{
	"id": "7c2a57e5-7691-4912-bbf7-f39db31d4111",
	"created_at": "2026-04-06T00:08:25.630799Z",
	"updated_at": "2026-04-10T13:12:05.545615Z",
	"deleted_at": null,
	"sha1_hash": "baa5248784cbd6706c7cd9cd57b56928a789c035",
	"title": "Root certificate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 162009,
	"plain_text": "Root certificate\r\nBy Contributors to Wikimedia projects\r\nPublished: 2003-08-14 · Archived: 2026-04-05 17:25:50 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nThe role of root certificate as in the chain of trust.\r\nIn cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate\r\nauthority (CA).[1] Root certificates are self-signed (and it is possible for a certificate to have multiple trust paths,\r\nsay if the certificate was issued by a root that was cross-signed) and form the basis of an X.509-based public key\r\ninfrastructure (PKI). Either it has matched Authority Key Identifier with Subject Key Identifier, in some cases\r\nthere is no Authority Key identifier, then Issuer string should match with Subject string (RFC 5280). For instance,\r\nthe PKIs supporting HTTPS[2] for secure web browsing and electronic signature schemes depend on a set of root\r\ncertificates.\r\nA certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key which is used to \"sign\" other certificates. All certificates signed by the\r\nroot certificate, with the \"CA\" field set to true, inherit the trustworthiness of the root certificate—a signature by a\r\nroot certificate is somewhat analogous to \"notarizing\" identity in the physical world. Such a certificate is called an\r\nintermediate certificate or subordinate CA certificate. Certificates further down the tree also depend on the\r\ntrustworthiness of the intermediates.\r\nThe root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure\r\nphysical distribution. For example, some of the best-known root certificates are distributed in operating systems\r\nby their manufacturers. Microsoft distributes root certificates belonging to members of the Microsoft Root\r\nCertificate Program to Windows desktops and Windows Phone 8.\r\n[2]\r\n Apple distributes root certificates belonging\r\nto members of its own root program.\r\nIncidents of root certificate misuse\r\nhttps://en.wikipedia.org/wiki/Root_certificate\r\nPage 1 of 3\n\n[edit]\r\nDigiNotar hack of 2011\r\n[edit]\r\nIn 2011, the Dutch certificate authority DigiNotar suffered a security breach. This led to the issuing of various\r\nfraudulent certificates, which was among others abused to target Iranian Gmail users. The trust in DigiNotar\r\ncertificates was retracted and the operational management of the company was taken over by the Dutch\r\ngovernment.\r\nChina Internet Network Information Center (CNNIC) issuance of fake certificates\r\n[edit]\r\nExample of a DigiCert root certificate\r\nIn 2009, an employee of the China Internet Network Information Center (CNNIC) applied to Mozilla to add\r\nCNNIC to Mozilla's root certificate list[3] and was approved. Later, Microsoft also added CNNIC to the root\r\ncertificate list of Windows.\r\nIn 2015, many users chose not to trust the digital certificates issued by CNNIC because an intermediate CA issued\r\nby CNNIC was found to have issued fake certificates for Google domain names[4] and raised concerns about\r\nCNNIC's abuse of certificate issuing power.\r\n[5]\r\nOn April 2, 2015, Google announced that it no longer recognized the electronic certificate issued by CNNIC.[6][7]\r\n[8]\r\n On April 4, following Google, Mozilla also announced that it no longer recognized the electronic certificate\r\nissued by CNNIC.[9][10]\r\nWoSign and StartCom: Issuing fake and backdated certificates\r\n[edit]\r\nhttps://en.wikipedia.org/wiki/Root_certificate\r\nPage 2 of 3\n\nIn 2016, WoSign, China's largest CA certificate issuer owned by Qihoo 360[11]\r\n and its Israeli subsidiary StartCom,\r\nwere denied recognition of their certificates by Google. Microsoft removed the relevant certificates in 2017.[12]\r\nWoSign and StartCom issued hundreds of certificates with the same serial number in just five days, as well as\r\nissuing backdated certificates.[13] In 2016, a system administrator in Florida was able to get WoSign and StartCom\r\nto issue fake certificates for multiple GitHub domains.[14]\r\nOnline Certificate Status Protocol (OCSP)\r\nSuperfish\r\nSHA-1\r\nTimestamp\r\nVerisign\r\nGoogle and Symantec clash on website security checks\r\n1. ^ \"What Are CA Certificates?\". Microsoft TechNet. 2003-03-28.\r\n2. ^ Jump up to: a\r\n \r\nb\r\n \"Windows and Windows Phone 8 SSL Root Certificate Program (Member CAs)\".\r\nMicrosoft TechNet. October 2014.\r\n3. ^ \"476766 - Add China Internet Network Information Center (CNNIC) CA Root Certificate\".\r\nbugzilla.mozilla.org. Archived from the original on 2020-02-22. Retrieved 2020-01-03.\r\n4. ^ \"CNNIC发行的中级CA发行了Google的假证书\". solidot. 2015-03-24. Archived from the original on\r\n2015-03-26. Retrieved 2015-03-24.\r\n5. ^ \"最危险的互联网漏洞正在逼近\". Archived from the original on 2015-11-21. Retrieved 2015-03-26.\r\n6. ^ \"Google Bans China's Website Certificate Authority After Security Breach\". No. April 2, 2015. Extra\r\nCrunch.\r\n7. ^ \"谷歌不再承認中國CNNIC頒發的信任證書\". 華爾街日報. 2015-04-03. Retrieved 2015-04-03.\r\n8. ^ \"谷歌不再信任中国CNNIC 的网站信任证书\". 美國之音. 2015-04-03. Retrieved 2015-04-03.\r\n9. ^ \"Google and Mozilla decide to ban Chinese certificate authority CNNIC from Chrome and Firefox\".\r\nVentureBeat. April 2, 2015.\r\n10. ^ \"Mozilla紧随谷歌 拒绝承认中国安全证书\". 美國之音. 2015-04-04. Retrieved 2015-04-04.\r\n11. ^ \"谷歌宣布开始全面封杀使用沃通CA证书网站，信誉破产的恶果 - 超能网\". www.expreview.com.\r\nRetrieved 2020-01-03.\r\n12. ^ Microsoft Defender Security Research Team (2017-08-08). \"Microsoft to remove WoSign and StartCom\r\ncertificates in Windows 10\". Microsoft.\r\n13. ^ \"CA:WoSign Issues - MozillaWiki\". wiki.mozilla.org. Retrieved 2020-01-03.\r\n14. ^ Stephen Schrauger. \"The story of how WoSign gave me an SSL certificate for GitHub.com\".\r\nSchrauger.com.\r\nSource: https://en.wikipedia.org/wiki/Root_certificate\r\nhttps://en.wikipedia.org/wiki/Root_certificate\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Root_certificate"
	],
	"report_names": [
		"Root_certificate"
	],
	"threat_actors": [],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/baa5248784cbd6706c7cd9cd57b56928a789c035.pdf",
		"text": "https://archive.orkl.eu/baa5248784cbd6706c7cd9cd57b56928a789c035.txt",
		"img": "https://archive.orkl.eu/baa5248784cbd6706c7cd9cd57b56928a789c035.jpg"
	}
}