ca_root_nss and MD5 root certs

Michael Gmelin freebsd at
Sun Mar 29 13:54:26 UTC 2015

I noticed that recent versions of ca_root_nss removed root certificates
that use an MD5 signature hash.

Even though I think is is the Right Thing(tm) to do, it leads to
problems when talking to systems that use certificates signed by one of
those root CAs. Unfortunately there seem to be a lot of systems out
there that rely on such a certificate, especially this one:

2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c)
 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
   cc/OU=Certification Services Division/CN=Thawte Premium Server
   CA/emailAddress=premium-server at

These sites still work in Chrome, I'm not certain what they're doing to

It's a bit problematic, as updating ca_root_nss effectively cuts one
off other systems and APIs.

Is there any recommended workaround (other than manually adding the
root and locking the package)?


Michael Gmelin

More information about the freebsd-ports mailing list