-
ca-certificates (20240203) unstable; urgency=medium
[ Jeffrey Walton ]
* update-ca-certificates man page updates
* fix shellcheck warnings (closes: #1058658, #981663)
[ Gioele Barabucci ]
* Use standard dh sequence (closes: #1050112)
[ Julien Cristau ]
* Update Mozilla certificate authority bundle to version 2.64
The following certificate authorities were added (+):
+ Atos TrustedRoot Root CA ECC TLS 2021
+ Atos TrustedRoot Root CA RSA TLS 2021
+ BJCA Global Root CA1
+ BJCA Global Root CA2
+ CommScope Public Trust ECC Root-01
+ CommScope Public Trust ECC Root-02
+ CommScope Public Trust RSA Root-01
+ CommScope Public Trust RSA Root-02
+ Sectigo Public Server Authentication Root E46
+ Sectigo Public Server Authentication Root R46
+ SSL.com TLS ECC Root CA 2022
+ SSL.com TLS RSA Root CA 2022
+ TrustAsia Global Root CA G3
+ TrustAsia Global Root CA G4
The following certificate authorities were removed (-):
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- E-Tugra Certification Authority (closes: #1032916)
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- Hongkong Post Root CA 1
- TrustCor ECA-1
- TrustCor RootCert CA-1
- TrustCor RootCert CA-2 (closes: #1023945)
-- Julien Cristau <email address hidden> Sun, 04 Feb 2024 10:41:43 +0100
-
ca-certificates (20230311) unstable; urgency=medium
[ Đoàn Trần Công Danh ]
* ca-certificates: compat with non-GNU mktemp (closes: #1000847)
[ Ilya Lipnitskiy ]
* certdata2pem.py: use UTC time when checking cert validity
[ Julien Cristau ]
* Update Mozilla certificate authority bundle to version 2.60
The following certificate authorities were added (+):
+ "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+ "Certainly Root E1"
+ "Certainly Root R1"
+ "D-TRUST BR Root CA 1 2020"
+ "D-TRUST EV Root CA 1 2020"
+ "DigiCert TLS ECC P384 Root G5"
+ "DigiCert TLS RSA4096 Root G5"
+ "E-Tugra Global Root CA ECC v3"
+ "E-Tugra Global Root CA RSA v3"
+ "HARICA TLS ECC Root CA 2021"
+ "HARICA TLS RSA Root CA 2021"
+ "HiPKI Root CA - G1"
+ "ISRG Root X2"
+ "Security Communication ECC RootCA1"
+ "Security Communication RootCA3"
+ "Telia Root CA v2"
+ "TunTrust Root CA"
+ "vTrus ECC Root CA"
+ "vTrus Root CA"
The following certificate authorities were removed (-):
- "Cybertrust Global Root" (expired)
- "EC-ACC"
- "GlobalSign Root CA - R2" (expired)
- "Hellenic Academic and Research Institutions RootCA 2011"
- "Network Solutions Certificate Authority"
- "Staat der Nederlanden EV Root CA" (expired)
* Drop trailing space from debconf template causing misformatting
(closes: #980821)
[ Wataru Ashihara ]
* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244)
-- Julien Cristau <email address hidden> Sat, 11 Mar 2023 09:47:05 +0100
-
ca-certificates (20211016) unstable; urgency=low
[ Michael Shuler ]
* Fix error on install when TEMPBUNDLE missing. Closes: #996005
-- Julien Cristau <email address hidden> Sat, 16 Oct 2021 18:09:43 +0200
-
ca-certificates (20211004) unstable; urgency=low
[ Debian Janitor ]
* Fix day-of-week for changelog entry 20090624.
[ Julien Cristau ]
* Create temporary ca-certificates.crt on the same file system.
Closes: #923784
* Don't remove ca-certificates.crt before updating it, so it doesn't
go missing for a short while (closes: #920348). Thanks, Dimitris
Aragiorgis!
* Bump package priority from optional to standard.
* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
bundle to version 2.50
The following certificate authorities were added (+):
+ "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+ "GlobalSign Root R46"
+ "GlobalSign Root E46"
+ "GLOBALTRUST 2020"
+ "ANF Secure Server Root CA"
+ "Certum EC-384 CA"
+ "Certum Trusted Root CA"
The following certificate authorities were removed (-):
- "QuoVadis Root CA"
- "Sonera Class 2 Root CA"
- "GeoTrust Primary Certification Authority - G2"
- "VeriSign Universal Root Certification Authority"
- "Chambers of Commerce Root - 2008"
- "Global Chambersign Root - 2008"
- "Trustis FPS Root CA"
- "Staat der Nederlanden Root CA - G3"
* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
* mozilla/certdata2pem.py: print a warning for expired certificates.
-- Julien Cristau <email address hidden> Thu, 07 Oct 2021 17:12:47 +0200
-
ca-certificates (20210119) unstable; urgency=medium
[ Julien Cristau ]
* New maintainer (closes: #976406)
* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
bundle to version 2.46.
The following certificate authorities were added (+):
+ "certSIGN ROOT CA G2"
+ "e-Szigno Root CA 2017"
+ "Microsoft ECC Root Certificate Authority 2017"
+ "Microsoft RSA Root Certificate Authority 2017"
+ "NAVER Global Root Certification Authority"
+ "Trustwave Global Certification Authority"
+ "Trustwave Global ECC P256 Certification Authority"
+ "Trustwave Global ECC P384 Certification Authority"
The following certificate authorities were removed (-):
- "EE Certification Centre Root CA"
- "GeoTrust Universal CA 2"
- "LuxTrust Global Root 2"
- "OISTE WISeKey Global Root GA CA"
- "Staat der Nederlanden Root CA - G2" (closes: #962079)
- "Taiwan GRCA"
- "Verisign Class 3 Public Primary Certification Authority - G3"
[ Michael Shuler ]
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596
The following root certificates were added back (+):
+ "GeoTrust Primary Certification Authority - G2"
+ "VeriSign Universal Root Certification Authority"
[ Gianfranco Costamagna ]
* debian/{rules,control}:
Merge Ubuntu patch from Matthias Klose to use Python3 during build.
Closes: #942915
-- Julien Cristau <email address hidden> Tue, 19 Jan 2021 11:11:04 +0100
-
ca-certificates (20200601) unstable; urgency=medium
* debian/control:
Set Standards-Version: 4.5.0.2
Set Build-Depends: debhelper-compat (= 13)
* debian/copyright:
Replace tabs in license text
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.40.
Closes: #956411, #955038
* mozilla/blacklist.txt
Add distrusted Symantec CA list to blacklist for explicit removal.
Closes: #911289
Blacklist expired root certificate, "AddTrust External Root"
Closes: #961907
The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"
The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"
-- Michael Shuler <email address hidden> Mon, 01 Jun 2020 11:45:49 -0500
-
ca-certificates (20200601~deb10u2) buster; urgency=medium
[ Julien Cristau ]
* New maintainer (see #976406)
[ Michael Shuler ]
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596, #968002.
The following root certificates were added back (+):
+ "GeoTrust Global CA"
+ "GeoTrust Primary Certification Authority"
+ "GeoTrust Primary Certification Authority - G2"
+ "GeoTrust Primary Certification Authority - G3"
+ "GeoTrust Universal CA"
+ "thawte Primary Root CA"
+ "thawte Primary Root CA - G2"
+ "thawte Primary Root CA - G3"
+ "VeriSign Class 3 Public Primary Certification Authority - G4"
+ "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "VeriSign Universal Root Certification Authority"
Note: due to bug #743339, CA certificates added back in this version
won't automatically be trusted again on upgrade. Affected users may
need to reconfigure the package to restore the desired state.
-- Julien Cristau <email address hidden> Thu, 28 Jan 2021 13:01:43 +0100
-
ca-certificates (20200601~deb10u1) buster; urgency=medium
* Rebuild for buster.
* Merge changes from 20200601
- d/control; set d/gbp.conf branch to debian-buster
* This release updates the Mozilla CA bundle to 2.40, blacklists
distrusted Symantec roots, and blacklists expired "AddTrust External
Root". Closes: #956411, #955038, #911289, #961907
-- Michael Shuler <email address hidden> Wed, 03 Jun 2020 13:09:34 -0500
-
ca-certificates (20190110) unstable; urgency=high
* debian/control:
Depend on openssl (>= 1.1.1).
Set Standards-Version: 4.3.0.1.
Set Build-Depends: debhelper-compat (= 12); drop d/compat
Remove trailing whitespace from d/changelog.
* debian/ca-certificates.postinst:
Fix permissions on /usr/local/share/ca-certificates when using symlinks.
Closes: #916833
* sbin/update-ca-certificates:
Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl
rehash` from exiting with an error. Closes: #895482, #895473
This will also fix removal of user CA certificates from /usr/local without
needing to run --fresh. Closes: #911303
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.28.
The following certificate authorities were added (+):
+ "GlobalSign Root CA - R6"
+ "OISTE WISeKey Global Root GC CA"
The following certificate authorities were removed (-):
- "Certplus Root CA G1"
- "Certplus Root CA G2"
- "OpenTrust Root CA G1"
- "OpenTrust Root CA G2"
- "OpenTrust Root CA G3"
- "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
- "Visa eCommerce Root"
-- Michael Shuler <email address hidden> Thu, 10 Jan 2019 19:31:31 -0600
-
ca-certificates (20180409) unstable; urgency=medium
[ Michael Shuler ]
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.22.
The following certificate authorities were added (+):
+ "GDCA TrustAUTH R5 ROOT"
+ "SSL.com EV Root Certification Authority ECC"
+ "SSL.com EV Root Certification Authority RSA R2"
+ "SSL.com Root Certification Authority ECC"
+ "SSL.com Root Certification Authority RSA"
+ "TrustCor ECA-1"
+ "TrustCor RootCert CA-1"
+ "TrustCor RootCert CA-2"
The following certificate authorities were removed (-):
- "ACEDICOM Root"
- "AddTrust Low-Value Services Root"
- "AddTrust Public Services Root"
- "AddTrust Qualified Certificates Root"
- "CA Disig Root R1"
- "CNNIC ROOT"
- "Camerfirma Chambers of Commerce Root"
- "Camerfirma Global Chambersign Root"
- "Certinomis - Autorité Racine"
- "Certum Root CA"
- "China Internet Network Information Center EV Certificates Root"
- "Comodo Secure Services root"
- "Comodo Trusted Services root"
- "DST ACES CA X6"
- "GeoTrust Global CA 2"
- "PSCProcert"
- "Security Communication EV RootCA1"
- "Swisscom Root CA 1"
- "Swisscom Root CA 2"
- "Swisscom Root EV CA 2"
- "TURKTRUST Certificate Services Provider Root 2007"
- "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
- "UTN USERFirst Hardware Root CA"
* mozilla/blacklist.txt
Update blacklist to remove certificates no longer in certdata.txt and
explicitly ignore distrusted certificates.
* debian/copyright:
Fix lintian insecure-copyright-format-uri with https URL.
* debian/changelog:
Fix lintian file-contains-trailing-whitespace.
* debian/{compat,control}:
Set to debhelper compat 11.
* Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
usage of `c_rehash` script. Closes: #895075
[ Thijs Kinkhorst ]
* Remove Christian Perrier from uploaders at his request (closes: #894070).
* Checked for policy 4.1.4, no changes.
-- Michael Shuler <email address hidden> Mon, 09 Apr 2018 18:43:49 -0500
-
ca-certificates (20170717) unstable; urgency=medium
* Update to Standards-Version: 4.0.1
* debian/ca-certificates.postinst:
Prevent postinst failure on read-only /usr/local. Closes: #843722
* mozilla/certdata2pem.py:
Remove email-only roots from mozilla trust store. Closes: #721976
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.14.
Closes: #858064
The following certificate authorities were added (+):
+ "AC RAIZ FNMT-RCM"
+ "Amazon Root CA 1"
+ "Amazon Root CA 2"
+ "Amazon Root CA 3"
+ "Amazon Root CA 4"
+ "D-TRUST Root CA 3 2013"
+ "LuxTrust Global Root 2"
+ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
The following certificate authorities were removed (-):
- "AC Raiz Certicamara S.A."
- "ApplicationCA - Japanese Government"
- "Buypass Class 2 CA 1"
- "ComSign CA"
- "EBG Elektronik Sertifika Hizmet Saglayicisi"
- "Equifax Secure CA"
- "Equifax Secure eBusiness CA 1"
- "Equifax Secure Global eBusiness CA"
- "IGC/A"
- "Juur-SK"
- "Microsec e-Szigno Root CA"
- "Root CA Generalitat Valenciana"
- "RSA Security 2048 v3"
- "S-TRUST Authentication and Encryption Root CA 2005 PN"
- "S-TRUST Universal Root CA"
- "SwissSign Platinum CA - G2"
- "TC TrustCenter Class 3 CA II"
- "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
- "UTN USERFirst Email Root CA"
- "Verisign Class 1 Public Primary Certification Authority"
- "Verisign Class 1 Public Primary Certification Authority - G3"
- "Verisign Class 2 Public Primary Certification Authority - G2"
- "Verisign Class 2 Public Primary Certification Authority - G3"
- "Verisign Class 3 Public Primary Certification Authority"
- "WellsSecure Public Root Certificate Authority"
-- Michael Shuler <email address hidden> Thu, 20 Jul 2017 00:18:08 -0500
-
ca-certificates (20161130+nmu1+deb9u1) stretch; urgency=medium
* debian/ca-certificates.postinst:
Prevent postinst failure on read-only /usr/local. Closes: #843722
* debian/control:
Remove Christian Perrier from uploaders at his request. Closes: #894070
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.22.
Closes: #858064
The following certificate authorities were added (+):
+ "AC RAIZ FNMT-RCM"
+ "Amazon Root CA 1"
+ "Amazon Root CA 2"
+ "Amazon Root CA 3"
+ "Amazon Root CA 4"
+ "D-TRUST Root CA 3 2013"
+ "GDCA TrustAUTH R5 ROOT"
+ "LuxTrust Global Root 2"
+ "SSL.com EV Root Certification Authority ECC"
+ "SSL.com EV Root Certification Authority RSA R2"
+ "SSL.com Root Certification Authority ECC"
+ "SSL.com Root Certification Authority RSA"
+ "Symantec Class 1 Public Primary Certification Authority - G4"
+ "Symantec Class 1 Public Primary Certification Authority - G6"
+ "Symantec Class 2 Public Primary Certification Authority - G4"
+ "Symantec Class 2 Public Primary Certification Authority - G6"
+ "TrustCor ECA-1"
+ "TrustCor RootCert CA-1"
+ "TrustCor RootCert CA-2"
+ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
The following certificate authorities were removed (-):
- "ACEDICOM Root"
- "AddTrust Public Services Root"
- "AddTrust Qualified Certificates Root"
- "ApplicationCA - Japanese Government"
- "Buypass Class 2 CA 1"
- "CA Disig Root R1"
- "Certinomis - Autorité Racine"
- "China Internet Network Information Center EV Certificates Root"
- "CNNIC ROOT"
- "Comodo Secure Services root"
- "Comodo Trusted Services root"
- "DST ACES CA X6"
- "EBG Elektronik Sertifika Hizmet Saglayicisi"
- "Equifax Secure CA"
- "Equifax Secure eBusiness CA 1"
- "Equifax Secure Global eBusiness CA"
- "GeoTrust Global CA 2"
- "IGC/A"
- "Juur-SK"
- "Microsec e-Szigno Root CA"
- "PSCProcert"
- "Root CA Generalitat Valenciana"
- "RSA Security 2048 v3"
- "Security Communication EV RootCA1"
- "S-TRUST Authentication and Encryption Root CA 2005 PN"
- "Swisscom Root CA 1"
- "Swisscom Root EV CA 2"
- "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
- "TURKTRUST Certificate Services Provider Root 2007"
- "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
- "UTN USERFirst Hardware Root CA"
- "Verisign Class 1 Public Primary Certification Authority"
- "Verisign Class 2 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"
- "WellsSecure Public Root Certificate Authority"
-- Michael Shuler <email address hidden> Sat, 07 Jul 2018 01:08:40 +0200
-
ca-certificates (20161130+nmu1) unstable; urgency=medium
* Non-maintainer upload.
* Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
now untrusted by the major browser vendors. Closes: #858539
-- Chris Lamb <email address hidden> Fri, 19 May 2017 16:53:16 +0200
-
ca-certificates (20161130) unstable; urgency=medium
[ Philipp Kern ]
* Add ca-certificates udeb package. Closes: #845456
[ Michael Shuler ]
* debian/{compat,control}:
Update to compat level 10 and debhelper (>= 10)
Shorten package description.
* debian/po/id.po
Update Indonesian debconf translation file for build time line reorder
-- Michael Shuler <email address hidden> Wed, 30 Nov 2016 21:20:53 -0600
-
ca-certificates (20161102) unstable; urgency=medium
[ Michael Shuler ]
* debian/control:
Update to Standards-Version: 3.9.8
Update to Vcs-Browser/Vcs-Git: https URLs
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.9.
Thanks for the initial 2.7 patch, Jonathan Wiltshire. Closes: #828845
The following certificate authorities were added (+):
+ "Certplus Root CA G1"
+ "Certplus Root CA G2"
+ "Certum Trusted Network CA 2"
+ "Hellenic Academic and Research Institutions ECC RootCA 2015"
+ "Hellenic Academic and Research Institutions RootCA 2015"
+ "ISRG Root X1"
+ "OpenTrust Root CA G1"
+ "OpenTrust Root CA G2"
+ "OpenTrust Root CA G3"
+ "SZAFIR ROOT CA2"
The following certificate authorities were removed (-):
- "CA Disig"
- "NetLock Business (Class B) Root"
- "NetLock Express (Class C) Root"
- "NetLock Notary (Class A) Root"
- "NetLock Qualified (Class QA) Root"
- "Sonera Class 1 Root CA"
- "Staat der Nederlanden Root CA"
- "Verisign Class 1 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"
- "Verisign Class 3 Public Primary Certification Authority - G2"
[ Andreas Beckmann ]
* debian/postinst:
Run update-certificates without hooks to initially populate
/etc/ssl/certs. (The hooks are deferred to the noawait trigger.)
Closes: #825730
[ Izharul Haq ]
* debian/po/id.po:
Add Indonesian debconf translation. Thank you, Izharul! Closes: #835156
-- Michael Shuler <email address hidden> Wed, 02 Nov 2016 21:15:03 -0500
-
ca-certificates (20160104) unstable; urgency=medium
* debian/rules:
Sort certificate list for reproducible builds. Closes: #808711
* mozilla/certdata2pem.py:
Drop old CK*_NETSCAPE trust flag checks
-- Michael Shuler <email address hidden> Mon, 04 Jan 2016 11:08:26 -0600
-
ca-certificates (20151214) unstable; urgency=medium
* Removed SPI CA. Closes: #796208
* debian/{compat,control}:
Updated d/compat to version 9 and updated Build-Depends.
* debian/postinst:
Handle /usr/local/share/ca-certificates permissions and ownership on
upgrade. Closes: #611501
* mozilla/certdata2pem.py:
Add Python 3 support to ca-certificates.
Thanks to Andrew Wilcox and Richard Ipsum for the patch! Closes: #789753
* sbin/update-ca-certificates:
Update local certificates directory when calling --fresh.
Thanks for the patch, Daniel Lutz! Closes: #783615
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.6.
The following certificate authorities were added (+):
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ "Certinomis - Root CA"
+ "OISTE WISeKey Global Root GB CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
The following certificate authorities were removed (-):
- "A-Trust-nQual-03"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
-- Michael Shuler <email address hidden> Mon, 14 Dec 2015 18:51:50 -0600
-
ca-certificates (20150426) unstable; urgency=medium
* debian/postinst:
Set mode and group of /usr/local/share/ca-certificates based on current
/usr/local permissions and ownership. Closes: #611501
* sbin/update-ca-certificates:
Allow customisation of the paths used by update-ca-certificates.
Add an option to set the certs in a directory to the defaults.
Thanks for the patches, Paul Wise. Closes: #774059, #774201
Fix shellcheck warnings and a little indentation.
* sbin/update-ca-certificates.8:
Correct concatenated file name in man page from certificates.crt to
ca-certificates.crt. Closes: #782230
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.4.
The following certificate authorities were added (+):
+ "CFCA EV ROOT"
+ "COMODO RSA Certification Authority"
+ "Entrust Root Certification Authority - EC1"
+ "Entrust Root Certification Authority - G2"
+ "GlobalSign ECC Root CA - R4"
+ "GlobalSign ECC Root CA - R5"
+ "IdenTrust Commercial Root CA 1"
+ "IdenTrust Public Sector Root CA 1"
+ "S-TRUST Universal Root CA"
+ "Staat der Nederlanden EV Root CA"
+ "Staat der Nederlanden Root CA - G3"
+ "USERTrust ECC Certification Authority"
+ "USERTrust RSA Certification Authority" Closes: #762709
The following certificate authorities were removed (-):
- "America Online Root Certification Authority 1"
- "America Online Root Certification Authority 2"
- "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
- "GTE CyberTrust Global Root"
- "Thawte Premium Server CA"
- "Thawte Server CA"
-- Michael Shuler <email address hidden> Sun, 26 Apr 2015 10:37:48 -0500
-
ca-certificates (20141019) unstable; urgency=medium
* debian/copyright:
Add coverage for all files reported by lintian
file-without-copyright-information warning.
* debian/source/lintian-overrides:
Add file-without-copyright-information override for SPI certificate file.
* sbin/update-ca-certificates:
Restore SELinux label after generating ca-certificates.crt file.
Thanks to Laurent Bigonville for the patch. Closes: #742957
Tidy indentation whitespace.
Thanks to Antonio Terceiro for the patch. Closes: #742663
* debian/control:
Update to Standards-Version: 3.9.6 (no other changes needed).
Update Vcs-Browser link to cgit URL.
-- Michael Shuler <email address hidden> Sun, 19 Oct 2014 10:36:49 -0500
-
ca-certificates (20140927) unstable; urgency=medium
* Update Mozilla certificate authority bundle to version 2.1.
The following certificate authorities were added (+):
+ "DigiCert Assured ID Root G2"
+ "DigiCert Assured ID Root G3"
+ "DigiCert Global Root G2"
+ "DigiCert Global Root G3"
+ "DigiCert Trusted Root G4"
+ "QuoVadis Root CA 1 G3"
+ "QuoVadis Root CA 2 G3"
+ "QuoVadis Root CA 3 G3"
+ "WoSign"
+ "WoSign China"
The following certificate authorities were removed (-):
- "Entrust.net Secure Server CA"
- "RSA Root Certificate 1"
- "TDC Internet Root CA"
- "ValiCert Class 1 VA"
- "ValiCert Class 2 VA"
* Include clear list of CAs added/removed, as above, and include better note
in README.Debian for trust reconfiguration. Closes: #743365
* Remove debian/config in debian/rules clean target.
* Include d/{changelog,NEWS} entries in 20140223 for duplicate CKA_LABEL
rename of "StartCom Certification Authority"_2.
-- Michael Shuler <email address hidden> Sat, 27 Sep 2014 15:14:00 -0500
-
ca-certificates (20140325) unstable; urgency=medium
* Update mozilla/certdata.txt to version 1.97+revert_of_936304
Mozilla reverted the removal of 1024-bit root certificates for
Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not update the
version number in nssckbi.h.
Certificates added (+) (none removed):
+ "Entrust.net Secure Server CA"
+ "GTE CyberTrust Global Root"
+ "RSA Root Certificate 1"
+ "ValiCert Class 1 VA"
+ "ValiCert Class 2 VA"
-- Michael Shuler <email address hidden> Tue, 25 Mar 2014 13:28:19 -0500
-
ca-certificates (20140223) unstable; urgency=medium
* No longer ship cacert.org certificates. Closes: #718434, LP: #1258286
* Fix certdata2pem.py for multiple CAs using the same CKA_LABEL. Thanks
to Marc Deslauriers for the patch. Closes: #683403, LP: #1031333
* Sort local CA certificates on update-ca-certificates runs. Thanks to
Vaclav Ovsik for the suggestion and patch. Closes: #727136
* Add trailing newline to certificate, if it is missing. Closes: #635570
* Update mozilla/certdata.txt to version 1.97.
Certificates added (+), removed (-), and renamed (~):
+ "ACCVRAIZ1"
+ "Atos TrustedRoot 2011"
+ "E-Tugra Certification Authority"
+ "SG TRUST SERVICES RACINE"
+ "T-TeleSec GlobalRoot Class 2"
+ "TWCA Global Root CA"
+ "TeliaSonera Root CA v1"
+ "Verisign Class 3 Public Primary Certification Authority"
~ "Verisign Class 3 Public Primary Certification Authority"_2
(both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
- "Entrust.net Secure Server CA"
- "Firmaprofesional Root CA"
- "GTE CyberTrust Global Root"
- "RSA Root Certificate 1"
- "TDC OCES Root CA"
- "ValiCert Class 1 VA"
- "ValiCert Class 2 VA"
- "Wells Fargo Root CA"
-- Michael Shuler <email address hidden> Sun, 23 Feb 2014 23:22:29 -0600
-
ca-certificates (20130906) unstable; urgency=low
* Add ca-certificates-local source package example to documentation
* Update local certificate handling in README.Debian.
Closes: #718173, LP: #487845
* Update CA inclusion policy for ca-certificates in README.Debian. With
the exception of SPI and CAcert, only those CAs included in Mozilla's
trust store will be included in ca-certificates in Debian.
Closes: #647848, LP: #103074
* Clarify that not all software that uses SSL uses ca-certificates in
README.Debian. Closes: #664769
* Add mozilla/nssckbi.h to source, since certdata.txt no longer contains
a version number.
* Update debian/copyright to "Copyright: Mozilla Contributors" for
mozilla/{certdata.txt,nssckbi.h}.
* Update mozilla/certdata.txt to version 1.94
Certificates added (+) and removed (-):
+ "CA Disig Root R1"
+ "CA Disig Root R2"
+ "China Internet Network Information Center EV Certificates Root"
+ "D-TRUST Root Class 3 CA 2 2009"
+ "D-TRUST Root Class 3 CA 2 EV 2009"
+ "PSCProcert"
+ "Swisscom Root CA 2"
+ "Swisscom Root EV CA 2"
+ "TURKTRUST Certificate Services Provider Root 2007"
- "Equifax Secure eBusiness CA 2"
- "TC TrustCenter Universal CA III"
-- Michael Shuler <email address hidden> Fri, 06 Sep 2013 11:31:06 -0500
-
ca-certificates (20130610) unstable; urgency=low
[ Michael Shuler ]
* Install CAcert root and class3 certificates individually, no longer
installing the concatenation of the two. The individual certificates
are installed as cacert.org_root.crt and cacert.org_class3.crt for ease
of identification. Additionally, this allows openssl maintainers to drop
a problematic patch to c_rehash for handling multi-certificate files.
(see #642314) Closes: #692323
* Update Vcs-* fields for lintian vcs-field-not-canonical
* Update to machine-readable debian/copyright file v1.0
[ Thijs Kinkhorst ]
* Drop upgrading code for upgrades from Debian Etch and earlier.
* Remove obsolete debconf.org CA certificate. DebConf now uses an
intermediate certificate signed by SPI. (Closes: #693405)
* Remove obsolete SPI CA certiticate.
* Update Standards-Version: 3.9.4 (no changes needed)
* Clean up man page (LP#: 850997).
-- Thijs Kinkhorst <email address hidden> Mon, 10 Jun 2013 19:52:15 +0200
-
ca-certificates (20130119) unstable; urgency=low
* Update mozilla/certdata.txt to version 1.87 Closes: #697366
Certificates removed (-) (none added):
- "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
* Remove unneeded and confusing usage of interest-noawait; remove unneeded
Pre-Depends on dpkg. Thanks to Guillem Jover for the help and patch.
Closes: #537051
-- Michael Shuler <email address hidden> Sat, 19 Jan 2013 14:02:09 -0600
-
ca-certificates (20121114) unstable; urgency=low
[ Don Armstrong ]
* Breaks ca-certificates-java (<<20121112+nmu1); partially fixing #537051.
* Provide update-ca-certificates and update-ca-certificates-fresh
triggers.
* Call the triggers using no-await so that the configuration files from
the newer version of ca-certificates-java are in places before the
upgrade. Closes: #537051.
[ Michael Shuler ]
* Add note to previous mozilla/certdata.txt changelog entry to document
CKT_NSS_MUST_VERIFY_TRUST changes.
-- Michael Shuler <email address hidden> Wed, 14 Nov 2012 23:58:59 -0600
-
ca-certificates (20121105) unstable; urgency=low
* Update mozilla/certdata.txt to version 1.86 Closes: #683728
Certificates added (+) (none removed):
+ "Actalis Authentication Root CA"
+ "Trustis FPS Root CA"
+ "StartCom Certification Authority" (renewal/rehash)
+ "StartCom Certification Authority G2"
+ "Buypass Class 2 Root CA"
+ "Buypass Class 3 Root CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
+ "T-TeleSec GlobalRoot Class 3"
+ "EE Certification Centre Root CA"
* Correct piuparts package remove/purge behavior Closes: #682125
- Remove deletes of /etc/ssl{,/certs} from debian/postrm
-- Michael Shuler <email address hidden> Mon, 05 Nov 2012 10:56:05 -0600
-
ca-certificates (20120623) unstable; urgency=low
* Add Polish translation, thanks to Michał Kułach. Closes: #660002
* Add Turkish translation, thanks to Atila KOÇ. Closes: #661785
* Correct update-ca-certificates(8) alignment Closes: #666932
* Add note to update-ca-certificates(8) about .crt extension needed for
CA certificates in /usr/local/share/ca-certificates Closes: #595279
* Update mozilla/certdata.txt to version 1.83
Mozilla Public License updated to v2.0
(no added/removed CAs)
* Update debian/copyright to:
- reflect MPL v2.0 update for mozilla/certdata.txt
- specify GPL-2 instead of GPL symlink
* Update debian/NEWS with added/removed certs from 20111211 and 20120212
* Update to Standards-Version: 3.9.3 (no changes needed)
-- Michael Shuler <email address hidden> Sat, 23 Jun 2012 09:16:54 -0500
-
ca-certificates (20120212) unstable; urgency=low
* Update mozilla/certdata.txt to version 1.81
Certificates added (+) and removed (-):
+ "Security Communication RootCA2"
+ "EC-ACC"
+ "Hellenic Academic and Research Institutions RootCA 2011"
- "Verisign Class 2 Public Primary Certification Authority"
- "Verisign Class 4 Public Primary Certification Authority - G2"
- "TC TrustCenter, Germany, Class 2 CA"
- "TC TrustCenter, Germany, Class 3 CA"
* Add notice to README.Debian deprecating CA inclusions and refer to
#647848 for Debian CA Certificate Policy discussion.
-- Michael Shuler <email address hidden> Sun, 12 Feb 2012 15:12:59 -0600
-
ca-certificates (20111211) unstable; urgency=low
* Clarify CA audit note in package description and README.debian. Thanks
to C.J. Adams-Collier for the patch. Closes: #594383
* Remove French Government IGC/A CA certificates. The RSA certificate is
included in the Mozilla bundle and the DSA certificate is not in use.
Closes: #646767
* Remove expired signet.pl CAs. Closes: #647849
* Remove expired brasil.gov.br CA.
* Edit 20111025 changelog/NEWS entries to correctly list installed CAs
* Use 'set -e' in body of debian/postinst
* Update mozilla/certdata.txt to version 1.80
(no added/removed CAs)
* Update mozilla/certdata2pem.py to parse NETSCAPE or NSS data
-- Michael Shuler <email address hidden> Sun, 11 Dec 2011 19:05:32 -0600
-
ca-certificates (20111025) unstable; urgency=low
[ Michael Shuler ]
* Add 3.0 (native) source format
* Add Vcs-Git/Browser fields
* Add myself as new Maintainer with Uploaders Closes: #588219
* Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
Certificates added (+) and removed (-):
+ "AffirmTrust Commercial"
+ "AffirmTrust Networking"
+ "AffirmTrust Premium"
+ "AffirmTrust Premium ECC"
+ "A-Trust-nQual-03"
+ "Bogus Global Trustee"
+ "Bogus GMail"
+ "Bogus Google"
+ "Bogus kuix.de"
+ "Bogus live.com"
+ "Bogus Mozilla Addons"
+ "Bogus Skype"
+ "Bogus Yahoo 1"
+ "Bogus Yahoo 2"
+ "Bogus Yahoo 3"
+ "Certinomis - Autorité Racine"
+ "Certum Trusted Network CA"
+ "Explicitly Distrust DigiNotar Cyber CA"
+ "Explicitly Distrust DigiNotar Cyber CA 2nd"
+ "Explicitly Distrust DigiNotar Root CA"
+ "Explicitly Distrust DigiNotar Services 1024 CA"
+ "Explicitly Distrusted DigiNotar PKIoverheid"
+ "Explicitly Distrusted DigiNotar PKIoverheid G2"
+ "Go Daddy Root Certificate Authority - G2"
+ "Root CA Generalitat Valenciana"
+ "Starfield Root Certificate Authority - G2"
+ "Starfield Services Root Certificate Authority - G2"
+ "TWCA Root Certification Authority"
- "AOL Time Warner Root Certification Authority 1"
- "AOL Time Warner Root Certification Authority 2"
- "DigiNotar Root CA"
- "Entrust.net Global Secure Personal CA"
- "Entrust.net Global Secure Server CA"
- "Entrust.net Secure Personal CA"
- "IPS Chained CAs root"
- "IPS CLASE1 root"
- "IPS CLASE3 root"
- "IPS CLASEA1 root"
- "IPS CLASEA3 root"
- "IPS Timestamping root"
- "Thawte Personal Freemail CA"
- "Thawte Time Stamping CA"
* "Bogus *" CAs above address Comodo MITM 03/11 Closes: #619587
* Update CAcert-Class 3-Subroot-certificate Closes: #630232
[ Steve Langasek ]
* sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
the way before calling c_rehash, so that symlinks don't accidentally get
pointed here, breaking openssl certificate verification LP: #854927
[ Loïc Minier ]
* Drop bogus c_rehash on upgrades, which caused issue when
ca-certificates.crt was still in place; instead, call
update-ca-certificates --fresh on upgrades to this version, and
the usual update-ca-certificates otherwise Closes: #643667, #537382
-- Michael Shuler <email address hidden> Tue, 25 Oct 2011 09:12:10 -0500
-
ca-certificates (20111022) unstable; urgency=low
* QA upload.
* Fix pending l10n issues. Debconf translations:
- German (Helge Kreutzmann). Closes: #634000
- French (Christian Perrier). Closes: #634092
- Russian (Yuri Kozlov). Closes: #635146
- Swedish (Martin Bagge / brother). Closes: #640622
- Slovak (Slavko). Closes: #641987
- Spanish; (Javier Fernández-Sanguino). Closes: #642359
- Japanese (Kenshi Muto). Closes: #644828
- Czech (Miroslav Kure). Closes: #644843
- Danish (Joe Hansen). Closes: #644854
- Italian (Luca Monducci). Closes: #645004
- Dutch; (Jeroen Schot). Closes: #645090
- Portuguese (Miguel Figueiredo). Closes: #645126
- Galician (Jorge Barreiro). Closes: #645138
- Catalan; (Jordi Mallach). Closes: #645182
- Brazilian Portuguese (Adriano Rafael Gomes). Closes: #645526
* Split Choices in debconf templates
* Add build-arch and build-indep build targets
* Bump debhelper compatibility level to 8
* Bump Standards to 3.9.2 (checked)
* Replace "dh_clean -k" by dh_prep
-- Christian Perrier <email address hidden> Sat, 22 Oct 2011 14:24:00 +0200
-
ca-certificates (20110502+nmu1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Blacklist "DigiNotar Root CA" (Closes: #639744)
-- Raphael Geissert <email address hidden> Tue, 30 Aug 2011 21:00:55 -0500
-
ca-certificates (20110502) unstable; urgency=low
* QA upload. * Mark the package as multi-arch:foreign. (Closes: #622323) * Use db_settitle in config script to allow translations of the dialog title; thanks to Frans Pop. (Closes: #560314) -- Philipp Kern <email address hidden> Mon, 02 May 2011 19:27:50 +0200
-
ca-certificates (20110421) unstable; urgency=low
* QA upload. * Package is orphaned, set maintainer to QA group * Depend on openssl 1.0.0 and force a call of c_rehash so that we have both the old and new style of symlinks. (Closes: #611102) * Remove libssl0.9.8 from enhances * Update mozilla certdata.txt file to the latest version. Removed: - ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt - beTRUSTed_Root_CA-Baltimore_Implementation.crt - beTRUSTed_Root_CA.crt - beTRUSTed_Root_CA_-_Entrust_Implementation.crt - beTRUSTed_Root_CA_-_RSA_Implementation.crt - Digital_Signature_Trust_Co._Global_CA_2.crt - Digital_Signature_Trust_Co._Global_CA_4.crt - Entrust.net_Global_Secure_Personal_CA.crt - Entrust.net_Global_Secure_Server_CA.crt - Entrust.net_Secure_Personal_CA.crt - GTE_CyberTrust_Root_CA.crt - IPS_Chained_CAs_root.crt - IPS_CLASE1_root.crt - IPS_CLASE3_root.crt - IPS_CLASEA1_root.crt - IPS_CLASEA3_root.crt - IPS_Servidores_root.crt - IPS_Timestamping_root.crt - RSA_Security_1024_v3.crt - StartCom_Ltd..crt - Thawte_Personal_Basic_CA.crt - Thawte_Personal_Premium_CA.crt - UTN-USER_First-Network_Applications.crt - Verisign_RSA_Secure_Server_CA.crt - Verisign_Time_Stamping_Authority_CA.crt - Visa_International_Global_Root_2.crt Added: - ACEDICOM_Root.crt - AC_Raíz_Certicámara_S.A..crt - ApplicationCA_-_Japanese_Government.crt - Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt - Buypass_Class_2_CA_1.crt - Buypass_Class_3_CA_1.crt - CA_Disig.crt - Certigna.crt - certSIGN_ROOT_CA.crt - Chambers_of_Commerce_Root_-_2008.crt - CNNIC_ROOT.crt - ComSign_CA.crt - ComSign_Secured_CA.crt - Cybertrust_Global_Root.crt - Deutsche_Telekom_Root_CA_2.crt - EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt - E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt - ePKI_Root_Certification_Authority.crt - GeoTrust_Primary_Certification_Authority_-_G2.crt - GeoTrust_Primary_Certification_Authority_-_G3.crt - Global_Chambersign_Root_-_2008.crt - GlobalSign_Root_CA_-_R3.crt - Hongkong_Post_Root_CA_1.crt - IGC_A.crt - Izenpe.com.crt - Juur-SK.crt - Microsec_e-Szigno_Root_CA_2009.crt - Microsec_e-Szigno_Root_CA.crt - NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt - OISTE_WISeKey_Global_Root_GA_CA.crt - SecureSign_RootCA11.crt - Security_Communication_EV_RootCA1.crt - Staat_der_Nederlanden_Root_CA_-_G2.crt - S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt - TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt - TC_TrustCenter_Class_2_CA_II.crt - TC_TrustCenter_Class_3_CA_II.crt - TC_TrustCenter_Universal_CA_I.crt - TC_TrustCenter_Universal_CA_III.crt - thawte_Primary_Root_CA_-_G2.crt - thawte_Primary_Root_CA_-_G3.crt - VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt - VeriSign_Universal_Root_Certification_Authority.crt Changed: - Verisign_Class_1_Public_Primary_Certification_Authority.crt - Verisign_Class_3_Public_Primary_Certification_Authority.crt * Remove telesec.de/deutsche-telekom-root-ca-2.crt, now in mozilla. * String decode the mozilla certdata.txt so the filenames show up as proper UTF-8 strings. -- Kurt Roeckx <email address hidden> Thu, 21 Apr 2011 18:56:08 +0200
-
ca-certificates (20090814+nmu3) unstable; urgency=low
* Non-maintainer upload. * Fix pending l10n issues. Debconf translations: - French (Christian Perrier). Closes: #594231 - Danish (Joe Hansen). Closes: #601129 - Catalan (Jordi Mallach). Closes: #601089 - Brazilian Portuguese (Adriano Rafael Gomes). Closes: #618633 -- Christian Perrier <email address hidden> Sat, 19 Mar 2011 07:47:00 +0100
-
ca-certificates (20090814+nmu2) unstable; urgency=low
* Non-maintainer upload.
* Fixes buggy shell functions included in the postinst script.
(Closes: #591607)
-- Maximiliano Curia <email address hidden> Fri, 13 Aug 2010 20:16:21 -0300
-
ca-certificates (20090814+nmu1) unstable; urgency=low
* Non-maintainer upload.
* Preserve user changes to the /etc/ca-certificates.conf.
(Closes: #514220)
-- Maximiliano Curia <email address hidden> Fri, 30 Jul 2010 12:55:28 -0400
-
ca-certificates (20090814) unstable; urgency=low
* Call Debconf and its db_purge as early as possible in postrm.
(Closes: #541275)
-- Philipp Kern <email address hidden> Fri, 14 Aug 2009 11:10:00 +0200
-
ca-certificates (20090709) unstable; urgency=low
* Fix purge by checking for `/etc/ssl/certs' first. (Closes: #536331)
-- Philipp Kern <email address hidden> Thu, 09 Jul 2009 10:35:39 +0200
-
ca-certificates (20081127) unstable; urgency=low
* Remove /etc/ssl{,/certs} in postrm to please piuparts. (Closes:
#454334)
-- Philipp Kern <email address hidden> Thu, 27 Nov 2008 19:13:17 +0100
-
ca-certificates (20080809) unstable; urgency=low
* New cacert.org.pem joining both CACert Class 1 and Class 3 certificates.
This file can be used for proper certificate chaining if CACert
server certificates are used. The old class3.pem and root.pem
certificates are deprecated. This new file could safely serve as
a replacement for both. (Closes: #494343)
* This also reintroduces the old name for the CACert certificate,
thus closing a long-standing bug about its rename to root.crt.
(Closes: #413766)
-- Philipp Kern <email address hidden> Sat, 09 Aug 2008 14:58:24 -0300