Certification Authority Trust Tracker

What is CATT?

CATT (Certification Authority Trust Tracker) is a collection of scripts and data to track which certification authorities are trusted by various root CA programs.

Publishing Trusted Root Certificates

The CATT project urges root certificate program managers to publish the following information:

We strongly recommend that the data above be published at a stable long-term URL, so that it can be fetched automatically.

Trust Sources

Apple

Root certificates extracted using extract-osx-trust.sh and split into files using split-bundle.pl. EV OIDs extracted using extract-osx-ev-pl.

Apple publish a list of trusted root certificates for iOS, but as this list does not include full certificate data (including public keys), it cannot be used by CATT.

Mozilla

Root certificates fetched using mk-ca-bundle.pl and split into files using split-bundle.pl. EV OIDs extracted using extract-mozilla-ev.py.

More information:

Microsoft

Root certificate metadata is fetched using fetch-microsoft-authroot.sh, producing a JSON file called authroot.json. The actual root certificates are then fetched by fetch-microsoft-certs.sh, using the contents of the JSON file. EV OIDs are not yet extracted.

An ancient snapshot of trusted root certificates can also be found in xfiles/microsoft-2012-12.xlsx.

Oracle Java SE

Root certificates extracted from the Java keystore using extract-java-trust.pl.
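
Comparing trust sources, as an added example (not one of CATT's own scripts and not a port of split-bundle.pl): each PEM bundle is split into certificates, each certificate is keyed by the SHA-256 fingerprint of its DER bytes, and the fingerprints are mapped to the stores that contain them. The function names, store names and sample PEM blocks are constructed for illustration; the blocks wrap arbitrary bytes and are not real certificates.

```python
import base64
import hashlib
import re

# Matches each certificate block; text between blocks (names, comments) is ignored.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def split_bundle(bundle_text):
    """Return {sha256_hex: der_bytes} for every certificate block in a PEM bundle."""
    certs = {}
    for match in PEM_RE.finditer(bundle_text):
        b64 = "".join(match.group(1).split())       # drop line breaks inside the block
        der = base64.b64decode(b64, validate=True)  # reject non-base64 debris
        certs[hashlib.sha256(der).hexdigest()] = der
    return certs

def compare_stores(stores):
    """Map each fingerprint to the sorted list of store names that contain it."""
    seen = {}
    for name, bundle in stores.items():
        for fingerprint in split_bundle(bundle):
            seen.setdefault(fingerprint, []).append(name)
    return {fp: sorted(names) for fp, names in seen.items()}

def only_in(stores, name):
    """Fingerprints present in the store `name` and in no other store."""
    return sorted(fp for fp, names in compare_stores(stores).items() if names == [name])

def fake_pem(payload):
    # Constructed stand-in: arbitrary bytes wrapped as PEM, NOT a real certificate.
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample bundles: root A is in both stores, B and C in one each.
ROOT_A = fake_pem(b"constructed root A" * 8)
ROOT_B = fake_pem(b"constructed root B" * 8)
ROOT_C = fake_pem(b"constructed root C" * 8)
SAMPLE_STORES = {
    "mozilla": "Constructed Root A\n==================\n" + ROOT_A + ROOT_B,
    "apple": ROOT_A + ROOT_C,
}

if __name__ == "__main__":
    for fp, names in sorted(compare_stores(SAMPLE_STORES).items()):
        print(fp[:16], ",".join(names))
```

Keying on the DER bytes rather than on a subject name is why each source has to supply the full certificate.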