git: 534d1019aa53 - stable/12 - caroot: cumulative cert update

Sat Sep 4 07:39:33 UTC 2021

The branch stable/12 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=534d1019aa53e2ee3ce673d58cabe4a8ca85ee35

commit 534d1019aa53e2ee3ce673d58cabe4a8ca85ee35
Author:     Kyle Evans <kevans at FreeBSD.org>
AuthorDate: 2021-03-30 02:56:40 +0000
Commit:     Kyle Evans <kevans at FreeBSD.org>
CommitDate: 2021-09-04 07:39:03 +0000

    caroot: cumulative cert update
    
    This adds a note in all existing certs that they are explicitly trusted
    for server auth, and also:
    
    - Seven (7) added
    - Nineteen (19) removed
    
    (cherry picked from commit 446169e0b6f04b96960540784539c218f5a14c86)
    (cherry picked from commit 3016c5c2bf68d8c6ebf303939f20092478e7a4ca)
    (cherry picked from commit fac832b27105d926d9f8728d7147adb547b937d8)
    (cherry picked from commit 76461921dac18b300489e326ba3df61d2809f364)
---
 .../Camerfirma_Chambers_of_Commerce_Root.pem       |   0
 .../Camerfirma_Global_Chambersign_Root.pem         |   0
 .../{trusted => blacklisted}/Certum_Root_CA.pem    |   0
 .../Chambers_of_Commerce_Root_-_2008.pem           |   0
 .../D-TRUST_Root_CA_3_2013.pem                     |   0
 secure/caroot/{trusted => blacklisted}/EC-ACC.pem  |   0
 ...oTrust_Primary_Certification_Authority_-_G2.pem |   0
 .../Global_Chambersign_Root_-_2008.pem             |   0
 .../OISTE_WISeKey_Global_Root_GA_CA.pem            |   0
 .../{trusted => blacklisted}/QuoVadis_Root_CA.pem  |   2 +
 .../Sonera_Class_2_Root_CA.pem                     |   2 +
 .../Staat_der_Nederlanden_Root_CA_-_G3.pem         |   0
 .../SwissSign_Platinum_CA_-_G2.pem                 |   0
 ...Public_Primary_Certification_Authority_-_G6.pem |   0
 ...Public_Primary_Certification_Authority_-_G6.pem |   0
 .../Trustis_FPS_Root_CA.pem                        |   0
 ...Sign_Universal_Root_Certification_Authority.pem |   0
 ...Public_Primary_Certification_Authority_-_G3.pem |   0
 ...Public_Primary_Certification_Authority_-_G3.pem |   0
 secure/caroot/trusted/ACCVRAIZ1.pem                |   2 +
 secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem         |   2 +
 .../AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem        |  69 ++++++++++
 .../caroot/trusted/ANF_Secure_Server_Root_CA.pem   | 139 +++++++++++++++++++++
 .../trusted/Actalis_Authentication_Root_CA.pem     |   2 +
 secure/caroot/trusted/AffirmTrust_Commercial.pem   |   2 +
 secure/caroot/trusted/AffirmTrust_Networking.pem   |   2 +
 secure/caroot/trusted/AffirmTrust_Premium.pem      |   2 +
 secure/caroot/trusted/AffirmTrust_Premium_ECC.pem  |   2 +
 secure/caroot/trusted/Amazon_Root_CA_1.pem         |   2 +
 secure/caroot/trusted/Amazon_Root_CA_2.pem         |   2 +
 secure/caroot/trusted/Amazon_Root_CA_3.pem         |   2 +
 secure/caroot/trusted/Amazon_Root_CA_4.pem         |   2 +
 secure/caroot/trusted/Atos_TrustedRoot_2011.pem    |   2 +
 ...ertificacion_Firmaprofesional_CIF_A62634068.pem |   2 +
 .../caroot/trusted/Baltimore_CyberTrust_Root.pem   |   2 +
 secure/caroot/trusted/Buypass_Class_2_Root_CA.pem  |   2 +
 secure/caroot/trusted/Buypass_Class_3_Root_CA.pem  |   2 +
 secure/caroot/trusted/CA_Disig_Root_R2.pem         |   2 +
 secure/caroot/trusted/CFCA_EV_ROOT.pem             |   2 +
 .../trusted/COMODO_Certification_Authority.pem     |   2 +
 .../trusted/COMODO_ECC_Certification_Authority.pem |   2 +
 .../trusted/COMODO_RSA_Certification_Authority.pem |   2 +
 secure/caroot/trusted/Certigna.pem                 |   2 +
 secure/caroot/trusted/Certigna_Root_CA.pem         |   2 +
 secure/caroot/trusted/Certum_EC-384_CA.pem         |  68 ++++++++++
 .../caroot/trusted/Certum_Trusted_Network_CA.pem   |   2 +
 .../caroot/trusted/Certum_Trusted_Network_CA_2.pem |   2 +
 secure/caroot/trusted/Certum_Trusted_Root_CA.pem   | 136 ++++++++++++++++++++
 secure/caroot/trusted/Comodo_AAA_Services_root.pem |   2 +
 secure/caroot/trusted/Cybertrust_Global_Root.pem   |   2 +
 .../trusted/D-TRUST_Root_Class_3_CA_2_2009.pem     |   2 +
 .../trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.pem  |   2 +
 secure/caroot/trusted/DST_Root_CA_X3.pem           |   2 +
 .../caroot/trusted/DigiCert_Assured_ID_Root_CA.pem |   2 +
 .../caroot/trusted/DigiCert_Assured_ID_Root_G2.pem |   2 +
 .../caroot/trusted/DigiCert_Assured_ID_Root_G3.pem |   2 +
 secure/caroot/trusted/DigiCert_Global_Root_CA.pem  |   2 +
 secure/caroot/trusted/DigiCert_Global_Root_G2.pem  |   2 +
 secure/caroot/trusted/DigiCert_Global_Root_G3.pem  |   2 +
 .../trusted/DigiCert_High_Assurance_EV_Root_CA.pem |   2 +
 secure/caroot/trusted/DigiCert_Trusted_Root_G4.pem |   2 +
 .../trusted/E-Tugra_Certification_Authority.pem    |   2 +
 .../Entrust_Root_Certification_Authority.pem       |   2 +
 .../Entrust_Root_Certification_Authority_-_EC1.pem |   2 +
 .../Entrust_Root_Certification_Authority_-_G2.pem  |   2 +
 .../Entrust_Root_Certification_Authority_-_G4.pem  |   2 +
 .../Entrust_net_Premium_2048_Secure_Server_CA.pem  |   2 +
 secure/caroot/trusted/GDCA_TrustAUTH_R5_ROOT.pem   |   2 +
 secure/caroot/trusted/GLOBALTRUST_2020.pem         | 138 ++++++++++++++++++++
 secure/caroot/trusted/GTS_Root_R1.pem              |   2 +
 secure/caroot/trusted/GTS_Root_R2.pem              |   2 +
 secure/caroot/trusted/GTS_Root_R3.pem              |   2 +
 secure/caroot/trusted/GTS_Root_R4.pem              |   2 +
 .../caroot/trusted/GlobalSign_ECC_Root_CA_-_R4.pem |   2 +
 .../caroot/trusted/GlobalSign_ECC_Root_CA_-_R5.pem |   2 +
 secure/caroot/trusted/GlobalSign_Root_CA.pem       |   2 +
 secure/caroot/trusted/GlobalSign_Root_CA_-_R2.pem  |   2 +
 secure/caroot/trusted/GlobalSign_Root_CA_-_R3.pem  |   2 +
 secure/caroot/trusted/GlobalSign_Root_CA_-_R6.pem  |   2 +
 secure/caroot/trusted/GlobalSign_Root_E46.pem      |  66 ++++++++++
 secure/caroot/trusted/GlobalSign_Root_R46.pem      | 134 ++++++++++++++++++++
 secure/caroot/trusted/Go_Daddy_Class_2_CA.pem      |   2 +
 .../Go_Daddy_Root_Certificate_Authority_-_G2.pem   |   2 +
 ...c_and_Research_Institutions_ECC_RootCA_2015.pem |   2 +
 ...demic_and_Research_Institutions_RootCA_2011.pem |   2 +
 ...demic_and_Research_Institutions_RootCA_2015.pem |   2 +
 secure/caroot/trusted/Hongkong_Post_Root_CA_1.pem  |   2 +
 secure/caroot/trusted/Hongkong_Post_Root_CA_3.pem  |   2 +
 secure/caroot/trusted/ISRG_Root_X1.pem             |   2 +
 .../trusted/IdenTrust_Commercial_Root_CA_1.pem     |   2 +
 .../trusted/IdenTrust_Public_Sector_Root_CA_1.pem  |   2 +
 secure/caroot/trusted/Izenpe_com.pem               |   2 +
 .../trusted/Microsec_e-Szigno_Root_CA_2009.pem     |   2 +
 ...crosoft_ECC_Root_Certificate_Authority_2017.pem |   2 +
 ...crosoft_RSA_Root_Certificate_Authority_2017.pem |   2 +
 .../NAVER_Global_Root_Certification_Authority.pem  |   2 +
 ...etLock_Arany__Class_Gold__F__tan__s__tv__ny.pem |   2 +
 .../Network_Solutions_Certificate_Authority.pem    |   2 +
 .../trusted/OISTE_WISeKey_Global_Root_GB_CA.pem    |   2 +
 .../trusted/OISTE_WISeKey_Global_Root_GC_CA.pem    |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_1_G3.pem    |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_2.pem       |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_2_G3.pem    |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_3.pem       |   2 +
 secure/caroot/trusted/QuoVadis_Root_CA_3_G3.pem    |   2 +
 ...SSL_com_EV_Root_Certification_Authority_ECC.pem |   2 +
 ..._com_EV_Root_Certification_Authority_RSA_R2.pem |   2 +
 .../SSL_com_Root_Certification_Authority_ECC.pem   |   2 +
 .../SSL_com_Root_Certification_Authority_RSA.pem   |   2 +
 secure/caroot/trusted/SZAFIR_ROOT_CA2.pem          |   2 +
 secure/caroot/trusted/SecureSign_RootCA11.pem      |   2 +
 secure/caroot/trusted/SecureTrust_CA.pem           |   2 +
 secure/caroot/trusted/Secure_Global_CA.pem         |   2 +
 .../trusted/Security_Communication_RootCA2.pem     |   2 +
 .../trusted/Security_Communication_Root_CA.pem     |   2 +
 .../trusted/Staat_der_Nederlanden_EV_Root_CA.pem   |   2 +
 secure/caroot/trusted/Starfield_Class_2_CA.pem     |   2 +
 .../Starfield_Root_Certificate_Authority_-_G2.pem  |   2 +
 ...ld_Services_Root_Certificate_Authority_-_G2.pem |   2 +
 secure/caroot/trusted/SwissSign_Gold_CA_-_G2.pem   |   2 +
 secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem |   2 +
 .../trusted/T-TeleSec_GlobalRoot_Class_2.pem       |   2 +
 .../trusted/T-TeleSec_GlobalRoot_Class_3.pem       |   2 +
 ...BITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem |   2 +
 secure/caroot/trusted/TWCA_Global_Root_CA.pem      |   2 +
 .../trusted/TWCA_Root_Certification_Authority.pem  |   2 +
 secure/caroot/trusted/TeliaSonera_Root_CA_v1.pem   |   2 +
 secure/caroot/trusted/TrustCor_ECA-1.pem           |   2 +
 secure/caroot/trusted/TrustCor_RootCert_CA-1.pem   |   2 +
 secure/caroot/trusted/TrustCor_RootCert_CA-2.pem   |   2 +
 .../Trustwave_Global_Certification_Authority.pem   |   2 +
 ...ave_Global_ECC_P256_Certification_Authority.pem |   2 +
 ...ave_Global_ECC_P384_Certification_Authority.pem |   2 +
 .../trusted/UCA_Extended_Validation_Root.pem       |   2 +
 secure/caroot/trusted/UCA_Global_G2_Root.pem       |   2 +
 .../USERTrust_ECC_Certification_Authority.pem      |   2 +
 .../USERTrust_RSA_Certification_Authority.pem      |   2 +
 secure/caroot/trusted/XRamp_Global_CA_Root.pem     |   2 +
 secure/caroot/trusted/certSIGN_ROOT_CA.pem         |   2 +
 secure/caroot/trusted/certSIGN_Root_CA_G2.pem      |   2 +
 secure/caroot/trusted/e-Szigno_Root_CA_2017.pem    |   2 +
 .../trusted/ePKI_Root_Certification_Authority.pem  |   2 +
 secure/caroot/trusted/emSign_ECC_Root_CA_-_C3.pem  |   2 +
 secure/caroot/trusted/emSign_ECC_Root_CA_-_G3.pem  |   2 +
 secure/caroot/trusted/emSign_Root_CA_-_C1.pem      |   2 +
 secure/caroot/trusted/emSign_Root_CA_-_G1.pem      |   2 +
 146 files changed, 994 insertions(+)

diff --git a/secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
similarity index 100%
rename from secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem
rename to secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
diff --git a/secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
similarity index 100%
rename from secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem
rename to secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
diff --git a/secure/caroot/trusted/Certum_Root_CA.pem b/secure/caroot/blacklisted/Certum_Root_CA.pem
similarity index 100%
rename from secure/caroot/trusted/Certum_Root_CA.pem
rename to secure/caroot/blacklisted/Certum_Root_CA.pem
diff --git a/secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
similarity index 100%
rename from secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem
rename to secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
diff --git a/secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
similarity index 100%
rename from secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem
rename to secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
diff --git a/secure/caroot/trusted/EC-ACC.pem b/secure/caroot/blacklisted/EC-ACC.pem
similarity index 100%
rename from secure/caroot/trusted/EC-ACC.pem
rename to secure/caroot/blacklisted/EC-ACC.pem
diff --git a/secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
similarity index 100%
rename from secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
rename to secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
diff --git a/secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
similarity index 100%
rename from secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem
rename to secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
diff --git a/secure/caroot/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem b/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
similarity index 100%
rename from secure/caroot/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem
rename to secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
diff --git a/secure/caroot/trusted/QuoVadis_Root_CA.pem b/secure/caroot/blacklisted/QuoVadis_Root_CA.pem
similarity index 98%
rename from secure/caroot/trusted/QuoVadis_Root_CA.pem
rename to secure/caroot/blacklisted/QuoVadis_Root_CA.pem
index 3619cd0cbd03..25e6300f5231 100644
--- a/secure/caroot/trusted/QuoVadis_Root_CA.pem
+++ b/secure/caroot/blacklisted/QuoVadis_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Sonera_Class_2_Root_CA.pem b/secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
similarity index 98%
rename from secure/caroot/trusted/Sonera_Class_2_Root_CA.pem
rename to secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
index 7b38ef463d6a..b23c237e319f 100644
--- a/secure/caroot/trusted/Sonera_Class_2_Root_CA.pem
+++ b/secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem b/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
similarity index 100%
rename from secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
rename to secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
diff --git a/secure/caroot/trusted/SwissSign_Platinum_CA_-_G2.pem b/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
similarity index 100%
rename from secure/caroot/trusted/SwissSign_Platinum_CA_-_G2.pem
rename to secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
diff --git a/secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
similarity index 100%
rename from secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
similarity index 100%
rename from secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/trusted/Trustis_FPS_Root_CA.pem b/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
similarity index 100%
rename from secure/caroot/trusted/Trustis_FPS_Root_CA.pem
rename to secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
diff --git a/secure/caroot/trusted/VeriSign_Universal_Root_Certification_Authority.pem b/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
similarity index 100%
rename from secure/caroot/trusted/VeriSign_Universal_Root_Certification_Authority.pem
rename to secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
diff --git a/secure/caroot/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
similarity index 100%
rename from secure/caroot/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
similarity index 100%
rename from secure/caroot/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/trusted/ACCVRAIZ1.pem b/secure/caroot/trusted/ACCVRAIZ1.pem
index 0c7c7c41b57d..1c96e53b8f17 100644
--- a/secure/caroot/trusted/ACCVRAIZ1.pem
+++ b/secure/caroot/trusted/ACCVRAIZ1.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
index 579f50d8d730..6a64be5ce138 100644
--- a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
+++ b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
new file mode 100644
index 000000000000..71ee49574e84
--- /dev/null
+++ b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
@@ -0,0 +1,69 @@
+##
+##  AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  It contains a certificate trusted for server authentication.
+##
+##  Extracted from nss
+##  with $FreeBSD$
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            62:f6:32:6c:e5:c4:e3:68:5c:1b:62:dd:9c:2e:9d:95
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C = ES, O = FNMT-RCM, OU = Ceres, organizationIdentifier = VATES-Q2826004J, CN = AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+        Validity
+            Not Before: Dec 20 09:37:33 2018 GMT
+            Not After : Dec 20 09:37:33 2043 GMT
+        Subject: C = ES, O = FNMT-RCM, OU = Ceres, organizationIdentifier = VATES-Q2826004J, CN = AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:f6:ba:57:53:c8:ca:ab:df:36:4a:52:21:e4:97:
+                    d2:83:67:9e:f0:65:51:d0:5e:87:c7:47:b1:59:f2:
+                    57:47:9b:00:02:93:44:17:69:db:42:c7:b1:b2:3a:
+                    18:0e:b4:5d:8c:b3:66:5d:a1:34:f9:36:2c:49:db:
+                    f3:46:fc:b3:44:69:44:13:66:fd:d7:c5:fd:af:36:
+                    4d:ce:03:4d:07:71:cf:af:6a:05:d2:a2:43:5a:0a:
+                    52:6f:01:03:4e:8e:8b
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                01:B9:2F:EF:BF:11:86:60:F2:4F:D0:41:6E:AB:73:1F:E7:D2:6E:49
+    Signature Algorithm: ecdsa-with-SHA384
+         30:66:02:31:00:ae:4a:e3:2b:40:c3:74:11:f2:95:ad:16:23:
+         de:4e:0c:1a:e6:5d:a5:24:5e:6b:44:7b:fc:38:e2:4f:cb:9c:
+         45:17:11:4c:14:27:26:55:39:75:4a:03:cc:13:90:9f:92:02:
+         31:00:fa:4a:6c:60:88:73:f3:ee:b8:98:62:a9:ce:2b:c2:d9:
+         8a:a6:70:31:1d:af:b0:94:4c:eb:4f:c6:e3:d1:f3:62:a7:3c:
+         ff:93:2e:07:5c:49:01:67:69:12:02:72:bf:e7
+SHA1 Fingerprint=62:FF:D9:9E:C0:65:0D:03:CE:75:93:D2:ED:3F:2D:32:C9:E3:E5:4A
+-----BEGIN CERTIFICATE-----
+MIICbjCCAfOgAwIBAgIQYvYybOXE42hcG2LdnC6dlTAKBggqhkjOPQQDAzB4MQsw
+CQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVzMRgw
+FgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJBSVogRk5NVC1S
+Q00gU0VSVklET1JFUyBTRUdVUk9TMB4XDTE4MTIyMDA5MzczM1oXDTQzMTIyMDA5
+MzczM1oweDELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMQ4wDAYDVQQL
+DAVDZXJlczEYMBYGA1UEYQwPVkFURVMtUTI4MjYwMDRKMSwwKgYDVQQDDCNBQyBS
+QUlaIEZOTVQtUkNNIFNFUlZJRE9SRVMgU0VHVVJPUzB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABPa6V1PIyqvfNkpSIeSX0oNnnvBlUdBeh8dHsVnyV0ebAAKTRBdp20LH
+sbI6GA60XYyzZl2hNPk2LEnb80b8s0RpRBNm/dfF/a82Tc4DTQdxz69qBdKiQ1oK
+Um8BA06Oi6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
+VR0OBBYEFAG5L++/EYZg8k/QQW6rcx/n0m5JMAoGCCqGSM49BAMDA2kAMGYCMQCu
+SuMrQMN0EfKVrRYj3k4MGuZdpSRea0R7/DjiT8ucRRcRTBQnJlU5dUoDzBOQn5IC
+MQD6SmxgiHPz7riYYqnOK8LZiqZwMR2vsJRM60/G49HzYqc8/5MuB1xJAWdpEgJy
+v+c=
+-----END CERTIFICATE-----
diff --git a/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem b/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem
new file mode 100644
index 000000000000..6114a5ccdb2d
--- /dev/null
+++ b/secure/caroot/trusted/ANF_Secure_Server_Root_CA.pem
@@ -0,0 +1,139 @@
+##
+##  ANF Secure Server Root CA
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  It contains a certificate trusted for server authentication.
+##
+##  Extracted from nss
+##  with $FreeBSD$
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 996390341000653745 (0xdd3e3bc6cf96bb1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: serialNumber = G63287510, C = ES, O = ANF Autoridad de Certificacion, OU = ANF CA Raiz, CN = ANF Secure Server Root CA
+        Validity
+            Not Before: Sep  4 10:00:38 2019 GMT
+            Not After : Aug 30 10:00:38 2039 GMT
+        Subject: serialNumber = G63287510, C = ES, O = ANF Autoridad de Certificacion, OU = ANF CA Raiz, CN = ANF Secure Server Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:db:eb:6b:2b:e6:64:54:95:82:90:a3:72:a4:19:
+                    01:9d:9c:0b:81:5f:73:49:ba:a7:ac:f3:04:4e:7b:
+                    96:0b:ec:11:e0:5b:a6:1c:ce:1b:d2:0d:83:1c:2b:
+                    b8:9e:1d:7e:45:32:60:0f:07:e9:77:58:7e:9f:6a:
+                    c8:61:4e:b6:26:c1:4c:8d:ff:4c:ef:34:b2:1f:65:
+                    d8:b9:78:f5:ad:a9:71:b9:ef:4f:58:1d:a5:de:74:
+                    20:97:a1:ed:68:4c:de:92:17:4b:bc:ab:ff:65:9a:
+                    9e:fb:47:d9:57:72:f3:09:a1:ae:76:44:13:6e:9c:
+                    2d:44:39:bc:f9:c7:3b:a4:58:3d:41:bd:b4:c2:49:
+                    a3:c8:0d:d2:97:2f:07:65:52:00:a7:6e:c8:af:68:
+                    ec:f4:14:96:b6:57:1f:56:c3:39:9f:2b:6d:e4:f3:
+                    3e:f6:35:64:da:0c:1c:a1:84:4b:2f:4b:4b:e2:2c:
+                    24:9d:6d:93:40:eb:b5:23:8e:32:ca:6f:45:d3:a8:
+                    89:7b:1e:cf:1e:fa:5b:43:8b:cd:cd:a8:0f:6a:ca:
+                    0c:5e:b9:9e:47:8f:f0:d9:b6:0a:0b:58:65:17:33:
+                    b9:23:e4:77:19:7d:cb:4a:2e:92:7b:4f:2f:10:77:
+                    b1:8d:2f:68:9c:62:cc:e0:50:f8:ec:91:a7:54:4c:
+                    57:09:d5:76:63:c5:e8:65:1e:ee:6d:6a:cf:09:9d:
+                    fa:7c:4f:ad:60:08:fd:56:99:0f:15:2c:7b:a9:80:
+                    ab:8c:61:8f:4a:07:76:42:de:3d:f4:dd:b2:24:33:
+                    5b:b8:b5:a3:44:c9:ac:7f:77:3c:1d:23:ec:82:a9:
+                    a6:e2:c8:06:4c:02:fe:ac:5c:99:99:0b:2f:10:8a:
+                    a6:f4:7f:d5:87:74:0d:59:49:45:f6:f0:71:5c:39:
+                    29:d6:bf:4a:23:8b:f5:5f:01:63:d2:87:73:28:b5:
+                    4b:0a:f5:f8:ab:82:2c:7e:73:25:32:1d:0b:63:0a:
+                    17:81:00:ff:b6:76:5e:e7:b4:b1:40:ca:21:bb:d5:
+                    80:51:e5:48:52:67:2c:d2:61:89:07:0d:0f:ce:42:
+                    77:c0:44:73:9c:44:50:a0:db:10:0a:2d:95:1c:81:
+                    af:e4:1c:e5:14:1e:f1:36:41:01:02:2f:7d:73:a7:
+                    de:42:cc:4c:e9:89:0d:56:f7:9f:91:d4:03:c6:6c:
+                    c9:8f:db:d8:1c:e0:40:98:5d:66:99:98:80:6e:2d:
+                    ff:01:c5:ce:cb:46:1f:ac:02:c6:43:e6:ae:a2:84:
+                    3c:c5:4e:1e:3d:6d:c9:14:4c:e3:2e:41:bb:ca:39:
+                    bf:36:3c:2a:19:aa:41:87:4e:a5:ce:4b:32:79:dd:
+                    90:49:7f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:9C:5F:D0:6C:63:A3:5F:93:CA:93:98:08:AD:8C:87:A5:2C:5C:C1:37
+
+            X509v3 Subject Key Identifier: 
+                9C:5F:D0:6C:63:A3:5F:93:CA:93:98:08:AD:8C:87:A5:2C:5C:C1:37
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         4e:1e:b9:8a:c6:a0:98:3f:6e:c3:69:c0:6a:5c:49:52:ac:cb:
+         2b:5d:78:38:c1:d5:54:84:9f:93:f0:87:19:3d:2c:66:89:eb:
+         0d:42:fc:cc:f0:75:85:3f:8b:f4:80:5d:79:e5:17:67:bd:35:
+         82:e2:f2:3c:8e:7d:5b:36:cb:5a:80:00:29:f2:ce:2b:2c:f1:
+         8f:aa:6d:05:93:6c:72:c7:56:eb:df:50:23:28:e5:45:10:3d:
+         e8:67:a3:af:0e:55:0f:90:09:62:ef:4b:59:a2:f6:53:f1:c0:
+         35:e4:2f:c1:24:bd:79:2f:4e:20:22:3b:fd:1a:20:b0:a4:0e:
+         2c:70:ed:74:3f:b8:13:95:06:51:c8:e8:87:26:ca:a4:5b:6a:
+         16:21:92:dd:73:60:9e:10:18:de:3c:81:ea:e8:18:c3:7c:89:
+         f2:8b:50:3e:bd:11:e2:15:03:a8:36:7d:33:01:6c:48:15:d7:
+         88:90:99:04:c5:cc:e6:07:f4:bc:f4:90:ed:13:e2:ea:8b:c3:
+         8f:a3:33:0f:c1:29:4c:13:4e:da:15:56:71:73:72:82:50:f6:
+         9a:33:7c:a2:b1:a8:1a:34:74:65:5c:ce:d1:eb:ab:53:e0:1a:
+         80:d8:ea:3a:49:e4:26:30:9b:e5:1c:8a:a8:a9:15:32:86:99:
+         92:0a:10:23:56:12:e0:f6:ce:4c:e2:bb:be:db:8d:92:73:01:
+         66:2f:62:3e:b2:72:27:45:36:ed:4d:56:e3:97:99:ff:3a:35:
+         3e:a5:54:4a:52:59:4b:60:db:ee:fe:78:11:7f:4a:dc:14:79:
+         60:b6:6b:64:03:db:15:83:e1:a2:be:f6:23:97:50:f0:09:33:
+         36:a7:71:96:25:f3:b9:42:7d:db:38:3f:2c:58:ac:e8:42:e1:
+         0e:d8:d3:3b:4c:2e:82:e9:83:2e:6b:31:d9:dd:47:86:4f:6d:
+         97:91:2e:4f:e2:28:71:35:16:d1:f2:73:fe:25:2b:07:47:24:
+         63:27:c8:f8:f6:d9:6b:fc:12:31:56:08:c0:53:42:af:9c:d0:
+         33:7e:fc:06:f0:31:44:03:14:f1:58:ea:f2:6a:0d:a9:11:b2:
+         83:be:c5:1a:bf:07:ea:59:dc:a3:88:35:ef:9c:76:32:3c:4d:
+         06:22:ce:15:e5:dd:9e:d8:8f:da:de:d2:c4:39:e5:17:81:cf:
+         38:47:eb:7f:88:6d:59:1b:df:9f:42:14:ae:7e:cf:a8:b0:66:
+         65:da:37:af:9f:aa:3d:ea:28:b6:de:d5:31:58:16:82:5b:ea:
+         bb:19:75:02:73:1a:ca:48:1a:21:93:90:0a:8e:93:84:a7:7d:
+         3b:23:18:92:89:a0:8d:ac
+SHA1 Fingerprint=5B:6E:68:D0:CC:15:B6:A0:5F:1E:C1:5F:AE:02:FC:6B:2F:5D:6F:74
+-----BEGIN CERTIFICATE-----
+MIIF7zCCA9egAwIBAgIIDdPjvGz5a7EwDQYJKoZIhvcNAQELBQAwgYQxEjAQBgNV
+BAUTCUc2MzI4NzUxMDELMAkGA1UEBhMCRVMxJzAlBgNVBAoTHkFORiBBdXRvcmlk
+YWQgZGUgQ2VydGlmaWNhY2lvbjEUMBIGA1UECxMLQU5GIENBIFJhaXoxIjAgBgNV
+BAMTGUFORiBTZWN1cmUgU2VydmVyIFJvb3QgQ0EwHhcNMTkwOTA0MTAwMDM4WhcN
+MzkwODMwMTAwMDM4WjCBhDESMBAGA1UEBRMJRzYzMjg3NTEwMQswCQYDVQQGEwJF
+UzEnMCUGA1UEChMeQU5GIEF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uMRQwEgYD
+VQQLEwtBTkYgQ0EgUmFpejEiMCAGA1UEAxMZQU5GIFNlY3VyZSBTZXJ2ZXIgUm9v
+dCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANvrayvmZFSVgpCj
+cqQZAZ2cC4Ffc0m6p6zzBE57lgvsEeBbphzOG9INgxwruJ4dfkUyYA8H6XdYfp9q
+yGFOtibBTI3/TO80sh9l2Ll49a2pcbnvT1gdpd50IJeh7WhM3pIXS7yr/2WanvtH
+2Vdy8wmhrnZEE26cLUQ5vPnHO6RYPUG9tMJJo8gN0pcvB2VSAKduyK9o7PQUlrZX
+H1bDOZ8rbeTzPvY1ZNoMHKGESy9LS+IsJJ1tk0DrtSOOMspvRdOoiXsezx76W0OL
+zc2oD2rKDF65nkeP8Nm2CgtYZRczuSPkdxl9y0oukntPLxB3sY0vaJxizOBQ+OyR
+p1RMVwnVdmPF6GUe7m1qzwmd+nxPrWAI/VaZDxUse6mAq4xhj0oHdkLePfTdsiQz
+W7i1o0TJrH93PB0j7IKppuLIBkwC/qxcmZkLLxCKpvR/1Yd0DVlJRfbwcVw5Kda/
+SiOL9V8BY9KHcyi1Swr1+KuCLH5zJTIdC2MKF4EA/7Z2Xue0sUDKIbvVgFHlSFJn
+LNJhiQcND85Cd8BEc5xEUKDbEAotlRyBr+Qc5RQe8TZBAQIvfXOn3kLMTOmJDVb3
+n5HUA8ZsyY/b2BzgQJhdZpmYgG4t/wHFzstGH6wCxkPmrqKEPMVOHj1tyRRM4y5B
+u8o5vzY8KhmqQYdOpc5LMnndkEl/AgMBAAGjYzBhMB8GA1UdIwQYMBaAFJxf0Gxj
+o1+TypOYCK2Mh6UsXME3MB0GA1UdDgQWBBScX9BsY6Nfk8qTmAitjIelLFzBNzAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEATh65isagmD9uw2nAalxJUqzLK114OMHVVISfk/CHGT0sZonrDUL8zPB1hT+L
+9IBdeeUXZ701guLyPI59WzbLWoAAKfLOKyzxj6ptBZNscsdW699QIyjlRRA96Gej
+rw5VD5AJYu9LWaL2U/HANeQvwSS9eS9OICI7/RogsKQOLHDtdD+4E5UGUcjohybK
+pFtqFiGS3XNgnhAY3jyB6ugYw3yJ8otQPr0R4hUDqDZ9MwFsSBXXiJCZBMXM5gf0
+vPSQ7RPi6ovDj6MzD8EpTBNO2hVWcXNyglD2mjN8orGoGjR0ZVzO0eurU+AagNjq
+OknkJjCb5RyKqKkVMoaZkgoQI1YS4PbOTOK7vtuNknMBZi9iPrJyJ0U27U1W45eZ
+/zo1PqVUSlJZS2Db7v54EX9K3BR5YLZrZAPbFYPhor72I5dQ8AkzNqdxliXzuUJ9
+2zg/LFis6ELhDtjTO0wugumDLmsx2d1Hhk9tl5EuT+IocTUW0fJz/iUrB0ckYyfI
++PbZa/wSMVYIwFNCr5zQM378BvAxRAMU8Vjq8moNqRGyg77FGr8H6lnco4g175x2
+MjxNBiLOFeXdntiP2t7SxDnlF4HPOEfrf4htWRvfn0IUrn7PqLBmZdo3r5+qPeoo
+tt7VMVgWglvquxl1AnMaykgaIZOQCo6ThKd9OyMYkomgjaw=
+-----END CERTIFICATE-----
diff --git a/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem b/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
index 7248545350e2..7c971e1229a2 100644
--- a/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
+++ b/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AffirmTrust_Commercial.pem b/secure/caroot/trusted/AffirmTrust_Commercial.pem
index 1d85c32853c8..282d1a5dcf6f 100644
--- a/secure/caroot/trusted/AffirmTrust_Commercial.pem
+++ b/secure/caroot/trusted/AffirmTrust_Commercial.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AffirmTrust_Networking.pem b/secure/caroot/trusted/AffirmTrust_Networking.pem
index 222bde26c934..830cf3f0c3c2 100644
--- a/secure/caroot/trusted/AffirmTrust_Networking.pem
+++ b/secure/caroot/trusted/AffirmTrust_Networking.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AffirmTrust_Premium.pem b/secure/caroot/trusted/AffirmTrust_Premium.pem
index dc1447429465..725747aafdaf 100644
--- a/secure/caroot/trusted/AffirmTrust_Premium.pem
+++ b/secure/caroot/trusted/AffirmTrust_Premium.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem b/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
index a6f01409a2ef..6fe75939863e 100644
--- a/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
+++ b/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_1.pem b/secure/caroot/trusted/Amazon_Root_CA_1.pem
index 6bf1acafd4c7..2aca2eee3e9b 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_1.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_1.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_2.pem b/secure/caroot/trusted/Amazon_Root_CA_2.pem
index 80a1eb66bee2..95ca81db30bb 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_2.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_2.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_3.pem b/secure/caroot/trusted/Amazon_Root_CA_3.pem
index 6b61b3e18fa0..294f7dc8f0b6 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_3.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_3.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Amazon_Root_CA_4.pem b/secure/caroot/trusted/Amazon_Root_CA_4.pem
index df7aa6f1c165..649917b9638a 100644
--- a/secure/caroot/trusted/Amazon_Root_CA_4.pem
+++ b/secure/caroot/trusted/Amazon_Root_CA_4.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Atos_TrustedRoot_2011.pem b/secure/caroot/trusted/Atos_TrustedRoot_2011.pem
index 21b229561733..7058d3fb6edf 100644
--- a/secure/caroot/trusted/Atos_TrustedRoot_2011.pem
+++ b/secure/caroot/trusted/Atos_TrustedRoot_2011.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem b/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
index 4d2eaa61962f..db4f44195dbd 100644
--- a/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
+++ b/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem b/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem
index 3dc1de849346..0f356d59962f 100644
--- a/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem
+++ b/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem b/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem
index dc2c86edbed1..0168f641fd42 100644
--- a/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem
+++ b/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem b/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem
index fda39f8731d1..7ae24799e638 100644
--- a/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem
+++ b/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/CA_Disig_Root_R2.pem b/secure/caroot/trusted/CA_Disig_Root_R2.pem
index 0ecc9d1ee08d..0dda6d97e2aa 100644
--- a/secure/caroot/trusted/CA_Disig_Root_R2.pem
+++ b/secure/caroot/trusted/CA_Disig_Root_R2.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/CFCA_EV_ROOT.pem b/secure/caroot/trusted/CFCA_EV_ROOT.pem
index 7eb37baa3bed..722499b9ed42 100644
--- a/secure/caroot/trusted/CFCA_EV_ROOT.pem
+++ b/secure/caroot/trusted/CFCA_EV_ROOT.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/COMODO_Certification_Authority.pem b/secure/caroot/trusted/COMODO_Certification_Authority.pem
index 7aa1237bb8e1..fc3e4b554cc3 100644
--- a/secure/caroot/trusted/COMODO_Certification_Authority.pem
+++ b/secure/caroot/trusted/COMODO_Certification_Authority.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem b/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem
index 215581b14fdf..5f839a858d00 100644
--- a/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem
+++ b/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem b/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem
index 38e275f1365e..7faefe98b8bf 100644
--- a/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem
+++ b/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Certigna.pem b/secure/caroot/trusted/Certigna.pem
index bbcd413be511..e9104ef6c3da 100644
--- a/secure/caroot/trusted/Certigna.pem
+++ b/secure/caroot/trusted/Certigna.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Certigna_Root_CA.pem b/secure/caroot/trusted/Certigna_Root_CA.pem
index c1a0286ab2a0..a0a7248b51ea 100644
--- a/secure/caroot/trusted/Certigna_Root_CA.pem
+++ b/secure/caroot/trusted/Certigna_Root_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Certum_EC-384_CA.pem b/secure/caroot/trusted/Certum_EC-384_CA.pem
new file mode 100644
index 000000000000..67b5d644f809
--- /dev/null
+++ b/secure/caroot/trusted/Certum_EC-384_CA.pem
@@ -0,0 +1,68 @@
+##
+##  Certum EC-384 CA
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  It contains a certificate trusted for server authentication.
+##
+##  Extracted from nss
+##  with $FreeBSD$
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            78:8f:27:5c:81:12:52:20:a5:04:d0:2d:dd:ba:73:f4
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum EC-384 CA
+        Validity
+            Not Before: Mar 26 07:24:54 2018 GMT
+            Not After : Mar 26 07:24:54 2043 GMT
+        Subject: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum EC-384 CA
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:c4:28:8e:ab:18:5b:6a:be:6e:64:37:63:e4:cd:
+                    ec:ab:3a:f7:cc:a1:b8:0e:82:49:d7:86:29:9f:a1:
+                    94:f2:e3:60:78:98:81:78:06:4d:f2:ec:9a:0e:57:
+                    60:83:9f:b4:e6:17:2f:1a:b3:5d:02:5b:89:23:3c:
+                    c2:11:05:2a:a7:88:13:18:f3:50:84:d7:bd:34:2c:
+                    27:89:55:ff:ce:4c:e7:df:a6:1f:28:c4:f0:54:c3:
+                    b9:7c:b7:53:ad:eb:c2
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                8D:06:66:74:24:76:3A:F3:89:F7:BC:D6:BD:47:7D:2F:BC:10:5F:4B
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA384
+         30:65:02:30:03:55:2d:a6:e6:18:c4:7c:ef:c9:50:6e:c1:27:
+         0f:9c:87:af:6e:d5:1b:08:18:bd:92:29:c1:ef:94:91:78:d2:
+         3a:1c:55:89:62:e5:1b:09:1e:ba:64:6b:f1:76:b4:d4:02:31:
+         00:b4:42:84:99:ff:ab:e7:9e:fb:91:97:27:5d:dc:b0:5b:30:
+         71:ce:5e:38:1a:6a:d9:25:e7:ea:f7:61:92:56:f8:ea:da:36:
+         c2:87:65:96:2e:72:25:2f:7f:df:c3:13:c9
+SHA1 Fingerprint=F3:3E:78:3C:AC:DF:F4:A2:CC:AC:67:55:69:56:D7:E5:16:3C:E1:ED
+-----BEGIN CERTIFICATE-----
+MIICZTCCAeugAwIBAgIQeI8nXIESUiClBNAt3bpz9DAKBggqhkjOPQQDAzB0MQsw
+CQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScw
+JQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGTAXBgNVBAMT
+EENlcnR1bSBFQy0zODQgQ0EwHhcNMTgwMzI2MDcyNDU0WhcNNDMwMzI2MDcyNDU0
+WjB0MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBT
+LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGTAX
+BgNVBAMTEENlcnR1bSBFQy0zODQgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATE
+KI6rGFtqvm5kN2PkzeyrOvfMobgOgknXhimfoZTy42B4mIF4Bk3y7JoOV2CDn7Tm
+Fy8as10CW4kjPMIRBSqniBMY81CE1700LCeJVf/OTOffph8oxPBUw7l8t1Ot68Kj
+QjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI0GZnQkdjrzife81r1HfS+8
+EF9LMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNoADBlAjADVS2m5hjEfO/J
+UG7BJw+ch69u1RsIGL2SKcHvlJF40jocVYli5RsJHrpka/F2tNQCMQC0QoSZ/6vn
+nvuRlydd3LBbMHHOXjgaatkl5+r3YZJW+OraNsKHZZYuciUvf9/DE8k=
+-----END CERTIFICATE-----
diff --git a/secure/caroot/trusted/Certum_Trusted_Network_CA.pem b/secure/caroot/trusted/Certum_Trusted_Network_CA.pem
index a321445a502c..5f92008a47ab 100644
--- a/secure/caroot/trusted/Certum_Trusted_Network_CA.pem
+++ b/secure/caroot/trusted/Certum_Trusted_Network_CA.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem b/secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem
index 62cee7fc2058..8dcc08c17b07 100644
--- a/secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem
+++ b/secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem
@@ -5,6 +5,8 @@
 ##  Authority (CA). It was automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt' in security/nss).
 ##
+##  It contains a certificate trusted for server authentication.
+##
 ##  Extracted from nss
 ##  with $FreeBSD$
 ##
diff --git a/secure/caroot/trusted/Certum_Trusted_Root_CA.pem b/secure/caroot/trusted/Certum_Trusted_Root_CA.pem
new file mode 100644
index 000000000000..d6034eb6e081
--- /dev/null
+++ b/secure/caroot/trusted/Certum_Trusted_Root_CA.pem
@@ -0,0 +1,136 @@
+##
+##  Certum Trusted Root CA
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  It contains a certificate trusted for server authentication.
+##
+##  Extracted from nss
+##  with $FreeBSD$
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1e:bf:59:50:b8:c9:80:37:4c:06:f7:eb:55:4f:b5:ed
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA
+        Validity
+            Not Before: Mar 16 12:10:13 2018 GMT
+            Not After : Mar 16 12:10:13 2043 GMT
+        Subject: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:d1:2d:8e:bb:b7:36:ea:6d:37:91:9f:4e:93:a7:
+                    05:e4:29:03:25:ce:1c:82:f7:7c:99:9f:41:06:cd:
+                    ed:a3:ba:c0:db:09:2c:c1:7c:df:29:7e:4b:65:2f:
+                    93:a7:d4:01:6b:03:28:18:a3:d8:9d:05:c1:2a:d8:
+                    45:f1:91:de:df:3b:d0:80:02:8c:cf:38:0f:ea:a7:
+                    5c:78:11:a4:c1:c8:85:5c:25:d3:d3:b2:e7:25:cf:
+                    11:54:97:ab:35:c0:1e:76:1c:ef:00:53:9f:39:dc:
+                    14:a5:2c:22:25:b3:72:72:fc:8d:b3:e5:3e:08:1e:
+                    14:2a:37:0b:88:3c:ca:b0:f4:c8:c2:a1:ae:bc:c1:
+                    be:29:67:55:e2:fc:ad:59:5c:fe:bd:57:2c:b0:90:
+                    8d:c2:ed:37:b6:7c:99:88:b5:d5:03:9a:3d:15:0d:
+                    3d:3a:a8:a8:45:f0:95:4e:25:59:1d:cd:98:69:bb:
+                    d3:cc:32:c9:8d:ef:81:fe:ad:7d:89:bb:ba:60:13:
+                    ca:65:95:67:a0:f3:19:f6:03:56:d4:6a:d3:27:e2:
+                    a1:ad:83:f0:4a:12:22:77:1c:05:73:e2:19:71:42:
+                    c0:ec:75:46:9a:90:58:e0:6a:8e:2b:a5:46:30:04:
+                    8e:19:b2:17:e3:be:a9:ba:7f:56:f1:24:03:d7:b2:
+                    21:28:76:0e:36:30:4c:79:d5:41:9a:9a:a8:b8:35:
+                    ba:0c:3a:f2:44:1b:20:88:f7:c5:25:d7:3d:c6:e3:
+                    3e:43:dd:87:fe:c4:ea:f5:53:3e:4c:65:ff:3b:4a:
+                    cb:78:5a:6b:17:5f:0d:c7:c3:4f:4e:9a:2a:a2:ed:
+                    57:4d:22:e2:46:9a:3f:0f:91:34:24:7d:55:e3:8c:
+                    95:37:d3:1a:f0:09:2b:2c:d2:c9:8d:b4:0d:00:ab:
+                    67:29:28:d8:01:f5:19:04:b6:1d:be:76:fe:72:5c:
+                    c4:85:ca:d2:80:41:df:05:a8:a3:d5:84:90:4f:0b:
+                    f3:e0:3f:9b:19:d2:37:89:3f:f2:7b:52:1c:8c:f6:
+                    e1:f7:3c:07:97:8c:0e:a2:59:81:0c:b2:90:3d:d3:
+                    e3:59:46:ed:0f:a9:a7:de:80:6b:5a:aa:07:b6:19:
+                    cb:bc:57:f3:97:21:7a:0c:b1:2b:74:3e:eb:da:a7:
+                    67:2d:4c:c4:98:9e:36:09:76:66:66:fc:1a:3f:ea:
+                    48:54:1c:be:30:bd:80:50:bf:7c:b5:ce:00:f6:0c:
+                    61:d9:e7:24:03:e0:e3:01:81:0e:bd:d8:85:34:88:
+                    bd:b2:36:a8:7b:5c:08:e5:44:80:8c:6f:f8:2f:d5:
+                    21:ca:1d:1c:d0:fb:c4:b5:87:d1:3a:4e:c7:76:b5:
+                    35:48:b5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                8C:FB:1C:75:BC:02:D3:9F:4E:2E:48:D9:F9:60:54:AA:C4:B3:4F:FA
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha512WithRSAEncryption
+         48:a2:d5:00:0b:2e:d0:3f:bc:1c:d5:b5:54:49:1e:5a:6b:f4:
+         e4:f2:e0:40:37:e0:cc:14:7b:b9:c9:fa:35:b5:75:17:93:6a:
+         05:69:85:9c:cd:4f:19:78:5b:19:81:f3:63:3e:c3:ce:5b:8f:
+         f5:2f:5e:01:76:13:3f:2c:00:b9:cd:96:52:39:49:6d:04:4e:
+         c5:e9:0f:86:0d:e1:fa:b3:5f:82:12:f1:3a:ce:66:06:24:34:
+         2b:e8:cc:ca:e7:69:dc:87:9d:c2:34:d7:79:d1:d3:77:b8:aa:
+         59:58:fe:9d:26:fa:38:86:3e:9d:8a:87:64:57:e5:17:3a:e2:
+         f9:8d:b9:e3:33:78:c1:90:d8:b8:dd:b7:83:51:e4:c4:cc:23:
+         d5:06:7c:e6:51:d3:cd:34:31:c0:f6:46:bb:0b:ad:fc:3d:10:
+         05:2a:3b:4a:91:25:ee:8c:d4:84:87:80:2a:bc:09:8c:aa:3a:
+         13:5f:e8:34:79:50:c1:10:19:f9:d3:28:1e:d4:d1:51:30:29:
+         b3:ae:90:67:d6:1f:0a:63:b1:c5:a9:c6:42:31:63:17:94:ef:
+         69:cb:2f:fa:8c:14:7d:c4:43:18:89:d9:f0:32:40:e6:80:e2:
+         46:5f:e5:e3:c1:00:59:a8:f9:e8:20:bc:89:2c:0e:47:34:0b:
+         ea:57:c2:53:36:fc:a7:d4:af:31:cd:fe:02:e5:75:fa:b9:27:
+         09:f9:f3:f5:3b:ca:7d:9f:a9:22:cb:88:c9:aa:d1:47:3d:36:
+         77:a8:59:64:6b:27:cf:ef:27:c1:e3:24:b5:86:f7:ae:7e:32:
+         4d:b0:79:68:d1:39:e8:90:58:c3:83:bc:0f:2c:d6:97:eb:ce:
*** 1636 LINES SKIPPED ***
