Trust in a Root CA

A Certification Authority (CA) is an entity that issues digital certificates. In the relationship between two parties, the CA acts as a trusted third party. Each CA issues a root certificate, a self-signed public-key certificate that identifies the CA itself. Root certificates act as the trust anchor for every certificate chained beneath them, so a CA needs to be both secure and trustworthy. In some cases, however, a CA accidentally or intentionally compromises the security of its keys.

Trusted root certificates are shipped directly in a user’s operating system or browser. Windows users can run certmgr.msc to see their certificate list, Mac users can find a list here, and Linux users can look in /etc/ssl/certs. Mozilla users can also find their browser’s separate list under Preferences > Advanced > Certificates > View Certificates, while Android users can find theirs under Settings > Security > Trusted credentials.

For Let’s Encrypt certificates, the root certificate is ISRG Root X1, cross-signed with DST Root CA X3. A new CA will sometimes have its key cross-signed by another, already-trusted CA while waiting for its own root certificate to be included in operating systems and browsers.

Untrusted Root Certification Authority

Below is the list of root certificates which I have untrusted on my devices:

Name              Reason
WoSign ECC        Mis-issuance, multiple BR violations
WoSign China      Mis-issuance, multiple BR violations
WoSign G2         Mis-issuance, multiple BR violations
StartCom CA       Mis-issuance, multiple BR violations
StartCom CA G2    Mis-issuance, multiple BR violations
CNNIC Root        Mis-issuance, leading to MITM attacks
PSCProcert        Multiple BR violations, lack of response

Instructions for untrusting a CA can be found in this blog article by CertSimple.

Under Watchlist Root Certification Authority

There are also other root certificates that I have put on my own “watch list”; these CAs were given a second chance because they quickly recognised and amended their mistakes.

Name              Reason
Symantec Old PKI  Mis-issuance, multiple BR violations

Entries on this “watch list” will be removed one year (365 days) after the last incident, provided there are no further incidents.
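As an added example (not code from the original post), here is a stdlib-only Python audit that checks the roots your system’s default SSL context trusts against an untrust list and a watch list like the ones above, using the subject tuples that ssl.SSLContext.get_ca_certs() returns. The CA names are taken from the tables, the watch-list incident date is a placeholder, and the fallback bundle path is an assumption (Debian-style layout).

```python
import os
import ssl
from datetime import date, timedelta

# Roots I refuse to trust, matched case-insensitively as substrings of the subject's O or CN.
UNTRUSTED = ("WoSign", "StartCom", "CNNIC", "PSCProcert")
# Watch list: name -> date of the last incident (illustrative date, not the real one).
WATCHLIST = {"Symantec": date(2017, 1, 19)}
WATCH_PERIOD = timedelta(days=365)  # entries drop off one year after the last incident

def subject_names(cert):
    """O and CN values from a get_ca_certs()-style subject tuple of RDN tuples."""
    return [value for rdn in cert.get("subject", ()) for attr, value in rdn
            if attr in ("organizationName", "commonName")]

def classify(cert, today):
    """Verdict for one root: 'untrusted', 'watch', 'watch-expired' or 'ok'."""
    names = [n.lower() for n in subject_names(cert)]
    if any(bad.lower() in n for bad in UNTRUSTED for n in names):
        return "untrusted"
    for watched, last_incident in WATCHLIST.items():
        if any(watched.lower() in n for n in names):
            return "watch" if today < last_incident + WATCH_PERIOD else "watch-expired"
    return "ok"

def audit(certs, today=None):
    """Map each flagged root's 'O / CN' to its verdict; clean roots are omitted."""
    today = today or date.today()
    report = {}
    for cert in certs:
        verdict = classify(cert, today)
        if verdict != "ok":
            report[" / ".join(subject_names(cert))] = verdict
    return report

def loaded_roots():
    """Roots the default SSL context trusts on this machine."""
    ctx = ssl.create_default_context()
    certs = ctx.get_ca_certs()
    # Roots loaded from a capath directory are only reported once used, so fall back
    # to the Debian-style concatenated bundle (path is an assumption) if the list is empty.
    bundle = "/etc/ssl/certs/ca-certificates.crt"
    if not certs and os.path.exists(bundle):
        ctx.load_verify_locations(cafile=bundle)
        certs = ctx.get_ca_certs()
    return certs

if __name__ == "__main__":
    for name, verdict in sorted(audit(loaded_roots()).items()):
        print(f"{verdict:14} {name}")
```

Flagged roots are only reported, never removed; removal still goes through the platform’s own tools described above.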

Side-effects of Untrusting Root CA

  • Some applications won’t run or install, as they are signed with a key that chains to the untrusted root certificate.
  • Some websites won’t open, as they are secured with a certificate issued under the untrusted root.