| ACTION 3: Include EKUs in All End-entity Certificates Beginning on 1-July, 2020, section 5.2 of Mozilla's Root Store Policy states that new end-entity certificates MUST include an EKU extension containing KeyPurposeId(s) describing the intended usage(s) of the certificate, and the EKU extension MUST NOT contain the KeyPurposeId anyExtendedKeyUsage. |
|---|
| ACTION 3 COMMENTS |
| ACTION 3 DATE |
| CA Owner | Response | Response | Response |
|---|---|---|---|
| AC Camerfirma, S.A. | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Actalis | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Amazon Trust Services | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Asseco Data Systems S.A. (previously Unizeto Certum) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Atos | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Autoridad de Certificacion Firmaprofesional | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | 2017 Nov 21 | |
| Buypass | All end-entity certificates that we issue or have issued after [date] are within the scope of Mozilla’s policy currently comply with this requirement (select date below) | We have issued two (non TLS) certificates without EKU after 1 February 2019 on a customer's request. | 2019 Feb 1 |
| Certisign Certificadora Digital | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| China Financial Certification Authority (CFCA) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Chunghwa Telecom | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| ComSign | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| Cybertrust Japan / JCSI | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| D-TRUST | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| DarkMatter LLC | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | Already complies | |
| Deutsche Telekom Security GmbH | All end-entity certificates that we issue or have issued after [date] are within the scope of Mozilla’s policy currently comply with this requirement (select date below) | 2020 Jan 31 | |
| Dhimyotis / Certigna | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| DigiCert | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | External Subordinate CA end-entity certificates (issued by their CAs)will comply by 1-July-2020 | |
| Disig, a.s. | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| E-Tugra | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Entrust | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| GlobalSign nv-sa | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| GoDaddy | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Google Trust Services LLC | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Government of Hong Kong (SAR), Hongkong Post, Certizen | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Government of Taiwan, Government Root Certification Authority (GRCA) | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| Government of The Netherlands, PKIoverheid (Logius) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| HARICA | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| IdenTrust Services, LLC | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| Internet Security Research Group | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Izenpe S.A. | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Krajowa Izba Rozliczeniowa S.A. (KIR) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| LuxTrust | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Microsec Ltd. | All end-entity certificates that we issue or have issued after [date] are within the scope of Mozilla’s policy currently comply with this requirement (select date below) | 2019 Dec 12 | |
| Microsoft Corporation | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| NETLOCK Kft. | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| OISTE | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| QuoVadis | All end-entity certificates that we issue or have issued after [date] are within the scope of Mozilla’s policy currently comply with this requirement (select date below) | QuoVadis has no end entity certificates with anyExtendedKeyUsage. A small number of end entity certificates remain with no EKU. These will expire or be revoked well in advance of July 1, 2020. | 2018 Jun 28 |
| SECOM Trust Systems CO., LTD. | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| SK ID Solutions AS | Other (please describe below) | Please note that SK has terminated issuance of TLS Server Certificates as of 1. September 2017 and therefore we are unable to meet this requirement. | |
| SSL.com | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Sectigo | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| SecureTrust | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Shanghai Electronic Certification Authority Co., Ltd. | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| SwissSign AG | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | ||
| Swisscom (Switzerland) Ltd | Other (please describe below) | Swisscom Certificates are not in the root store any more. Nevertheless we received the "Mozilla CA Communication: Action requested by January 31, 2020" mail from Wayne. Was this an error or is there something additional Swisscom needs to do in order not to receive the root store communications? | |
| Taiwan-CA Inc. (TWCA) | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Telia Company | All end-entity certificates that we issue on or after July 1, 2020 and are within the scope of Mozilla’s policy will comply with this requirement | We did full scan to all our publicly trusted Client certificates. We found one seldom used sub-process that still was generating empty EKUs to our client certificates. That will be fixed before June. | 2020 Jun 30 |
| TrustCor Systems | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| Trustis | Other (please describe below) | End-entity certificate issuance under the current service has been discontinued therefore no new certificates will be issued after 1st July, 2020. Please Note: No certificate has been issued since 2nd January 2018 and no further Certificates will be issued until the service is terminated following the expiration of the last certificate (2nd January 2021). | |
| Web.com | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| certSIGN | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement | ||
| eMudhra Technologies Limited | All unexpired, non-revoked end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement |