git: a8c4f99a6723 - releng/12.2 - Root certificate bundle update.
Date: Wed, 03 Nov 2021 20:54:31 UTC
The branch releng/12.2 has been updated by gordon:
URL: https://cgit.FreeBSD.org/src/commit/?id=a8c4f99a6723ec7a9de6830c47f650ba2f978f31
commit a8c4f99a6723ec7a9de6830c47f650ba2f978f31
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2021-11-03 20:34:51 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2021-11-03 20:35:48 +0000
Root certificate bundle update.
Approved by: so
Security: EN-21:27.caroot
---
secure/caroot/MAca-bundle.pl | 55 ++++++--
.../Camerfirma_Chambers_of_Commerce_Root.pem | 2 +-
.../Camerfirma_Global_Chambersign_Root.pem | 2 +-
.../{trusted => blacklisted}/Certum_Root_CA.pem | 2 +-
.../Chambers_of_Commerce_Root_-_2008.pem | 2 +-
.../D-TRUST_Root_CA_3_2013.pem | 2 +-
secure/caroot/{trusted => blacklisted}/EC-ACC.pem | 2 +-
...oTrust_Primary_Certification_Authority_-_G2.pem | 2 +-
.../Global_Chambersign_Root_-_2008.pem | 2 +-
.../OISTE_WISeKey_Global_Root_GA_CA.pem | 2 +-
.../{trusted => blacklisted}/QuoVadis_Root_CA.pem | 4 +-
.../Sonera_Class_2_Root_CA.pem | 4 +-
.../Staat_der_Nederlanden_Root_CA_-_G3.pem | 2 +-
.../SwissSign_Platinum_CA_-_G2.pem | 2 +-
...Public_Primary_Certification_Authority_-_G6.pem | 2 +-
...Public_Primary_Certification_Authority_-_G6.pem | 2 +-
.../Trustis_FPS_Root_CA.pem | 2 +-
...Sign_Universal_Root_Certification_Authority.pem | 2 +-
...Public_Primary_Certification_Authority_-_G3.pem | 2 +-
...Public_Primary_Certification_Authority_-_G3.pem | 2 +-
secure/caroot/trusted/ACCVRAIZ1.pem | 4 +-
secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem | 4 +-
.../AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem | 69 ++++++++++
.../caroot/trusted/ANF_Secure_Server_Root_CA.pem | 139 +++++++++++++++++++++
.../trusted/Actalis_Authentication_Root_CA.pem | 4 +-
secure/caroot/trusted/AffirmTrust_Commercial.pem | 4 +-
secure/caroot/trusted/AffirmTrust_Networking.pem | 4 +-
secure/caroot/trusted/AffirmTrust_Premium.pem | 4 +-
secure/caroot/trusted/AffirmTrust_Premium_ECC.pem | 4 +-
secure/caroot/trusted/Amazon_Root_CA_1.pem | 4 +-
secure/caroot/trusted/Amazon_Root_CA_2.pem | 4 +-
secure/caroot/trusted/Amazon_Root_CA_3.pem | 4 +-
secure/caroot/trusted/Amazon_Root_CA_4.pem | 4 +-
secure/caroot/trusted/Atos_TrustedRoot_2011.pem | 4 +-
...ertificacion_Firmaprofesional_CIF_A62634068.pem | 4 +-
.../caroot/trusted/Baltimore_CyberTrust_Root.pem | 4 +-
secure/caroot/trusted/Buypass_Class_2_Root_CA.pem | 4 +-
secure/caroot/trusted/Buypass_Class_3_Root_CA.pem | 4 +-
secure/caroot/trusted/CA_Disig_Root_R2.pem | 4 +-
secure/caroot/trusted/CFCA_EV_ROOT.pem | 4 +-
.../trusted/COMODO_Certification_Authority.pem | 4 +-
.../trusted/COMODO_ECC_Certification_Authority.pem | 4 +-
.../trusted/COMODO_RSA_Certification_Authority.pem | 4 +-
secure/caroot/trusted/Certigna.pem | 4 +-
secure/caroot/trusted/Certigna_Root_CA.pem | 4 +-
secure/caroot/trusted/Certum_EC-384_CA.pem | 68 ++++++++++
.../caroot/trusted/Certum_Trusted_Network_CA.pem | 4 +-
.../caroot/trusted/Certum_Trusted_Network_CA_2.pem | 4 +-
secure/caroot/trusted/Certum_Trusted_Root_CA.pem | 136 ++++++++++++++++++++
secure/caroot/trusted/Comodo_AAA_Services_root.pem | 4 +-
secure/caroot/trusted/Cybertrust_Global_Root.pem | 4 +-
.../trusted/D-TRUST_Root_Class_3_CA_2_2009.pem | 4 +-
.../trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.pem | 4 +-
secure/caroot/trusted/DST_Root_CA_X3.pem | 4 +-
.../caroot/trusted/DigiCert_Assured_ID_Root_CA.pem | 4 +-
.../caroot/trusted/DigiCert_Assured_ID_Root_G2.pem | 4 +-
.../caroot/trusted/DigiCert_Assured_ID_Root_G3.pem | 4 +-
secure/caroot/trusted/DigiCert_Global_Root_CA.pem | 4 +-
secure/caroot/trusted/DigiCert_Global_Root_G2.pem | 4 +-
secure/caroot/trusted/DigiCert_Global_Root_G3.pem | 4 +-
.../trusted/DigiCert_High_Assurance_EV_Root_CA.pem | 4 +-
secure/caroot/trusted/DigiCert_Trusted_Root_G4.pem | 4 +-
.../trusted/E-Tugra_Certification_Authority.pem | 4 +-
.../Entrust_Root_Certification_Authority.pem | 4 +-
.../Entrust_Root_Certification_Authority_-_EC1.pem | 4 +-
.../Entrust_Root_Certification_Authority_-_G2.pem | 4 +-
.../Entrust_Root_Certification_Authority_-_G4.pem | 4 +-
.../Entrust_net_Premium_2048_Secure_Server_CA.pem | 4 +-
secure/caroot/trusted/GDCA_TrustAUTH_R5_ROOT.pem | 4 +-
secure/caroot/trusted/GLOBALTRUST_2020.pem | 138 ++++++++++++++++++++
secure/caroot/trusted/GTS_Root_R1.pem | 4 +-
secure/caroot/trusted/GTS_Root_R2.pem | 4 +-
secure/caroot/trusted/GTS_Root_R3.pem | 4 +-
secure/caroot/trusted/GTS_Root_R4.pem | 4 +-
.../caroot/trusted/GlobalSign_ECC_Root_CA_-_R4.pem | 4 +-
.../caroot/trusted/GlobalSign_ECC_Root_CA_-_R5.pem | 4 +-
secure/caroot/trusted/GlobalSign_Root_CA.pem | 4 +-
secure/caroot/trusted/GlobalSign_Root_CA_-_R2.pem | 4 +-
secure/caroot/trusted/GlobalSign_Root_CA_-_R3.pem | 4 +-
secure/caroot/trusted/GlobalSign_Root_CA_-_R6.pem | 4 +-
secure/caroot/trusted/GlobalSign_Root_E46.pem | 66 ++++++++++
secure/caroot/trusted/GlobalSign_Root_R46.pem | 134 ++++++++++++++++++++
secure/caroot/trusted/Go_Daddy_Class_2_CA.pem | 4 +-
.../Go_Daddy_Root_Certificate_Authority_-_G2.pem | 4 +-
...c_and_Research_Institutions_ECC_RootCA_2015.pem | 4 +-
...demic_and_Research_Institutions_RootCA_2011.pem | 4 +-
...demic_and_Research_Institutions_RootCA_2015.pem | 4 +-
secure/caroot/trusted/Hongkong_Post_Root_CA_1.pem | 4 +-
secure/caroot/trusted/Hongkong_Post_Root_CA_3.pem | 4 +-
secure/caroot/trusted/ISRG_Root_X1.pem | 4 +-
.../trusted/IdenTrust_Commercial_Root_CA_1.pem | 4 +-
.../trusted/IdenTrust_Public_Sector_Root_CA_1.pem | 4 +-
secure/caroot/trusted/Izenpe_com.pem | 4 +-
.../trusted/Microsec_e-Szigno_Root_CA_2009.pem | 4 +-
...crosoft_ECC_Root_Certificate_Authority_2017.pem | 4 +-
...crosoft_RSA_Root_Certificate_Authority_2017.pem | 4 +-
.../NAVER_Global_Root_Certification_Authority.pem | 4 +-
...etLock_Arany__Class_Gold__F__tan__s__tv__ny.pem | 4 +-
.../Network_Solutions_Certificate_Authority.pem | 4 +-
.../trusted/OISTE_WISeKey_Global_Root_GB_CA.pem | 4 +-
.../trusted/OISTE_WISeKey_Global_Root_GC_CA.pem | 4 +-
secure/caroot/trusted/QuoVadis_Root_CA_1_G3.pem | 4 +-
secure/caroot/trusted/QuoVadis_Root_CA_2.pem | 4 +-
secure/caroot/trusted/QuoVadis_Root_CA_2_G3.pem | 4 +-
secure/caroot/trusted/QuoVadis_Root_CA_3.pem | 4 +-
secure/caroot/trusted/QuoVadis_Root_CA_3_G3.pem | 4 +-
...SSL_com_EV_Root_Certification_Authority_ECC.pem | 4 +-
..._com_EV_Root_Certification_Authority_RSA_R2.pem | 4 +-
.../SSL_com_Root_Certification_Authority_ECC.pem | 4 +-
.../SSL_com_Root_Certification_Authority_RSA.pem | 4 +-
secure/caroot/trusted/SZAFIR_ROOT_CA2.pem | 4 +-
secure/caroot/trusted/SecureSign_RootCA11.pem | 4 +-
secure/caroot/trusted/SecureTrust_CA.pem | 4 +-
secure/caroot/trusted/Secure_Global_CA.pem | 4 +-
.../trusted/Security_Communication_RootCA2.pem | 4 +-
.../trusted/Security_Communication_Root_CA.pem | 4 +-
.../trusted/Staat_der_Nederlanden_EV_Root_CA.pem | 4 +-
secure/caroot/trusted/Starfield_Class_2_CA.pem | 4 +-
.../Starfield_Root_Certificate_Authority_-_G2.pem | 4 +-
...ld_Services_Root_Certificate_Authority_-_G2.pem | 4 +-
secure/caroot/trusted/SwissSign_Gold_CA_-_G2.pem | 4 +-
secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem | 4 +-
.../trusted/T-TeleSec_GlobalRoot_Class_2.pem | 4 +-
.../trusted/T-TeleSec_GlobalRoot_Class_3.pem | 4 +-
...BITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem | 4 +-
secure/caroot/trusted/TWCA_Global_Root_CA.pem | 4 +-
.../trusted/TWCA_Root_Certification_Authority.pem | 4 +-
secure/caroot/trusted/TeliaSonera_Root_CA_v1.pem | 4 +-
secure/caroot/trusted/TrustCor_ECA-1.pem | 4 +-
secure/caroot/trusted/TrustCor_RootCert_CA-1.pem | 4 +-
secure/caroot/trusted/TrustCor_RootCert_CA-2.pem | 4 +-
.../Trustwave_Global_Certification_Authority.pem | 4 +-
...ave_Global_ECC_P256_Certification_Authority.pem | 4 +-
...ave_Global_ECC_P384_Certification_Authority.pem | 4 +-
.../trusted/UCA_Extended_Validation_Root.pem | 4 +-
secure/caroot/trusted/UCA_Global_G2_Root.pem | 4 +-
.../USERTrust_ECC_Certification_Authority.pem | 4 +-
.../USERTrust_RSA_Certification_Authority.pem | 4 +-
secure/caroot/trusted/XRamp_Global_CA_Root.pem | 4 +-
secure/caroot/trusted/certSIGN_ROOT_CA.pem | 4 +-
secure/caroot/trusted/certSIGN_Root_CA_G2.pem | 4 +-
secure/caroot/trusted/e-Szigno_Root_CA_2017.pem | 4 +-
.../trusted/ePKI_Root_Certification_Authority.pem | 4 +-
secure/caroot/trusted/emSign_ECC_Root_CA_-_C3.pem | 4 +-
secure/caroot/trusted/emSign_ECC_Root_CA_-_G3.pem | 4 +-
secure/caroot/trusted/emSign_Root_CA_-_C1.pem | 4 +-
secure/caroot/trusted/emSign_Root_CA_-_G1.pem | 4 +-
147 files changed, 1176 insertions(+), 151 deletions(-)
diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl
index bfac77c73941..8521b620337f 100755
--- a/secure/caroot/MAca-bundle.pl
+++ b/secure/caroot/MAca-bundle.pl
@@ -76,6 +76,8 @@ sub print_header($$)
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
## with $VERSION
##
@@ -91,6 +93,8 @@ EOFH
## Authorities (CA). These were automatically extracted from Mozilla's
## root CA list (the file `certdata.txt').
##
+## It contains certificates trusted for server authentication.
+##
## Extracted from nss
## with $VERSION
##
@@ -100,6 +104,13 @@ EOH
}
}
+# returns a string like YYMMDDhhmmssZ of current time in GMT zone
+sub timenow()
+{
+ my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time);
+ return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec;
+}
+
sub printcert($$$)
{
my ($fh, $label, $certdata) = @_;
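Review bot: timenow() builds a two-digit year with `$year-100`, so its YYMMDDhhmmssZ result is only comparable with another such value while both dates fall in 2000-2099, and `%02d` prints three digits from 2100 on. Please state that assumption in the comment above the sub, or produce a four-digit year and expand the other operand the same way before comparing. The three trailing `undef` placeholders in the gmtime() list assignment can be dropped.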
@@ -110,6 +121,8 @@ sub printcert($$$)
close(OUT) or die "openssl x509 failed with exit code $?";
}
+# converts a datastream that is to be \177-style octal constants
+# from <> to a (binary) string and returns it
sub graboct($)
{
my $ifh = shift;
@@ -125,13 +138,13 @@ sub graboct($)
return $data;
}
-
sub grabcert($)
{
my $ifh = shift;
my $certdata;
- my $cka_label;
- my $serial;
+ my $cka_label = '';
+ my $serial = 0;
+ my $distrust = 0;
while (<$ifh>) {
chomp;
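Review bot: `my $serial = 0;` gives the serial a numeric default, while every assignment to it comes from graboct(), which is documented above as returning a binary string. The main loop builds its hash key as `$label."\0".$serial`, so please confirm grabtrust() uses the same defaults, otherwise a certificate without a serial will never pair with its trust record. `$distrust` is declared at function scope but only used inside the CKA_NSS_SERVER_DISTRUST_AFTER block, and the blank line removed between graboct() and grabcert() is an unrelated whitespace change.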
@@ -148,6 +161,19 @@ sub grabcert($)
if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
$serial = graboct($ifh);
}
+
+ if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/)
+ {
+ my $distrust_after = graboct($ifh);
+ my $time_now = timenow();
+ if ($time_now >= $distrust_after) { $distrust = 1; }
+ if ($debug) {
+ printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow();
+ }
+ if ($distrust) {
+ return undef;
+ }
+ }
}
return ($serial, $cka_label, $certdata);
}
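Review bot: `if ($time_now >= $distrust_after)` compares two YYMMDDhhmmssZ strings with the numeric operator, which only works because Perl discards the trailing `Z` during conversion and which raises a non-numeric warning when warnings are enabled; `ge` expresses the intended fixed-width string comparison. In the debug printf, `%d` is applied to `$serial`, which holds the binary string from graboct(), and timenow() is called a second time instead of reusing `$time_now`, so the logged serial is meaningless and the logged time can differ from the one compared. `return undef` hands the caller a single undef in list context, which deserves a comment here because the caller unpacks three values.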
@@ -171,13 +197,13 @@ sub grabtrust($) {
$serial = graboct($ifh);
}
- if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
+ if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/)
{
- if ($2 eq 'CKT_NSS_NOT_TRUSTED') {
+ if ($1 eq 'CKT_NSS_NOT_TRUSTED') {
$distrust = 1;
- } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
+ } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
$maytrust = 1;
- } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
+ } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
confess "Unknown trust setting on line $.:\n"
. "$_\n"
. "Script must be updated:";
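Review bot: with the pattern narrowed to `CKA_TRUST_SERVER_AUTH`, the `confess "Unknown trust setting ..."` guard no longer sees CKA_TRUST_EMAIL_PROTECTION or CKA_TRUST_CODE_SIGNING lines, so an unrecognised value on those attributes now passes silently. If that is intended, a comment above the `if` saying the bundle is limited to server authentication would make it explicit. Please also confirm what a trust object with no CKA_TRUST_SERVER_AUTH line ends up as, since neither `$distrust` nor `$maytrust` is set for it.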
@@ -197,16 +223,22 @@ if (!$outputdir) {
print_header(*STDOUT, "");
}
+my $untrusted = 0;
+
while (<$inputfh>) {
if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
my ($serial, $label, $certdata) = grabcert($inputfh);
if (defined $certs{$label."\0".$serial}) {
warn "Certificate $label duplicated!\n";
}
- $certs{$label."\0".$serial} = $certdata;
- # We store the label in a separate hash because truncating the key
- # with \0 was causing garbage data after the end of the text.
- $labels{$label."\0".$serial} = $label;
+ if (defined $certdata) {
+ $certs{$label."\0".$serial} = $certdata;
+ # We store the label in a separate hash because truncating the key
+ # with \0 was causing garbage data after the end of the text.
+ $labels{$label."\0".$serial} = $label;
+ } else { # $certdata undefined? distrust_after in effect
+ $untrusted ++;
+ }
} elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
my ($serial, $label, $trust) = grabtrust($inputfh);
if (defined $trusts{$label."\0".$serial}) {
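Review bot: the duplicate check `if (defined $certs{$label."\0".$serial})` still runs before the new `if (defined $certdata)` test, so when grabcert() returns undef the key is built from an undefined `$label` and `$serial`. Move the duplicate check inside the `defined $certdata` branch. Certificates dropped by distrust-after are also counted in the same `$untrusted` counter as the trust-record weeding further down, so a separate counter would keep the two causes distinguishable; `$untrusted ++` has a stray space.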
@@ -226,7 +258,6 @@ sub label_to_filename(@) {
}
# weed out untrusted certificates
-my $untrusted = 0;
foreach my $it (keys %trusts) {
if (!$trusts{$it}) {
if (!exists($certs{$it})) {
diff --git a/secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
similarity index 98%
rename from secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem
rename to secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
index 601df8f89e10..cf7de6cc122b 100644
--- a/secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem
+++ b/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
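Review bot: the regenerated header line `## with $FreeBSD$` carries an unexpanded keyword where the old line named the script path, revision 352951 and date, so the file no longer records which version of MAca-bundle.pl produced it. Consider having print_header emit a usable identifier for `$VERSION`, or drop the `with` line. The same applies to every regenerated .pem file in this commit.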
diff --git a/secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
similarity index 98%
rename from secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem
rename to secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
index 203fb13108c8..b1fa96bc405e 100644
--- a/secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem
+++ b/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Certum_Root_CA.pem b/secure/caroot/blacklisted/Certum_Root_CA.pem
similarity index 97%
rename from secure/caroot/trusted/Certum_Root_CA.pem
rename to secure/caroot/blacklisted/Certum_Root_CA.pem
index ec03a0f913de..f815c49ddae0 100644
--- a/secure/caroot/trusted/Certum_Root_CA.pem
+++ b/secure/caroot/blacklisted/Certum_Root_CA.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
similarity index 98%
rename from secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem
rename to secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
index b705886574c8..1e3864180a66 100644
--- a/secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem
+++ b/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
similarity index 98%
rename from secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem
rename to secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
index ab9d138bd3e1..debf7b30c2ef 100644
--- a/secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem
+++ b/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/EC-ACC.pem b/secure/caroot/blacklisted/EC-ACC.pem
similarity index 98%
rename from secure/caroot/trusted/EC-ACC.pem
rename to secure/caroot/blacklisted/EC-ACC.pem
index 7fca8890028f..a4b43b39414b 100644
--- a/secure/caroot/trusted/EC-ACC.pem
+++ b/secure/caroot/blacklisted/EC-ACC.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
similarity index 97%
rename from secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
rename to secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
index 65a90850db69..b03758a63c98 100644
--- a/secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
+++ b/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
similarity index 98%
rename from secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem
rename to secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
index cceb29ac1bfd..cd9bebaf8c0f 100644
--- a/secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem
+++ b/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem b/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
similarity index 98%
rename from secure/caroot/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem
rename to secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
index 266b87d98081..08ea553a9e80 100644
--- a/secure/caroot/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem
+++ b/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/QuoVadis_Root_CA.pem b/secure/caroot/blacklisted/QuoVadis_Root_CA.pem
similarity index 98%
rename from secure/caroot/trusted/QuoVadis_Root_CA.pem
rename to secure/caroot/blacklisted/QuoVadis_Root_CA.pem
index f4e14f9874e5..25e6300f5231 100644
--- a/secure/caroot/trusted/QuoVadis_Root_CA.pem
+++ b/secure/caroot/blacklisted/QuoVadis_Root_CA.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
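Review bot: the added header line `## It contains a certificate trusted for server authentication.` lands in a file that this same diff renames into secure/caroot/blacklisted/, so the header contradicts the directory. print_header should take the trust state into account, or omit the sentence for blacklisted output. Sonera_Class_2_Root_CA.pem gets the same line in the next diff.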
diff --git a/secure/caroot/trusted/Sonera_Class_2_Root_CA.pem b/secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
similarity index 98%
rename from secure/caroot/trusted/Sonera_Class_2_Root_CA.pem
rename to secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
index 77e8b4210f9a..b23c237e319f 100644
--- a/secure/caroot/trusted/Sonera_Class_2_Root_CA.pem
+++ b/secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem b/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
similarity index 98%
rename from secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
rename to secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
index ff3bcb131967..14a79c4c3e24 100644
--- a/secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
+++ b/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/SwissSign_Platinum_CA_-_G2.pem b/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
similarity index 98%
rename from secure/caroot/trusted/SwissSign_Platinum_CA_-_G2.pem
rename to secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
index 0fddbbde022d..f4678f629684 100644
--- a/secure/caroot/trusted/SwissSign_Platinum_CA_-_G2.pem
+++ b/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
similarity index 98%
rename from secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
index c0ff22d1acb5..019c97a13d34 100644
--- a/secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
+++ b/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
similarity index 98%
rename from secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
index 1d31c4641235..df9468c1249e 100644
--- a/secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
+++ b/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Trustis_FPS_Root_CA.pem b/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
similarity index 98%
rename from secure/caroot/trusted/Trustis_FPS_Root_CA.pem
rename to secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
index 7ae0c7994c61..476ba64dfd63 100644
--- a/secure/caroot/trusted/Trustis_FPS_Root_CA.pem
+++ b/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/VeriSign_Universal_Root_Certification_Authority.pem b/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
similarity index 98%
rename from secure/caroot/trusted/VeriSign_Universal_Root_Certification_Authority.pem
rename to secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
index a0e4b718c98d..353f709ad531 100644
--- a/secure/caroot/trusted/VeriSign_Universal_Root_Certification_Authority.pem
+++ b/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
similarity index 98%
rename from secure/caroot/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
index 615a72ad485b..d060de75b329 100644
--- a/secure/caroot/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
similarity index 98%
rename from secure/caroot/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
index c6c9b2ff5c6f..89400caf7eb6 100644
--- a/secure/caroot/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
@@ -6,7 +6,7 @@
## root CA list (the file `certdata.txt' in security/nss).
##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/ACCVRAIZ1.pem b/secure/caroot/trusted/ACCVRAIZ1.pem
index 136f7bddb6f3..1c96e53b8f17 100644
--- a/secure/caroot/trusted/ACCVRAIZ1.pem
+++ b/secure/caroot/trusted/ACCVRAIZ1.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
index d327b3ecf2cb..6a64be5ce138 100644
--- a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
+++ b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
new file mode 100644
index 000000000000..71ee49574e84
--- /dev/null
+++ b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
@@ -0,0 +1,69 @@
+##
+## AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## It contains a certificate trusted for server authentication.
+##
+## Extracted from nss
+## with $FreeBSD$
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 62:f6:32:6c:e5:c4:e3:68:5c:1b:62:dd:9c:2e:9d:95
+ Signature Algorithm: ecdsa-with-SHA384
+ Issuer: C = ES, O = FNMT-RCM, OU = Ceres, organizationIdentifier = VATES-Q2826004J, CN = AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+ Validity
+ Not Before: Dec 20 09:37:33 2018 GMT
+ Not After : Dec 20 09:37:33 2043 GMT
+ Subject: C = ES, O = FNMT-RCM, OU = Ceres, organizationIdentifier = VATES-Q2826004J, CN = AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:f6:ba:57:53:c8:ca:ab:df:36:4a:52:21:e4:97:
+ d2:83:67:9e:f0:65:51:d0:5e:87:c7:47:b1:59:f2:
+ 57:47:9b:00:02:93:44:17:69:db:42:c7:b1:b2:3a:
+ 18:0e:b4:5d:8c:b3:66:5d:a1:34:f9:36:2c:49:db:
+ f3:46:fc:b3:44:69:44:13:66:fd:d7:c5:fd:af:36:
+ 4d:ce:03:4d:07:71:cf:af:6a:05:d2:a2:43:5a:0a:
+ 52:6f:01:03:4e:8e:8b
+ ASN1 OID: secp384r1
+ NIST CURVE: P-384
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Subject Key Identifier:
+ 01:B9:2F:EF:BF:11:86:60:F2:4F:D0:41:6E:AB:73:1F:E7:D2:6E:49
+ Signature Algorithm: ecdsa-with-SHA384
+ 30:66:02:31:00:ae:4a:e3:2b:40:c3:74:11:f2:95:ad:16:23:
+ de:4e:0c:1a:e6:5d:a5:24:5e:6b:44:7b:fc:38:e2:4f:cb:9c:
+ 45:17:11:4c:14:27:26:55:39:75:4a:03:cc:13:90:9f:92:02:
+ 31:00:fa:4a:6c:60:88:73:f3:ee:b8:98:62:a9:ce:2b:c2:d9:
+ 8a:a6:70:31:1d:af:b0:94:4c:eb:4f:c6:e3:d1:f3:62:a7:3c:
+ ff:93:2e:07:5c:49:01:67:69:12:02:72:bf:e7
+SHA1 Fingerprint=62:FF:D9:9E:C0:65:0D:03:CE:75:93:D2:ED:3F:2D:32:C9:E3:E5:4A
+-----BEGIN CERTIFICATE-----
+MIICbjCCAfOgAwIBAgIQYvYybOXE42hcG2LdnC6dlTAKBggqhkjOPQQDAzB4MQsw
+CQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVzMRgw
+FgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJBSVogRk5NVC1S
+Q00gU0VSVklET1JFUyBTRUdVUk9TMB4XDTE4MTIyMDA5MzczM1oXDTQzMTIyMDA5
+MzczM1oweDELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMQ4wDAYDVQQL
+DAVDZXJlczEYMBYGA1UEYQwPVkFURVMtUTI4MjYwMDRKMSwwKgYDVQQDDCNBQyBS
+QUlaIEZOTVQtUkNNIFNFUlZJRE9SRVMgU0VHVVJPUzB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABPa6V1PIyqvfNkpSIeSX0oNnnvBlUdBeh8dHsVnyV0ebAAKTRBdp20LH
+sbI6GA60XYyzZl2hNPk2LEnb80b8s0RpRBNm/dfF/a82Tc4DTQdxz69qBdKiQ1oK
+Um8BA06Oi6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
+VR0OBBYEFAG5L++/EYZg8k/QQW6rcx/n0m5JMAoGCCqGSM49BAMDA2kAMGYCMQCu
+SuMrQMN0EfKVrRYj3k4MGuZdpSRea0R7/DjiT8ucRRcRTBQnJlU5dUoDzBOQn5IC
+MQD6SmxgiHPz7riYYqnOK8LZiqZwMR2vsJRM60/G49HzYqc8/5MuB1xJAWdpEgJy
+v+c=
+-----END CERTIFICATE-----
diff --git a/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem b/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem
new file mode 100644
index 000000000000..6114a5ccdb2d
--- /dev/null
+++ b/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem
@@ -0,0 +1,139 @@
+##
+## ANF Secure Server Root CA
+##
+## This is a single X.509 certificate for a public Certificate
+## Authority (CA). It was automatically extracted from Mozilla's
+## root CA list (the file `certdata.txt' in security/nss).
+##
+## It contains a certificate trusted for server authentication.
+##
+## Extracted from nss
+## with $FreeBSD$
+##
+## @generated
+##
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 996390341000653745 (0xdd3e3bc6cf96bb1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: serialNumber = G63287510, C = ES, O = ANF Autoridad de Certificacion, OU = ANF CA Raiz, CN = ANF Secure Server Root CA
+ Validity
+ Not Before: Sep 4 10:00:38 2019 GMT
+ Not After : Aug 30 10:00:38 2039 GMT
+ Subject: serialNumber = G63287510, C = ES, O = ANF Autoridad de Certificacion, OU = ANF CA Raiz, CN = ANF Secure Server Root CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (4096 bit)
+ Modulus:
+ 00:db:eb:6b:2b:e6:64:54:95:82:90:a3:72:a4:19:
+ 01:9d:9c:0b:81:5f:73:49:ba:a7:ac:f3:04:4e:7b:
+ 96:0b:ec:11:e0:5b:a6:1c:ce:1b:d2:0d:83:1c:2b:
+ b8:9e:1d:7e:45:32:60:0f:07:e9:77:58:7e:9f:6a:
+ c8:61:4e:b6:26:c1:4c:8d:ff:4c:ef:34:b2:1f:65:
+ d8:b9:78:f5:ad:a9:71:b9:ef:4f:58:1d:a5:de:74:
+ 20:97:a1:ed:68:4c:de:92:17:4b:bc:ab:ff:65:9a:
+ 9e:fb:47:d9:57:72:f3:09:a1:ae:76:44:13:6e:9c:
+ 2d:44:39:bc:f9:c7:3b:a4:58:3d:41:bd:b4:c2:49:
+ a3:c8:0d:d2:97:2f:07:65:52:00:a7:6e:c8:af:68:
+ ec:f4:14:96:b6:57:1f:56:c3:39:9f:2b:6d:e4:f3:
+ 3e:f6:35:64:da:0c:1c:a1:84:4b:2f:4b:4b:e2:2c:
+ 24:9d:6d:93:40:eb:b5:23:8e:32:ca:6f:45:d3:a8:
+ 89:7b:1e:cf:1e:fa:5b:43:8b:cd:cd:a8:0f:6a:ca:
+ 0c:5e:b9:9e:47:8f:f0:d9:b6:0a:0b:58:65:17:33:
+ b9:23:e4:77:19:7d:cb:4a:2e:92:7b:4f:2f:10:77:
+ b1:8d:2f:68:9c:62:cc:e0:50:f8:ec:91:a7:54:4c:
+ 57:09:d5:76:63:c5:e8:65:1e:ee:6d:6a:cf:09:9d:
+ fa:7c:4f:ad:60:08:fd:56:99:0f:15:2c:7b:a9:80:
+ ab:8c:61:8f:4a:07:76:42:de:3d:f4:dd:b2:24:33:
+ 5b:b8:b5:a3:44:c9:ac:7f:77:3c:1d:23:ec:82:a9:
+ a6:e2:c8:06:4c:02:fe:ac:5c:99:99:0b:2f:10:8a:
+ a6:f4:7f:d5:87:74:0d:59:49:45:f6:f0:71:5c:39:
+ 29:d6:bf:4a:23:8b:f5:5f:01:63:d2:87:73:28:b5:
+ 4b:0a:f5:f8:ab:82:2c:7e:73:25:32:1d:0b:63:0a:
+ 17:81:00:ff:b6:76:5e:e7:b4:b1:40:ca:21:bb:d5:
+ 80:51:e5:48:52:67:2c:d2:61:89:07:0d:0f:ce:42:
+ 77:c0:44:73:9c:44:50:a0:db:10:0a:2d:95:1c:81:
+ af:e4:1c:e5:14:1e:f1:36:41:01:02:2f:7d:73:a7:
+ de:42:cc:4c:e9:89:0d:56:f7:9f:91:d4:03:c6:6c:
+ c9:8f:db:d8:1c:e0:40:98:5d:66:99:98:80:6e:2d:
+ ff:01:c5:ce:cb:46:1f:ac:02:c6:43:e6:ae:a2:84:
+ 3c:c5:4e:1e:3d:6d:c9:14:4c:e3:2e:41:bb:ca:39:
+ bf:36:3c:2a:19:aa:41:87:4e:a5:ce:4b:32:79:dd:
+ 90:49:7f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9C:5F:D0:6C:63:A3:5F:93:CA:93:98:08:AD:8C:87:A5:2C:5C:C1:37
+
+ X509v3 Subject Key Identifier:
+ 9C:5F:D0:6C:63:A3:5F:93:CA:93:98:08:AD:8C:87:A5:2C:5C:C1:37
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 4e:1e:b9:8a:c6:a0:98:3f:6e:c3:69:c0:6a:5c:49:52:ac:cb:
+ 2b:5d:78:38:c1:d5:54:84:9f:93:f0:87:19:3d:2c:66:89:eb:
+ 0d:42:fc:cc:f0:75:85:3f:8b:f4:80:5d:79:e5:17:67:bd:35:
+ 82:e2:f2:3c:8e:7d:5b:36:cb:5a:80:00:29:f2:ce:2b:2c:f1:
+ 8f:aa:6d:05:93:6c:72:c7:56:eb:df:50:23:28:e5:45:10:3d:
+ e8:67:a3:af:0e:55:0f:90:09:62:ef:4b:59:a2:f6:53:f1:c0:
+ 35:e4:2f:c1:24:bd:79:2f:4e:20:22:3b:fd:1a:20:b0:a4:0e:
+ 2c:70:ed:74:3f:b8:13:95:06:51:c8:e8:87:26:ca:a4:5b:6a:
+ 16:21:92:dd:73:60:9e:10:18:de:3c:81:ea:e8:18:c3:7c:89:
+ f2:8b:50:3e:bd:11:e2:15:03:a8:36:7d:33:01:6c:48:15:d7:
+ 88:90:99:04:c5:cc:e6:07:f4:bc:f4:90:ed:13:e2:ea:8b:c3:
+ 8f:a3:33:0f:c1:29:4c:13:4e:da:15:56:71:73:72:82:50:f6:
+ 9a:33:7c:a2:b1:a8:1a:34:74:65:5c:ce:d1:eb:ab:53:e0:1a:
+ 80:d8:ea:3a:49:e4:26:30:9b:e5:1c:8a:a8:a9:15:32:86:99:
+ 92:0a:10:23:56:12:e0:f6:ce:4c:e2:bb:be:db:8d:92:73:01:
+ 66:2f:62:3e:b2:72:27:45:36:ed:4d:56:e3:97:99:ff:3a:35:
+ 3e:a5:54:4a:52:59:4b:60:db:ee:fe:78:11:7f:4a:dc:14:79:
+ 60:b6:6b:64:03:db:15:83:e1:a2:be:f6:23:97:50:f0:09:33:
+ 36:a7:71:96:25:f3:b9:42:7d:db:38:3f:2c:58:ac:e8:42:e1:
+ 0e:d8:d3:3b:4c:2e:82:e9:83:2e:6b:31:d9:dd:47:86:4f:6d:
+ 97:91:2e:4f:e2:28:71:35:16:d1:f2:73:fe:25:2b:07:47:24:
+ 63:27:c8:f8:f6:d9:6b:fc:12:31:56:08:c0:53:42:af:9c:d0:
+ 33:7e:fc:06:f0:31:44:03:14:f1:58:ea:f2:6a:0d:a9:11:b2:
+ 83:be:c5:1a:bf:07:ea:59:dc:a3:88:35:ef:9c:76:32:3c:4d:
+ 06:22:ce:15:e5:dd:9e:d8:8f:da:de:d2:c4:39:e5:17:81:cf:
+ 38:47:eb:7f:88:6d:59:1b:df:9f:42:14:ae:7e:cf:a8:b0:66:
+ 65:da:37:af:9f:aa:3d:ea:28:b6:de:d5:31:58:16:82:5b:ea:
+ bb:19:75:02:73:1a:ca:48:1a:21:93:90:0a:8e:93:84:a7:7d:
+ 3b:23:18:92:89:a0:8d:ac
+SHA1 Fingerprint=5B:6E:68:D0:CC:15:B6:A0:5F:1E:C1:5F:AE:02:FC:6B:2F:5D:6F:74
+-----BEGIN CERTIFICATE-----
+MIIF7zCCA9egAwIBAgIIDdPjvGz5a7EwDQYJKoZIhvcNAQELBQAwgYQxEjAQBgNV
+BAUTCUc2MzI4NzUxMDELMAkGA1UEBhMCRVMxJzAlBgNVBAoTHkFORiBBdXRvcmlk
+YWQgZGUgQ2VydGlmaWNhY2lvbjEUMBIGA1UECxMLQU5GIENBIFJhaXoxIjAgBgNV
+BAMTGUFORiBTZWN1cmUgU2VydmVyIFJvb3QgQ0EwHhcNMTkwOTA0MTAwMDM4WhcN
+MzkwODMwMTAwMDM4WjCBhDESMBAGA1UEBRMJRzYzMjg3NTEwMQswCQYDVQQGEwJF
+UzEnMCUGA1UEChMeQU5GIEF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uMRQwEgYD
+VQQLEwtBTkYgQ0EgUmFpejEiMCAGA1UEAxMZQU5GIFNlY3VyZSBTZXJ2ZXIgUm9v
+dCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANvrayvmZFSVgpCj
+cqQZAZ2cC4Ffc0m6p6zzBE57lgvsEeBbphzOG9INgxwruJ4dfkUyYA8H6XdYfp9q
+yGFOtibBTI3/TO80sh9l2Ll49a2pcbnvT1gdpd50IJeh7WhM3pIXS7yr/2WanvtH
+2Vdy8wmhrnZEE26cLUQ5vPnHO6RYPUG9tMJJo8gN0pcvB2VSAKduyK9o7PQUlrZX
+H1bDOZ8rbeTzPvY1ZNoMHKGESy9LS+IsJJ1tk0DrtSOOMspvRdOoiXsezx76W0OL
+zc2oD2rKDF65nkeP8Nm2CgtYZRczuSPkdxl9y0oukntPLxB3sY0vaJxizOBQ+OyR
+p1RMVwnVdmPF6GUe7m1qzwmd+nxPrWAI/VaZDxUse6mAq4xhj0oHdkLePfTdsiQz
+W7i1o0TJrH93PB0j7IKppuLIBkwC/qxcmZkLLxCKpvR/1Yd0DVlJRfbwcVw5Kda/
+SiOL9V8BY9KHcyi1Swr1+KuCLH5zJTIdC2MKF4EA/7Z2Xue0sUDKIbvVgFHlSFJn
+LNJhiQcND85Cd8BEc5xEUKDbEAotlRyBr+Qc5RQe8TZBAQIvfXOn3kLMTOmJDVb3
+n5HUA8ZsyY/b2BzgQJhdZpmYgG4t/wHFzstGH6wCxkPmrqKEPMVOHj1tyRRM4y5B
+u8o5vzY8KhmqQYdOpc5LMnndkEl/AgMBAAGjYzBhMB8GA1UdIwQYMBaAFJxf0Gxj
+o1+TypOYCK2Mh6UsXME3MB0GA1UdDgQWBBScX9BsY6Nfk8qTmAitjIelLFzBNzAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEATh65isagmD9uw2nAalxJUqzLK114OMHVVISfk/CHGT0sZonrDUL8zPB1hT+L
+9IBdeeUXZ701guLyPI59WzbLWoAAKfLOKyzxj6ptBZNscsdW699QIyjlRRA96Gej
+rw5VD5AJYu9LWaL2U/HANeQvwSS9eS9OICI7/RogsKQOLHDtdD+4E5UGUcjohybK
+pFtqFiGS3XNgnhAY3jyB6ugYw3yJ8otQPr0R4hUDqDZ9MwFsSBXXiJCZBMXM5gf0
+vPSQ7RPi6ovDj6MzD8EpTBNO2hVWcXNyglD2mjN8orGoGjR0ZVzO0eurU+AagNjq
+OknkJjCb5RyKqKkVMoaZkgoQI1YS4PbOTOK7vtuNknMBZi9iPrJyJ0U27U1W45eZ
+/zo1PqVUSlJZS2Db7v54EX9K3BR5YLZrZAPbFYPhor72I5dQ8AkzNqdxliXzuUJ9
+2zg/LFis6ELhDtjTO0wugumDLmsx2d1Hhk9tl5EuT+IocTUW0fJz/iUrB0ckYyfI
++PbZa/wSMVYIwFNCr5zQM378BvAxRAMU8Vjq8moNqRGyg77FGr8H6lnco4g175x2
+MjxNBiLOFeXdntiP2t7SxDnlF4HPOEfrf4htWRvfn0IUrn7PqLBmZdo3r5+qPeoo
+tt7VMVgWglvquxl1AnMaykgaIZOQCo6ThKd9OyMYkomgjaw=
+-----END CERTIFICATE-----
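Review bot: The only fingerprint emitted for this newly trusted root is SHA-1, on the `SHA1 Fingerprint=` line just before `-----BEGIN CERTIFICATE-----`. SHA-1 is no longer collision resistant, and anyone checking a new trust anchor out of band will normally want a SHA-256 value to compare against. Suggest having the generator print a SHA-256 fingerprint next to the SHA-1 one in the text dump, so the file carries an identifier that can be checked without re-deriving it from the PEM body.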
diff --git a/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem b/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
index 6e7823d4b81f..7c971e1229a2 100644
--- a/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
+++ b/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
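Review bot: Provenance is lost in the header here: the removed line recorded the generator as `head/secure/caroot/MAca-bundle.pl 352951 2019-10-02`, while the replacement is a bare `## with $FreeBSD$`, and `## Extracted from nss` still names no nss or certdata.txt version. After this change nothing in the generated file says which script revision or which upstream snapshot produced it. Suggest writing the upstream version (or the certdata.txt revision) into the header when the script runs, so a given trusted/ file can be traced back to its source.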
diff --git a/secure/caroot/trusted/AffirmTrust_Commercial.pem b/secure/caroot/trusted/AffirmTrust_Commercial.pem
index e0a8ebdf12e1..282d1a5dcf6f 100644
--- a/secure/caroot/trusted/AffirmTrust_Commercial.pem
+++ b/secure/caroot/trusted/AffirmTrust_Commercial.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
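Review bot: Consider splitting the regenerated headers from the trust changes. The comment-only edit at the top of this file (the added `## It contains a certificate trusted for server authentication.` line and the `$FreeBSD$` swap) repeats unchanged in the files that follow, so real additions such as ANF_Secure_Server_Root_CA.pem are buried in a long run of hunks that change no certificate data. Putting the header regeneration in its own commit would leave a diff in which every hunk is an actual trust-store decision, which is what a reviewer of a root bundle update needs to check.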
diff --git a/secure/caroot/trusted/AffirmTrust_Networking.pem b/secure/caroot/trusted/AffirmTrust_Networking.pem
index a96b036f4153..830cf3f0c3c2 100644
--- a/secure/caroot/trusted/AffirmTrust_Networking.pem
+++ b/secure/caroot/trusted/AffirmTrust_Networking.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/AffirmTrust_Premium.pem b/secure/caroot/trusted/AffirmTrust_Premium.pem
index ee259e197476..725747aafdaf 100644
--- a/secure/caroot/trusted/AffirmTrust_Premium.pem
+++ b/secure/caroot/trusted/AffirmTrust_Premium.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem b/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
index 5f600162a941..6fe75939863e 100644
--- a/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
+++ b/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_1.pem b/secure/caroot/trusted/Amazon_Root_CA_1.pem
index 9221de0cea44..2aca2eee3e9b 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_1.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_1.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_2.pem b/secure/caroot/trusted/Amazon_Root_CA_2.pem
index 418ffc0b8de0..95ca81db30bb 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_2.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_2.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
## @generated
##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_3.pem b/secure/caroot/trusted/Amazon_Root_CA_3.pem
index 36ff13dc4708..294f7dc8f0b6 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_3.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_3.pem
@@ -5,8 +5,10 @@
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
+## It contains a certificate trusted for server authentication.
+##
## Extracted from nss
-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+## with $FreeBSD$
##
*** 2334 LINES SKIPPED ***