git: b76aaa35423e - releng/13.0 - Root certificate bundle update.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Wed, 03 Nov 2021 20:54:18 UTC
The branch releng/13.0 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=b76aaa35423e7a0f47029d9526149505828568c8

commit b76aaa35423e7a0f47029d9526149505828568c8
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2021-11-03 20:30:05 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2021-11-03 20:37:26 +0000

    Root certificate bundle update.
    
    Approved by:    so
    Security:       EN-21:27.caroot
---
 secure/caroot/MAca-bundle.pl                       |  55 ++++++--
 .../Camerfirma_Chambers_of_Commerce_Root.pem       |   0
 .../Camerfirma_Global_Chambersign_Root.pem         |   0
 .../{trusted => blacklisted}/Certum_Root_CA.pem    |   0
 .../Chambers_of_Commerce_Root_-_2008.pem           |   0
 .../D-TRUST_Root_CA_3_2013.pem                     |   0
 secure/caroot/{trusted => blacklisted}/EC-ACC.pem  |   0
 ...oTrust_Primary_Certification_Authority_-_G2.pem |   0
 .../Global_Chambersign_Root_-_2008.pem             |   0
 .../OISTE_WISeKey_Global_Root_GA_CA.pem            |   0
 .../{trusted => blacklisted}/QuoVadis_Root_CA.pem  |   2 +
 .../Sonera_Class_2_Root_CA.pem                     |   2 +
 .../Staat_der_Nederlanden_Root_CA_-_G3.pem         |   0
 .../SwissSign_Platinum_CA_-_G2.pem                 |   0
 ...Public_Primary_Certification_Authority_-_G6.pem |   0
 ...Public_Primary_Certification_Authority_-_G6.pem |   0
 .../Trustis_FPS_Root_CA.pem                        |   0
 ...Sign_Universal_Root_Certification_Authority.pem |   0
 ...Public_Primary_Certification_Authority_-_G3.pem |   0
 ...Public_Primary_Certification_Authority_-_G3.pem |   0
 secure/caroot/trusted/ACCVRAIZ1.pem                |   2 +
 secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem         |   2 +
 .../AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem        |  69 ++++++++++
 .../caroot/trusted/ANF_Secure_Server_Root_CA.pem   | 139 +++++++++++++++++++++
 .../trusted/Actalis_Authentication_Root_CA.pem     |   2 +
 secure/caroot/trusted/AffirmTrust_Commercial.pem   |   2 +
 secure/caroot/trusted/AffirmTrust_Networking.pem   |   2 +
 secure/caroot/trusted/AffirmTrust_Premium.pem      |   2 +
 secure/caroot/trusted/AffirmTrust_Premium_ECC.pem  |   2 +
 secure/caroot/trusted/Amazon_Root_CA_1.pem         |   2 +
 secure/caroot/trusted/Amazon_Root_CA_2.pem         |   2 +
 secure/caroot/trusted/Amazon_Root_CA_3.pem         |   2 +
 secure/caroot/trusted/Amazon_Root_CA_4.pem         |   2 +
 secure/caroot/trusted/Atos_TrustedRoot_2011.pem    |   2 +
 ...ertificacion_Firmaprofesional_CIF_A62634068.pem |   2 +
 .../caroot/trusted/Baltimore_CyberTrust_Root.pem   |   2 +
 secure/caroot/trusted/Buypass_Class_2_Root_CA.pem  |   2 +
 secure/caroot/trusted/Buypass_Class_3_Root_CA.pem  |   2 +
 secure/caroot/trusted/CA_Disig_Root_R2.pem         |   2 +
 secure/caroot/trusted/CFCA_EV_ROOT.pem             |   2 +
 .../trusted/COMODO_Certification_Authority.pem     |   2 +
 .../trusted/COMODO_ECC_Certification_Authority.pem |   2 +
 .../trusted/COMODO_RSA_Certification_Authority.pem |   2 +
 secure/caroot/trusted/Certigna.pem                 |   2 +
 secure/caroot/trusted/Certigna_Root_CA.pem         |   2 +
 secure/caroot/trusted/Certum_EC-384_CA.pem         |  68 ++++++++++
 .../caroot/trusted/Certum_Trusted_Network_CA.pem   |   2 +
 .../caroot/trusted/Certum_Trusted_Network_CA_2.pem |   2 +
 secure/caroot/trusted/Certum_Trusted_Root_CA.pem   | 136 ++++++++++++++++++++
 secure/caroot/trusted/Comodo_AAA_Services_root.pem |   2 +
 secure/caroot/trusted/Cybertrust_Global_Root.pem   |   2 +
 .../trusted/D-TRUST_Root_Class_3_CA_2_2009.pem     |   2 +
 .../trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.pem  |   2 +
 secure/caroot/trusted/DST_Root_CA_X3.pem           |   2 +
 .../caroot/trusted/DigiCert_Assured_ID_Root_CA.pem |   2 +
 .../caroot/trusted/DigiCert_Assured_ID_Root_G2.pem |   2 +
 .../caroot/trusted/DigiCert_Assured_ID_Root_G3.pem |   2 +
 secure/caroot/trusted/DigiCert_Global_Root_CA.pem  |   2 +
 secure/caroot/trusted/DigiCert_Global_Root_G2.pem  |   2 +
 secure/caroot/trusted/DigiCert_Global_Root_G3.pem  |   2 +
 .../trusted/DigiCert_High_Assurance_EV_Root_CA.pem |   2 +
 secure/caroot/trusted/DigiCert_Trusted_Root_G4.pem |   2 +
 .../trusted/E-Tugra_Certification_Authority.pem    |   2 +
 .../Entrust_Root_Certification_Authority.pem       |   2 +
 .../Entrust_Root_Certification_Authority_-_EC1.pem |   2 +
 .../Entrust_Root_Certification_Authority_-_G2.pem  |   2 +
 .../Entrust_Root_Certification_Authority_-_G4.pem  |   2 +
 .../Entrust_net_Premium_2048_Secure_Server_CA.pem  |   2 +
 secure/caroot/trusted/GDCA_TrustAUTH_R5_ROOT.pem   |   2 +
 secure/caroot/trusted/GLOBALTRUST_2020.pem         | 138 ++++++++++++++++++++
 secure/caroot/trusted/GTS_Root_R1.pem              |   2 +
 secure/caroot/trusted/GTS_Root_R2.pem              |   2 +
 secure/caroot/trusted/GTS_Root_R3.pem              |   2 +
 secure/caroot/trusted/GTS_Root_R4.pem              |   2 +
 .../caroot/trusted/GlobalSign_ECC_Root_CA_-_R4.pem |   2 +
 .../caroot/trusted/GlobalSign_ECC_Root_CA_-_R5.pem |   2 +
 secure/caroot/trusted/GlobalSign_Root_CA.pem       |   2 +
 secure/caroot/trusted/GlobalSign_Root_CA_-_R2.pem  |   2 +
 secure/caroot/trusted/GlobalSign_Root_CA_-_R3.pem  |   2 +
 secure/caroot/trusted/GlobalSign_Root_CA_-_R6.pem  |   2 +
 secure/caroot/trusted/GlobalSign_Root_E46.pem      |  66 ++++++++++
 secure/caroot/trusted/GlobalSign_Root_R46.pem      | 134 ++++++++++++++++++++
 secure/caroot/trusted/Go_Daddy_Class_2_CA.pem      |   2 +
 .../Go_Daddy_Root_Certificate_Authority_-_G2.pem   |   2 +
 ...c_and_Research_Institutions_ECC_RootCA_2015.pem |   2 +
 ...demic_and_Research_Institutions_RootCA_2011.pem |   2 +
 ...demic_and_Research_Institutions_RootCA_2015.pem |   2 +
 secure/caroot/trusted/Hongkong_Post_Root_CA_1.pem  |   2 +
 secure/caroot/trusted/Hongkong_Post_Root_CA_3.pem  |   2 +
 secure/caroot/trusted/ISRG_Root_X1.pem             |   2 +
 .../trusted/IdenTrust_Commercial_Root_CA_1.pem     |   2 +
 .../trusted/IdenTrust_Public_Sector_Root_CA_1.pem  |   2 +
 secure/caroot/trusted/Izenpe_com.pem               |   2 +
 .../trusted/Microsec_e-Szigno_Root_CA_2009.pem     |   2 +
 ...crosoft_ECC_Root_Certificate_Authority_2017.pem |   2 +
 ...crosoft_RSA_Root_Certificate_Authority_2017.pem |   2 +
 .../NAVER_Global_Root_Certification_Authority.pem  |   2 +
 ...etLock_Arany__Class_Gold__F__tan__s__tv__ny.pem |   2 +
 .../Network_Solutions_Certificate_Authority.pem    |   2 +
 .../trusted/OISTE_WISeKey_Global_Root_GB_CA.pem    |   2 +
 .../trusted/OISTE_WISeKey_Global_Root_GC_CA.pem    |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_1_G3.pem    |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_2.pem       |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_2_G3.pem    |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_3.pem       |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_3_G3.pem    |   2 +
 ...SSL_com_EV_Root_Certification_Authority_ECC.pem |   2 +
 ..._com_EV_Root_Certification_Authority_RSA_R2.pem |   2 +
 .../SSL_com_Root_Certification_Authority_ECC.pem   |   2 +
 .../SSL_com_Root_Certification_Authority_RSA.pem   |   2 +
 secure/caroot/trusted/SZAFIR_ROOT_CA2.pem          |   2 +
 secure/caroot/trusted/SecureSign_RootCA11.pem      |   2 +
 secure/caroot/trusted/SecureTrust_CA.pem           |   2 +
 secure/caroot/trusted/Secure_Global_CA.pem         |   2 +
 .../trusted/Security_Communication_RootCA2.pem     |   2 +
 .../trusted/Security_Communication_Root_CA.pem     |   2 +
 .../trusted/Staat_der_Nederlanden_EV_Root_CA.pem   |   2 +
 secure/caroot/trusted/Starfield_Class_2_CA.pem     |   2 +
 .../Starfield_Root_Certificate_Authority_-_G2.pem  |   2 +
 ...ld_Services_Root_Certificate_Authority_-_G2.pem |   2 +
 secure/caroot/trusted/SwissSign_Gold_CA_-_G2.pem   |   2 +
 secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem |   2 +
 .../trusted/T-TeleSec_GlobalRoot_Class_2.pem       |   2 +
 .../trusted/T-TeleSec_GlobalRoot_Class_3.pem       |   2 +
 ...BITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem |   2 +
 secure/caroot/trusted/TWCA_Global_Root_CA.pem      |   2 +
 .../trusted/TWCA_Root_Certification_Authority.pem  |   2 +
 secure/caroot/trusted/TeliaSonera_Root_CA_v1.pem   |   2 +
 secure/caroot/trusted/TrustCor_ECA-1.pem           |   2 +
 secure/caroot/trusted/TrustCor_RootCert_CA-1.pem   |   2 +
 secure/caroot/trusted/TrustCor_RootCert_CA-2.pem   |   2 +
 .../Trustwave_Global_Certification_Authority.pem   |   2 +
 ...ave_Global_ECC_P256_Certification_Authority.pem |   2 +
 ...ave_Global_ECC_P384_Certification_Authority.pem |   2 +
 .../trusted/UCA_Extended_Validation_Root.pem       |   2 +
 secure/caroot/trusted/UCA_Global_G2_Root.pem       |   2 +
 .../USERTrust_ECC_Certification_Authority.pem      |   2 +
 .../USERTrust_RSA_Certification_Authority.pem      |   2 +
 secure/caroot/trusted/XRamp_Global_CA_Root.pem     |   2 +
 secure/caroot/trusted/certSIGN_ROOT_CA.pem         |   2 +
 secure/caroot/trusted/certSIGN_Root_CA_G2.pem      |   2 +
 secure/caroot/trusted/e-Szigno_Root_CA_2017.pem    |   2 +
 .../trusted/ePKI_Root_Certification_Authority.pem  |   2 +
 secure/caroot/trusted/emSign_ECC_Root_CA_-_C3.pem  |   2 +
 secure/caroot/trusted/emSign_ECC_Root_CA_-_G3.pem  |   2 +
 secure/caroot/trusted/emSign_Root_CA_-_C1.pem      |   2 +
 secure/caroot/trusted/emSign_Root_CA_-_G1.pem      |   2 +
 147 files changed, 1037 insertions(+), 12 deletions(-)

diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl
index bfac77c73941..8521b620337f 100755
--- a/secure/caroot/MAca-bundle.pl
+++ b/secure/caroot/MAca-bundle.pl
@@ -76,6 +76,8 @@ sub print_header($$)
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $VERSION
 ##
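Review bot: The sentence added to this per-certificate header says the file holds a certificate trusted for server authentication, yet later in this patch the same text lands in files under `secure/caroot/blacklisted/` (QuoVadis_Root_CA.pem, Sonera_Class_2_Root_CA.pem). Whether print_header knows which directory it is writing for is not visible here. If it does not, a neutral wording such as `##  Selected by its server authentication trust setting in certdata.txt.` keeps a blacklisted file from describing itself as trusted. The plural variant added in the next hunk is fine for the trusted bundle itself. print_header starts and ends outside the hunk.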
@@ -91,6 +93,8 @@ EOFH
 ##  Authorities (CA). These were automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt').
 ##
+##  It contains certificates trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $VERSION
 ##
@@ -100,6 +104,13 @@ EOH
     }
 }
 
+# returns a string like YYMMDDhhmmssZ of current time in GMT zone
+sub timenow()
+{
+	my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time);
+	return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec;
+}
+
 sub printcert($$$)
 {
     my ($fh, $label, $certdata) = @_;
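Review bot: `timenow()` is only correct for the years 2000–2099. `$year-100` reduces gmtime's 1900-based year to two digits, and from 2100 on `%02d` prints three digits, so the string stops being fixed-width. The comment should state that limit and name the consumer, e.g. `# two-digit year, valid 2000-2099 only; compared against CKA_NSS_SERVER_DISTRUST_AFTER in grabcert()`. printcert, which follows, continues outside the hunk.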
@@ -110,6 +121,8 @@ sub printcert($$$)
     close(OUT) or die "openssl x509 failed with exit code $?";
 }
 
+# converts a datastream that is to be \177-style octal constants
+# from <> to a (binary) string and returns it
 sub graboct($)
 {
     my $ifh = shift;
@@ -125,13 +138,13 @@ sub graboct($)
     return $data;
 }
 
-
 sub grabcert($)
 {
     my $ifh = shift;
     my $certdata;
-    my $cka_label;
-    my $serial;
+    my $cka_label = '';
+    my $serial = 0;
+    my $distrust = 0;
 
     while (<$ifh>) {
 	chomp;
@@ -148,6 +161,19 @@ sub grabcert($)
 	if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
 	    $serial = graboct($ifh);
 	}
+
+	if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/)
+	{
+	    my $distrust_after = graboct($ifh);
+	    my $time_now = timenow();
+	    if ($time_now >= $distrust_after) { $distrust = 1; }
+	    if ($debug) {
+		printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow();
+	    }
+	    if ($distrust) {
+		return undef;
+	    }
+	}
     }
     return ($serial, $cka_label, $certdata);
 }
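Review bot: The distrust-after cut-off is evaluated against the clock of the machine that generates the bundle, so the same certdata.txt yields different output depending on when the script runs, and a root whose date is still in the future ships as trusted until the bundle is regenerated. That deserves a comment above the `if`, along the lines of `# evaluated at generation time; a root past its date is dropped entirely, which (as the attribute name suggests) is stricter than distrusting only certificates issued after it`. Separately, `$time_now >= $distrust_after` compares two strings ending in `Z` numerically; assuming both are fixed-width YYMMDDhhmmssZ values, `if ($time_now ge $distrust_after) { $distrust = 1; }` states the intent without relying on numeric coercion. In the debug `printf`, `$cka_label` is interpolated into the format string, so a `%` in a label would be read as a directive; pass it as a `%s` argument instead. grabcert begins outside this hunk.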
@@ -171,13 +197,13 @@ sub grabtrust($) {
 	    $serial = graboct($ifh);
 	}
 
-	if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
+	if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/)
 	{
-	    if ($2 eq      'CKT_NSS_NOT_TRUSTED') {
+	    if ($1 eq      'CKT_NSS_NOT_TRUSTED') {
 		$distrust = 1;
-	    } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
+	    } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
 		$maytrust = 1;
-	    } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
+	    } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
 		confess "Unknown trust setting on line $.:\n"
 		. "$_\n"
 		. "Script must be updated:";
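Review bot: Narrowing the match to `CKA_TRUST_SERVER_AUTH` has two undocumented side effects: email-protection and code-signing trust settings no longer influence `$distrust`/`$maytrust`, and the `confess "Unknown trust setting"` tripwire no longer fires for new values on those attributes. A comment above the regex would make the scope explicit, e.g. `# only TLS server-auth trust is evaluated; do not rely on this bundle for S/MIME or code-signing validation`. How grabtrust turns the two flags into its return value lies outside the hunk.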
@@ -197,16 +223,22 @@ if (!$outputdir) {
 	print_header(*STDOUT, "");
 }
 
+my $untrusted = 0;
+
 while (<$inputfh>) {
     if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
 	my ($serial, $label, $certdata) = grabcert($inputfh);
 	if (defined $certs{$label."\0".$serial}) {
 	    warn "Certificate $label duplicated!\n";
 	}
-	$certs{$label."\0".$serial} = $certdata;
-	# We store the label in a separate hash because truncating the key
-	# with \0 was causing garbage data after the end of the text.
-	$labels{$label."\0".$serial} = $label;
+	if (defined $certdata) {
+		$certs{$label."\0".$serial} = $certdata;
+		# We store the label in a separate hash because truncating the key
+		# with \0 was causing garbage data after the end of the text.
+		$labels{$label."\0".$serial} = $label;
+	} else { # $certdata undefined? distrust_after in effect
+		$untrusted ++;
+	}
     } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
 	my ($serial, $label, $trust) = grabtrust($inputfh);
 	if (defined $trusts{$label."\0".$serial}) {
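Review bot: When grabcert bails out with `return undef`, the list assignment leaves `$label` and `$serial` undefined, and the duplicate check on `$certs{$label."\0".$serial}` still runs on them before `defined $certdata` is tested. Moving that `if (defined $certs{...})` warning inside the new `if (defined $certdata)` branch keeps undefined values out of the hash key; it also avoids uninitialized-value warnings if warnings are enabled, which is not visible here. The trust object of a skipped root is still read by the `CKO_NSS_TRUST` branch, so it is worth confirming that the later weed-out loop tolerates a `%trusts` entry with no matching `%certs` entry. The loop body continues outside the hunk.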
@@ -226,7 +258,6 @@ sub label_to_filename(@) {
 }
 
 # weed out untrusted certificates
-my $untrusted = 0;
 foreach my $it (keys %trusts) {
     if (!$trusts{$it}) {
 	if (!exists($certs{$it})) {
diff --git a/secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
similarity index 100%
rename from secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem
rename to secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
diff --git a/secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
similarity index 100%
rename from secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem
rename to secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
diff --git a/secure/caroot/trusted/Certum_Root_CA.pem b/secure/caroot/blacklisted/Certum_Root_CA.pem
similarity index 100%
rename from secure/caroot/trusted/Certum_Root_CA.pem
rename to secure/caroot/blacklisted/Certum_Root_CA.pem
diff --git a/secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
similarity index 100%
rename from secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem
rename to secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
diff --git a/secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
similarity index 100%
rename from secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem
rename to secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
diff --git a/secure/caroot/trusted/EC-ACC.pem b/secure/caroot/blacklisted/EC-ACC.pem
similarity index 100%
rename from secure/caroot/trusted/EC-ACC.pem
rename to secure/caroot/blacklisted/EC-ACC.pem
diff --git a/secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
similarity index 100%
rename from secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
rename to secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
diff --git a/secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
similarity index 100%
rename from secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem
rename to secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
diff --git a/secure/caroot/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem b/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
similarity index 100%
rename from secure/caroot/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem
rename to secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
diff --git a/secure/caroot/trusted/QuoVadis_Root_CA.pem b/secure/caroot/blacklisted/QuoVadis_Root_CA.pem
similarity index 98%
rename from secure/caroot/trusted/QuoVadis_Root_CA.pem
rename to secure/caroot/blacklisted/QuoVadis_Root_CA.pem
index 3619cd0cbd03..25e6300f5231 100644
--- a/secure/caroot/trusted/QuoVadis_Root_CA.pem
+++ b/secure/caroot/blacklisted/QuoVadis_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Sonera_Class_2_Root_CA.pem b/secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
similarity index 98%
rename from secure/caroot/trusted/Sonera_Class_2_Root_CA.pem
rename to secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
index 7b38ef463d6a..b23c237e319f 100644
--- a/secure/caroot/trusted/Sonera_Class_2_Root_CA.pem
+++ b/secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem b/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
similarity index 100%
rename from secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
rename to secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
diff --git a/secure/caroot/trusted/SwissSign_Platinum_CA_-_G2.pem b/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
similarity index 100%
rename from secure/caroot/trusted/SwissSign_Platinum_CA_-_G2.pem
rename to secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
diff --git a/secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
similarity index 100%
rename from secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
similarity index 100%
rename from secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/trusted/Trustis_FPS_Root_CA.pem b/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
similarity index 100%
rename from secure/caroot/trusted/Trustis_FPS_Root_CA.pem
rename to secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
diff --git a/secure/caroot/trusted/VeriSign_Universal_Root_Certification_Authority.pem b/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
similarity index 100%
rename from secure/caroot/trusted/VeriSign_Universal_Root_Certification_Authority.pem
rename to secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
diff --git a/secure/caroot/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
similarity index 100%
rename from secure/caroot/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
similarity index 100%
rename from secure/caroot/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/trusted/ACCVRAIZ1.pem b/secure/caroot/trusted/ACCVRAIZ1.pem
index 0c7c7c41b57d..1c96e53b8f17 100644
--- a/secure/caroot/trusted/ACCVRAIZ1.pem
+++ b/secure/caroot/trusted/ACCVRAIZ1.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
index 579f50d8d730..6a64be5ce138 100644
--- a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
+++ b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
new file mode 100644
index 000000000000..71ee49574e84
--- /dev/null
+++ b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
@@ -0,0 +1,69 @@
+##
+##  AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  It contains a certificate trusted for server authentication.
+##
+##  Extracted from nss
+##  with $FreeBSD$
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            62:f6:32:6c:e5:c4:e3:68:5c:1b:62:dd:9c:2e:9d:95
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C = ES, O = FNMT-RCM, OU = Ceres, organizationIdentifier = VATES-Q2826004J, CN = AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+        Validity
+            Not Before: Dec 20 09:37:33 2018 GMT
+            Not After : Dec 20 09:37:33 2043 GMT
+        Subject: C = ES, O = FNMT-RCM, OU = Ceres, organizationIdentifier = VATES-Q2826004J, CN = AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:f6:ba:57:53:c8:ca:ab:df:36:4a:52:21:e4:97:
+                    d2:83:67:9e:f0:65:51:d0:5e:87:c7:47:b1:59:f2:
+                    57:47:9b:00:02:93:44:17:69:db:42:c7:b1:b2:3a:
+                    18:0e:b4:5d:8c:b3:66:5d:a1:34:f9:36:2c:49:db:
+                    f3:46:fc:b3:44:69:44:13:66:fd:d7:c5:fd:af:36:
+                    4d:ce:03:4d:07:71:cf:af:6a:05:d2:a2:43:5a:0a:
+                    52:6f:01:03:4e:8e:8b
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                01:B9:2F:EF:BF:11:86:60:F2:4F:D0:41:6E:AB:73:1F:E7:D2:6E:49
+    Signature Algorithm: ecdsa-with-SHA384
+         30:66:02:31:00:ae:4a:e3:2b:40:c3:74:11:f2:95:ad:16:23:
+         de:4e:0c:1a:e6:5d:a5:24:5e:6b:44:7b:fc:38:e2:4f:cb:9c:
+         45:17:11:4c:14:27:26:55:39:75:4a:03:cc:13:90:9f:92:02:
+         31:00:fa:4a:6c:60:88:73:f3:ee:b8:98:62:a9:ce:2b:c2:d9:
+         8a:a6:70:31:1d:af:b0:94:4c:eb:4f:c6:e3:d1:f3:62:a7:3c:
+         ff:93:2e:07:5c:49:01:67:69:12:02:72:bf:e7
+SHA1 Fingerprint=62:FF:D9:9E:C0:65:0D:03:CE:75:93:D2:ED:3F:2D:32:C9:E3:E5:4A
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem b/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem
new file mode 100644
index 000000000000..6114a5ccdb2d
--- /dev/null
+++ b/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem
@@ -0,0 +1,139 @@
+##
+##  ANF Secure Server Root CA
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  It contains a certificate trusted for server authentication.
+##
+##  Extracted from nss
+##  with $FreeBSD$
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 996390341000653745 (0xdd3e3bc6cf96bb1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: serialNumber = G63287510, C = ES, O = ANF Autoridad de Certificacion, OU = ANF CA Raiz, CN = ANF Secure Server Root CA
+        Validity
+            Not Before: Sep  4 10:00:38 2019 GMT
+            Not After : Aug 30 10:00:38 2039 GMT
+        Subject: serialNumber = G63287510, C = ES, O = ANF Autoridad de Certificacion, OU = ANF CA Raiz, CN = ANF Secure Server Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:db:eb:6b:2b:e6:64:54:95:82:90:a3:72:a4:19:
+                    01:9d:9c:0b:81:5f:73:49:ba:a7:ac:f3:04:4e:7b:
+                    96:0b:ec:11:e0:5b:a6:1c:ce:1b:d2:0d:83:1c:2b:
+                    b8:9e:1d:7e:45:32:60:0f:07:e9:77:58:7e:9f:6a:
+                    c8:61:4e:b6:26:c1:4c:8d:ff:4c:ef:34:b2:1f:65:
+                    d8:b9:78:f5:ad:a9:71:b9:ef:4f:58:1d:a5:de:74:
+                    20:97:a1:ed:68:4c:de:92:17:4b:bc:ab:ff:65:9a:
+                    9e:fb:47:d9:57:72:f3:09:a1:ae:76:44:13:6e:9c:
+                    2d:44:39:bc:f9:c7:3b:a4:58:3d:41:bd:b4:c2:49:
+                    a3:c8:0d:d2:97:2f:07:65:52:00:a7:6e:c8:af:68:
+                    ec:f4:14:96:b6:57:1f:56:c3:39:9f:2b:6d:e4:f3:
+                    3e:f6:35:64:da:0c:1c:a1:84:4b:2f:4b:4b:e2:2c:
+                    24:9d:6d:93:40:eb:b5:23:8e:32:ca:6f:45:d3:a8:
+                    89:7b:1e:cf:1e:fa:5b:43:8b:cd:cd:a8:0f:6a:ca:
+                    0c:5e:b9:9e:47:8f:f0:d9:b6:0a:0b:58:65:17:33:
+                    b9:23:e4:77:19:7d:cb:4a:2e:92:7b:4f:2f:10:77:
+                    b1:8d:2f:68:9c:62:cc:e0:50:f8:ec:91:a7:54:4c:
+                    57:09:d5:76:63:c5:e8:65:1e:ee:6d:6a:cf:09:9d:
+                    fa:7c:4f:ad:60:08:fd:56:99:0f:15:2c:7b:a9:80:
+                    ab:8c:61:8f:4a:07:76:42:de:3d:f4:dd:b2:24:33:
+                    5b:b8:b5:a3:44:c9:ac:7f:77:3c:1d:23:ec:82:a9:
+                    a6:e2:c8:06:4c:02:fe:ac:5c:99:99:0b:2f:10:8a:
+                    a6:f4:7f:d5:87:74:0d:59:49:45:f6:f0:71:5c:39:
+                    29:d6:bf:4a:23:8b:f5:5f:01:63:d2:87:73:28:b5:
+                    4b:0a:f5:f8:ab:82:2c:7e:73:25:32:1d:0b:63:0a:
+                    17:81:00:ff:b6:76:5e:e7:b4:b1:40:ca:21:bb:d5:
+                    80:51:e5:48:52:67:2c:d2:61:89:07:0d:0f:ce:42:
+                    77:c0:44:73:9c:44:50:a0:db:10:0a:2d:95:1c:81:
+                    af:e4:1c:e5:14:1e:f1:36:41:01:02:2f:7d:73:a7:
+                    de:42:cc:4c:e9:89:0d:56:f7:9f:91:d4:03:c6:6c:
+                    c9:8f:db:d8:1c:e0:40:98:5d:66:99:98:80:6e:2d:
+                    ff:01:c5:ce:cb:46:1f:ac:02:c6:43:e6:ae:a2:84:
+                    3c:c5:4e:1e:3d:6d:c9:14:4c:e3:2e:41:bb:ca:39:
+                    bf:36:3c:2a:19:aa:41:87:4e:a5:ce:4b:32:79:dd:
+                    90:49:7f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:9C:5F:D0:6C:63:A3:5F:93:CA:93:98:08:AD:8C:87:A5:2C:5C:C1:37
+
+            X509v3 Subject Key Identifier: 
+                9C:5F:D0:6C:63:A3:5F:93:CA:93:98:08:AD:8C:87:A5:2C:5C:C1:37
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         4e:1e:b9:8a:c6:a0:98:3f:6e:c3:69:c0:6a:5c:49:52:ac:cb:
+         2b:5d:78:38:c1:d5:54:84:9f:93:f0:87:19:3d:2c:66:89:eb:
+         0d:42:fc:cc:f0:75:85:3f:8b:f4:80:5d:79:e5:17:67:bd:35:
+         82:e2:f2:3c:8e:7d:5b:36:cb:5a:80:00:29:f2:ce:2b:2c:f1:
+         8f:aa:6d:05:93:6c:72:c7:56:eb:df:50:23:28:e5:45:10:3d:
+         e8:67:a3:af:0e:55:0f:90:09:62:ef:4b:59:a2:f6:53:f1:c0:
+         35:e4:2f:c1:24:bd:79:2f:4e:20:22:3b:fd:1a:20:b0:a4:0e:
+         2c:70:ed:74:3f:b8:13:95:06:51:c8:e8:87:26:ca:a4:5b:6a:
+         16:21:92:dd:73:60:9e:10:18:de:3c:81:ea:e8:18:c3:7c:89:
+         f2:8b:50:3e:bd:11:e2:15:03:a8:36:7d:33:01:6c:48:15:d7:
+         88:90:99:04:c5:cc:e6:07:f4:bc:f4:90:ed:13:e2:ea:8b:c3:
+         8f:a3:33:0f:c1:29:4c:13:4e:da:15:56:71:73:72:82:50:f6:
+         9a:33:7c:a2:b1:a8:1a:34:74:65:5c:ce:d1:eb:ab:53:e0:1a:
+         80:d8:ea:3a:49:e4:26:30:9b:e5:1c:8a:a8:a9:15:32:86:99:
+         92:0a:10:23:56:12:e0:f6:ce:4c:e2:bb:be:db:8d:92:73:01:
+         66:2f:62:3e:b2:72:27:45:36:ed:4d:56:e3:97:99:ff:3a:35:
+         3e:a5:54:4a:52:59:4b:60:db:ee:fe:78:11:7f:4a:dc:14:79:
+         60:b6:6b:64:03:db:15:83:e1:a2:be:f6:23:97:50:f0:09:33:
+         36:a7:71:96:25:f3:b9:42:7d:db:38:3f:2c:58:ac:e8:42:e1:
+         0e:d8:d3:3b:4c:2e:82:e9:83:2e:6b:31:d9:dd:47:86:4f:6d:
+         97:91:2e:4f:e2:28:71:35:16:d1:f2:73:fe:25:2b:07:47:24:
+         63:27:c8:f8:f6:d9:6b:fc:12:31:56:08:c0:53:42:af:9c:d0:
+         33:7e:fc:06:f0:31:44:03:14:f1:58:ea:f2:6a:0d:a9:11:b2:
+         83:be:c5:1a:bf:07:ea:59:dc:a3:88:35:ef:9c:76:32:3c:4d:
+         06:22:ce:15:e5:dd:9e:d8:8f:da:de:d2:c4:39:e5:17:81:cf:
+         38:47:eb:7f:88:6d:59:1b:df:9f:42:14:ae:7e:cf:a8:b0:66:
+         65:da:37:af:9f:aa:3d:ea:28:b6:de:d5:31:58:16:82:5b:ea:
+         bb:19:75:02:73:1a:ca:48:1a:21:93:90:0a:8e:93:84:a7:7d:
+         3b:23:18:92:89:a0:8d:ac
+SHA1 Fingerprint=5B:6E:68:D0:CC:15:B6:A0:5F:1E:C1:5F:AE:02:FC:6B:2F:5D:6F:74
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem b/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
index 7248545350e2..7c971e1229a2 100644
--- a/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
+++ b/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AffirmTrust_Commercial.pem b/secure/caroot/trusted/AffirmTrust_Commercial.pem
index 1d85c32853c8..282d1a5dcf6f 100644
--- a/secure/caroot/trusted/AffirmTrust_Commercial.pem
+++ b/secure/caroot/trusted/AffirmTrust_Commercial.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AffirmTrust_Networking.pem b/secure/caroot/trusted/AffirmTrust_Networking.pem
index 222bde26c934..830cf3f0c3c2 100644
--- a/secure/caroot/trusted/AffirmTrust_Networking.pem
+++ b/secure/caroot/trusted/AffirmTrust_Networking.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AffirmTrust_Premium.pem b/secure/caroot/trusted/AffirmTrust_Premium.pem
index dc1447429465..725747aafdaf 100644
--- a/secure/caroot/trusted/AffirmTrust_Premium.pem
+++ b/secure/caroot/trusted/AffirmTrust_Premium.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem b/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
index a6f01409a2ef..6fe75939863e 100644
--- a/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
+++ b/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_1.pem b/secure/caroot/trusted/Amazon_Root_CA_1.pem
index 6bf1acafd4c7..2aca2eee3e9b 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_1.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_1.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_2.pem b/secure/caroot/trusted/Amazon_Root_CA_2.pem
index 80a1eb66bee2..95ca81db30bb 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_2.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_2.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_3.pem b/secure/caroot/trusted/Amazon_Root_CA_3.pem
index 6b61b3e18fa0..294f7dc8f0b6 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_3.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_3.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_4.pem b/secure/caroot/trusted/Amazon_Root_CA_4.pem
index df7aa6f1c165..649917b9638a 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_4.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_4.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Atos_TrustedRoot_2011.pem b/secure/caroot/trusted/Atos_TrustedRoot_2011.pem
index 21b229561733..7058d3fb6edf 100644
--- a/secure/caroot/trusted/Atos_TrustedRoot_2011.pem
+++ b/secure/caroot/trusted/Atos_TrustedRoot_2011.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem b/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
index 4d2eaa61962f..db4f44195dbd 100644
--- a/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
+++ b/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem b/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem
index 3dc1de849346..0f356d59962f 100644
--- a/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem
+++ b/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem b/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem
index dc2c86edbed1..0168f641fd42 100644
--- a/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem
+++ b/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem b/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem
index fda39f8731d1..7ae24799e638 100644
--- a/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem
+++ b/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/CA_Disig_Root_R2.pem b/secure/caroot/trusted/CA_Disig_Root_R2.pem
index 0ecc9d1ee08d..0dda6d97e2aa 100644
--- a/secure/caroot/trusted/CA_Disig_Root_R2.pem
+++ b/secure/caroot/trusted/CA_Disig_Root_R2.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/CFCA_EV_ROOT.pem b/secure/caroot/trusted/CFCA_EV_ROOT.pem
index 7eb37baa3bed..722499b9ed42 100644
--- a/secure/caroot/trusted/CFCA_EV_ROOT.pem
+++ b/secure/caroot/trusted/CFCA_EV_ROOT.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/COMODO_Certification_Authority.pem b/secure/caroot/trusted/COMODO_Certification_Authority.pem
index 7aa1237bb8e1..fc3e4b554cc3 100644
--- a/secure/caroot/trusted/COMODO_Certification_Authority.pem
+++ b/secure/caroot/trusted/COMODO_Certification_Authority.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem b/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem
index 215581b14fdf..5f839a858d00 100644
--- a/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem
+++ b/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem b/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem
index 38e275f1365e..7faefe98b8bf 100644
--- a/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem
+++ b/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Certigna.pem b/secure/caroot/trusted/Certigna.pem
index bbcd413be511..e9104ef6c3da 100644
--- a/secure/caroot/trusted/Certigna.pem
+++ b/secure/caroot/trusted/Certigna.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Certigna_Root_CA.pem b/secure/caroot/trusted/Certigna_Root_CA.pem
index c1a0286ab2a0..a0a7248b51ea 100644
--- a/secure/caroot/trusted/Certigna_Root_CA.pem
+++ b/secure/caroot/trusted/Certigna_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Certum_EC-384_CA.pem b/secure/caroot/trusted/Certum_EC-384_CA.pem
new file mode 100644
index 000000000000..67b5d644f809
--- /dev/null
+++ b/secure/caroot/trusted/Certum_EC-384_CA.pem
@@ -0,0 +1,68 @@
+##
+##  Certum EC-384 CA
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  It contains a certificate trusted for server authentication.
+##
+##  Extracted from nss
+##  with $FreeBSD$
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            78:8f:27:5c:81:12:52:20:a5:04:d0:2d:dd:ba:73:f4
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum EC-384 CA
+        Validity
+            Not Before: Mar 26 07:24:54 2018 GMT
+            Not After : Mar 26 07:24:54 2043 GMT
+        Subject: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum EC-384 CA
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:c4:28:8e:ab:18:5b:6a:be:6e:64:37:63:e4:cd:
+                    ec:ab:3a:f7:cc:a1:b8:0e:82:49:d7:86:29:9f:a1:
+                    94:f2:e3:60:78:98:81:78:06:4d:f2:ec:9a:0e:57:
+                    60:83:9f:b4:e6:17:2f:1a:b3:5d:02:5b:89:23:3c:
+                    c2:11:05:2a:a7:88:13:18:f3:50:84:d7:bd:34:2c:
+                    27:89:55:ff:ce:4c:e7:df:a6:1f:28:c4:f0:54:c3:
+                    b9:7c:b7:53:ad:eb:c2
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                8D:06:66:74:24:76:3A:F3:89:F7:BC:D6:BD:47:7D:2F:BC:10:5F:4B
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA384
+         30:65:02:30:03:55:2d:a6:e6:18:c4:7c:ef:c9:50:6e:c1:27:
+         0f:9c:87:af:6e:d5:1b:08:18:bd:92:29:c1:ef:94:91:78:d2:
+         3a:1c:55:89:62:e5:1b:09:1e:ba:64:6b:f1:76:b4:d4:02:31:
+         00:b4:42:84:99:ff:ab:e7:9e:fb:91:97:27:5d:dc:b0:5b:30:
+         71:ce:5e:38:1a:6a:d9:25:e7:ea:f7:61:92:56:f8:ea:da:36:
+         c2:87:65:96:2e:72:25:2f:7f:df:c3:13:c9
+SHA1 Fingerprint=F3:3E:78:3C:AC:DF:F4:A2:CC:AC:67:55:69:56:D7:E5:16:3C:E1:ED
+-----BEGIN CERTIFICATE-----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*** 1764 LINES SKIPPED ***