ukai@debian.or.jp> Tue, 7 Oct 2003 03:06:06 +0900
ca-certificates (20030924) unstable; urgency=low
* add debian/po/ja.po: closes: Bug#212565
-- Fumitoshi UKAI <ukai@debian.or.jp> Wed, 24 Sep 2003 22:09:09 +0900
ca-certificates (20030916) unstable; urgency=low
* add debian/po/fr.po: closes: Bug#211224, Bug#206769
* debian/config: if new cert is asked, don't ask all available certs
closes: Bug#211199
-- Fumitoshi UKAI <ukai@debian.or.jp> Wed, 17 Sep 2003 02:12:14 +0900
ca-certificates (20030915) unstable; urgency=low
* debian/config.in: fix typo. closes: Bug#190990
* add option for new CA certificates. closes: Bug#190989
* switch to gettext-based debconf templates. closes: Bug#205782
* update mozilla/certdata.txt from mozilla 1.4 release
-- Fumitoshi UKAI <ukai@debian.or.jp> Mon, 15 Sep 2003 01:15:04 +0900
ca-certificates (20030420) unstable; urgency=low
* add README.Debian and update-ca-certificates(8). closes: Bug#189604
* fix broken English in debconf template. closes: Bug#189606
* don't remove symlinks in /etc/ssl/certs. closes: Bug#189607
* preserve comments in /etc/ca-certificates.conf when upgrading.
closes: Bug#189611
-- Fumitoshi UKAI <ukai@debian.or.jp> Mon, 21 Apr 2003 00:06:01 +0900
ca-certificates (20030415) unstable; urgency=medium
* fix upgrade problem
closes: Bug#188938, Bug#188940
* purge debconf
-- Fumitoshi UKAI <ukai@debian.or.jp> Mon, 14 Apr 2003 23:00:58 +0900
ca-certificates (20030414) unstable; urgency=medium
* certificates are installed in /usr/share/ca-certificates
you can find md5sum of certs files. closes: Bug#170777
* debconf to generate /etc/ca-certificates.conf
* update-ca-certificates update /etc/ssl/certs according
/etc/ca-certificates.conf
It also generate /etc/ssl/certs/ca-certificates.crt
which is single-file version of certs.
closes: Bug#158904
* change extension from .pem to .crt in /usr/share/ca-certificates
- /etc/mime.types:
application/x-x509-ca-cert crt
but it will be hardlink or copied in /etc/ssl/certs with .pem
extension by update-ca-certificates.
c_rehash requires .pem extension
* Update certificate from mozilla 2:1.3-4
mozilla/security/nss/lib/ckfw/builtins/certdata.txt
cefd05b299ea683fc6b1ce9ff1e23a3f mozilla/certdata.txt
* Add spi-inc.org/spi-ca.crt from http://www.spi-inc.org/secretary/
33922a1660820e44812e7ddc392878cb spi-inc.org/spi-ca.crt
% openssl x509 -in spi-inc.org/spi-ca.crt -fingerprint -noout
MD5 Fingerprint=ED:85:3A:FD:32:43:13:73:91:4D:94:06:C4:10:EB:E5
-- Fumitoshi UKAI <ukai@debian.or.jp> Mon, 14 Apr 2003 00:02:48 +0900
ca-certificates (20020323) unstable; urgency=low
* Moved from non-US to main now that openssl has moved there.
-- Fumitoshi UKAI <ukai@debian.or.jp> Sun, 24 Mar 2002 03:11:54 +0900
ca-certificates (20020208) unstable; urgency=low
* add db.debian.org certificate
-- Fumitoshi UKAI <ukai@debian.or.jp> Fri, 8 Feb 2002 23:46:11 +0900
ca-certificates (20020112) unstable; urgency=low
* upload to non-US instead of main, because it depends on openssl
(it uses c_rehash in openssl in maintainer scripts)
-- Fumitoshi UKAI <ukai@debian.or.jp> Sun, 13 Jan 2002 04:30:28 +0900
ca-certificates (20020107) unstable; urgency=low
* Initial Release. closes: Bug#126586
-- Fumitoshi UKAI <ukai@debian.or.jp> Mon, 7 Jan 2002 21:16:51 +0900
|