{"id":19362943,"url":"https://github.com/tls-inspector/rootca","last_synced_at":"2026-05-23T00:10:42.007Z","repository":{"id":64702917,"uuid":"569936834","full_name":"tls-inspector/rootca","owner":"tls-inspector","description":"Root CA Certificate Bundles","archived":false,"fork":false,"pushed_at":"2024-04-29T12:47:06.000Z","size":7014,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-04-29T13:56:59.260Z","etag":null,"topics":["certificates","pki","tls","x509"],"latest_commit_sha":null,"homepage":"https://tlsinspector.com/ca.html","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tls-inspector.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["ecnepsnai"]}},"created_at":"2022-11-24T00:48:34.000Z","updated_at":"2024-05-29T21:25:36.989Z","dependencies_parsed_at":"2023-11-29T19:35:05.592Z","dependency_job_id":"6629e662-1fa0-4ae5-ad01-3b42f0a53c59","html_url":"https://github.com/tls-inspector/rootca","commit_stats":null,"previous_names":[],"tags_count":42,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tls-inspector%2Frootca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tls-inspector%2Frootca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tls-inspector%2Frootca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tls-inspector%2Frootca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tls-inspector","download_url":"https://codeload.github.com/tls-inspector/rootca/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240483782,"owners_count":19808632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificates","pki","tls","x509"],"created_at":"2024-11-10T07:31:37.449Z","updated_at":"2025-10-07T05:39:00.855Z","avatar_url":"https://github.com/tls-inspector.png","language":"Go","funding_links":["https://github.com/sponsors/ecnepsnai"],"categories":[],"sub_categories":[],"readme":"# Root CA Certificate Stores\n\nThis repository provides collections of Root CA Certificate Stores from Apple, Google, Microsoft, and Mozilla.\nThe latest release of this repo always contains the most recent store, and is updated automatically whenever any changes\nare made.\n\nThis is provided for the TLS Inspector iOS application, but can be used by anybody within the terms of the license. The\nrepository is entirely self-contained and can be self-hosted or modified.\n\n## About\n\nThis repository contains the following components: An update utility that builds the certificate bundles, a container,\nand a GitHub workflow using that utility to check for and perform updates, and the actual certificate bundles and metadata.\n\nThe certificate bundles are packaged as PKCS#7 archives with the certificates included in the Certificate/CRL section,\nand a text file with the PEM-encoded certificates.\n\nThe primary metadata file contains the modified date of the bundle, a checksums of the bundle files, and the number of\ncertificates included. The key property is internal to the container and should be ignored by consumers of the\nbundles. Additionally, a comma-separated-value list of all certificates included in the bundles is provided for\nreference, but should not be programmatically relied upon.\n\nFor information on the update utility, see updater/README.md.\n\n### Verification\n\nBundles \u0026 Metadata are signed by an ECDSA-P256 key and have an accompanying signature file.\nThe sining public key is included in the repo and in each release.\n\nYou can verify the signature of the files using OpenSSL (using `bundle_metadata.json` as an example):\n\n```bash\nopenssl dgst -sha256 -verify signing_key.pem -signature bundle_metadata.json.sig bundle_metadata.json\n```\n\n## Bundles\n\n### Apple\n\nTo generate the Apple bundle, certificates are downloaded directly from [Apple's OSS GitHub Repo](https://github.com/apple-oss-distributions/security_certificates).\n\n### Google\n\nThe Google bundle is based on the [Chromium source code](https://github.com/chromium/chromium/blob/main/net/data/ssl/chrome_root_store/root_store.certs)\n, which contains certificates participating in the [Chrome Root Program](https://g.co/chrome/root-policy).\n\n### Microsoft\n\nThe Microsoft bundle is based on [Microsoft Trusted Root program](https://learn.microsoft.com/en-us/security/trusted-root/participants-list)\n, utilizing [Windows Subject Trust Lists](https://github.com/tls-inspector/authrootstl) downloaded directly from Windows\nUpdate. Only certificates that are trusted, valid for Server Authentication, and not expired are included.\n\n### Mozilla\n\nTo generate the Mozilla bundle, a prepared list of certificates extracted from Firefox is downloaded from the [curl website](https://curl.se/docs/caextract.html).\n\n### TLS Inspector\n\nThe TLS Inspector bundle is a collection of certificate that are trusted equally by all other vendors. For example, a\ncertificate that Microsoft trusts that Google does not is not included in this bundle.\n\n## API Usage\n\nTLS Inspector provides an API to pragmatically query for and download certificate bundles.\n\nThe base of the API is `https://api.tlsinspector.com`.\n\nAll requests must have a valid and somewhat identifiable user-agent header. We reject requests that\nuse a default user agent header such as `curl/...` or `python-requests/...`.\n\nThis API is provided \"as-is\" and with no guarantees of availability or up-time. We reserve the right\nto revoke your access to the API at our discretion.\n\n### Get Latest Bundle Name\n\n**Request:**\n\n```\nGET /rootca/latest\n```\n\n**Response:**\n\n\u003cdetails\u003e\u003csummary\u003eExpand sample response\u003c/summary\u003e\n\n```json\n{\"version\":\"bundle_20241001\"}\n```\n\n\u003c/details\u003e\n\n### Get Bundle Metadata\n\n**Request:**\n\n```\nGET /rootca/metadata/\u003cversion\u003e\n```\n\nWhere `\u003cversion\u003e` is either \"latest\" or a specific bundle version name\n\n**Response:**\n\n\u003cdetails\u003e\u003csummary\u003eExpand sample response\u003c/summary\u003e\n\n```json\n{\n  \"mozilla\": {\n    \"date\": \"2024-09-24T03:12:04Z\",\n    \"key\": \"189d3cf6d103185fba06d76c1af915263c6d42225481a1759e853b33ac857540\",\n    \"bundles\": {\n      \"mozilla_ca_bundle.p7b\": {\n        \"sha1\": \"26D68DA317362C95E9247DA2682881EA0A5DB9AA\",\n        \"sha256\": \"860241DE2497A9C1FBAB89FC7DA4E72057CA6BB1808CF97F0E40ED874854FC84\",\n        \"sha512\": \"33DAE15848361022B53F8F45909BF344A0069EF6ECB087D7279F95A8D5FA1A4A5C786595BBA1CA2AFA83A17FA35D73AD87BC39B121CEC91F279924211CD29A3C\"\n      },\n      \"mozilla_ca_bundle.pem\": {\n        \"sha1\": \"CEC93AB707461E9C603B5FD3E4A31A389839D9C1\",\n        \"sha256\": \"990FF5205FC2D63D8ED8878D75B3A6D2038B339593E1AC945114005423B7BB0B\",\n        \"sha512\": \"E449EE310D9BD4220BDF21AC2875877A0B083DC5C367AFB64B47B0F79F7062D091A87E81D59E43831BF3402023E431DA1A26505581DCC5AD47251EF4EEED75A6\"\n      }\n    },\n    \"num_certs\": 151\n  },\n  \"microsoft\": {\n    \"date\": \"2024-05-29T18:29:14Z\",\n    \"key\": \"8EFBC21559EF8B1BCF526800D8070BAAD42474CE7198E26FA771DBB41A76B1D8\",\n    \"bundles\": {\n      \"microsoft_ca_bundle.p7b\": {\n        \"sha1\": \"B0A5B9863BA7B03D1CF4CB1AA08AF1665D4F6083\",\n        \"sha256\": \"5F898CF2ECF8A76E118579B7FC6EDB74EDD900A3714BC6D5D94834183D882AD2\",\n        \"sha512\": \"A74B465A60EB333F404523667E6D969CFDD9741A4006B7448020C224CDF4570A7E95F7B005E04DFBF261A27E4FE8EB0D1309BB9B5E318284E8AA04D2AB0FD752\"\n      },\n      \"microsoft_ca_bundle.pem\": {\n        \"sha1\": \"1B6F6F2398FAB9E8282E936A73CDD7CDC7C84E48\",\n        \"sha256\": \"00514CA800495D3BA43A057A8E3E524445B3E6C77DAF98931EB4D6CA6DCF0A80\",\n        \"sha512\": \"3B4B461B6B566A8B25D0C185AF444CCBD62BA7B9E6FBE55095704BA3E16C6D7323C8BFA4FFD56FBE94FC2657D489CA66ECD4CE1006654D0A57E67E7A90E8B788\"\n      }\n    },\n    \"num_certs\": 246\n  },\n  \"google\": {\n    \"date\": \"2024-05-30T15:58:06Z\",\n    \"key\": \"cb239fbd1505c9af5ca8ee8b1338ddafebb313a7\",\n    \"bundles\": {\n      \"google_ca_bundle.p7b\": {\n        \"sha1\": \"9DA3354D3AD8CB49F4EB4FD464D0D69D13E876A7\",\n        \"sha256\": \"658229855FB52E6C8F8E08E672406720C8ED59B27B1A24F85EFFCA7B65179295\",\n        \"sha512\": \"A951EAF67122CE7C98DCBCA6797B0200BD4234C3EDAD92B5CD40FD940CB5A4C12E61E639C5FCE0A0BA6BA4326D16F8321C3956E089F0426E4445771C92AE3A7A\"\n      },\n      \"google_ca_bundle.pem\": {\n        \"sha1\": \"DC384A087559C50EF2A4A5D6D4698C6103F5AD8B\",\n        \"sha256\": \"7C53781E3CBE3A92BC54446430F3640735787A1ACB8CE9E69B6722AB081ACFB9\",\n        \"sha512\": \"EA58F9C818B616569B699FE259F801A7B07D5EF08CE4D08E7B867E0321C8DF3D75054FBE54C92ADE4BA6AE81AF3322B137A30C6CE5FB2A188F665D55D22A77F4\"\n      }\n    },\n    \"num_certs\": 135\n  },\n  \"apple\": {\n    \"date\": \"2024-09-24T17:44:43Z\",\n    \"key\": \"9c061d71693f4b9ccdddea087ff0428755604bf0\",\n    \"bundles\": {\n      \"apple_ca_bundle.p7b\": {\n        \"sha1\": \"F14804A4FBB644321C5AAEA8F4C445F540A0A4CC\",\n        \"sha256\": \"9991AF551E8CE48F849630DC934A4F431CFE61059B766C14773D9480D40EDC91\",\n        \"sha512\": \"8398D32323BC2A318D0FBEC7E97833B34C119B54F24F515608BC8C4E6631A8A34922488FB5334C88EA1C5DAFFD61D7CFC5F7EC40A2B1FE884DF6F519FC80A61B\"\n      },\n      \"apple_ca_bundle.pem\": {\n        \"sha1\": \"7614DD1CBD006D9DBE1F670924A18F0452995D3D\",\n        \"sha256\": \"0266922E2A7FCA20F0493B23F45BF1202391E51E401AEC6CB45DC57ECE4CE976\",\n        \"sha512\": \"4135240B826A00BB1202529D75F97B0938B16BAE38E58D12C88BC336BE4745D8BB2169E34D63E4EDB46244A218E0C7E82ACB4AACD83B65FF3B507C1B0FFB9BF9\"\n      }\n    },\n    \"num_certs\": 154\n  },\n  \"tls_inspector\": {\n    \"date\": \"2024-10-01T18:39:11Z\",\n    \"key\": \"379D3D92AD598A20E26C087C34C243E87C6215B25A65391ABFA92826D0E4A6EC\",\n    \"bundles\": {\n      \"tlsinspector_ca_bundle.p7b\": {\n        \"sha1\": \"781DED01A80C85DB200B18AE08CA87F74F0ED3CD\",\n        \"sha256\": \"9F344E6DA29BA6CF6B83A77386D3B59A8157D1C03ACB9C78A8F3569F28AD7EE4\",\n        \"sha512\": \"44FC44CFF159D0A0B63971A18B93101F029146C443351CA9D60B881B8719FCECB107F4D1FB52D6C33487EB7BB3AAF804B45725D9C376C926DA6E6E26974CD48F\"\n      },\n      \"tlsinspector_ca_bundle.pem\": {\n        \"sha1\": \"0BF93005601DF9CAE9CFE51B38C0A585263E1B59\",\n        \"sha256\": \"7626B4B7C72ABEBD19C975D862A04A8F3E7673E4EACA6383CF751F1362665A06\",\n        \"sha512\": \"0334DCB39D42770CAE293845EE37E05FAD11DBB324D9A28EA5E63939D6E4CCA725FC61F0EDF15E2AD6D6862DE04CDE7D20034FDE2D612F7120D95CF737D5BD3C\"\n      }\n    },\n    \"num_certs\": 117\n  }\n}\n```\n\n\u003c/details\u003e\n\n### Get Bundle Asset\n\n**Request:**\n\n```\nGET /rootca/asset/\u003cversion\u003e/\u003cfile name\u003e\n```\n\nWhere `\u003cversion\u003e` is either \"latest\" or a specific bundle version name, and `\u003cfile name\u003e` is the name of an assets file. Only files that are attached to [releases](https://github.com/tls-inspector/rootca/releases/latest) can be downloaded.\n\n**Response:**\n\nThe response to this request will be the binary contest of the asset file. Visiting this URL in a browser will trigger a download.\n\n## License\n\nThe software that compose this repository, **excluding** the certificate stores and certificate data, are released under the\nterms of the Mozilla Public License 2.0.\n\n*Apple*, *Google*, *Chromium*, *Chrome*, *Microsoft*, *Windows*, *Mozilla*, and *Firefox* are all registered trademarks\nbelonging to their respective owners. This package is not affiliated with or endorsed by any third party, including but\nnot limited to the aforementioned entities.\n\nRoot certificates, such as those included in this software, are typically considered public data and are not encumbered\nby licenses. However, this authors of this software are not liable for any violations you may make by using this software.\n\nThe export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating\ntechnical details about cryptography software is illegal in some parts of the world. You are responsible for knowing and\nadhering to the laws and requirements of your locality. The authors of this software are not liable for any violations\nyou make by using this software.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftls-inspector%2Frootca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftls-inspector%2Frootca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftls-inspector%2Frootca/lists"}