March 2016 CA Communication

ACTION #1a: As previously communicated, CAs should no longer be issuing SHA-1 certificates chaining up to root certificates included in Mozilla's CA Certificate Program. This includes TLS/SSL certificates, as well as any intermediate certificates that they chain up to. Check your systems and those of your subordinate CAs to ensure that SHA-1 based TLS/SSL certificates chaining up to your included root certificates are no longer being issued, and that any such certificates issued after 01/01/2016 have been revoked. Please enter the last date that a SHA-1 based TLS/SSL (end-entity) certificate was issued that chained up to your root certificates included in Mozilla's program (use format MM/DD/YYYY). If your included root certificates do not have the Websites trust bit enabled or you have never issued SHA-1 TLS/SSL certificates chaining up to included root certs, then please enter 04/01/2016.
ACTION #1a TEXT INPUT: Use this section if you need to specify different dates according to different root certificates included in Mozilla's CA Certificate Program. Or if there is additional clarification you would like to provide.

CA Owner Response Response
AC Camerfirma, S.A. 2016 Feb 15
Actalis 2015 Jul 7
Amazon Trust Services 2016 Apr 1
Asseco Data Systems S.A. (previously Unizeto Certum) 2015 Dec 30
Atos 2016 Apr 1
Autoridad de Certificacion Firmaprofesional 2015 May 19
Buypass 2015 Dec 23
Certicámara 2016 Feb 29 Certicamara ROOT CA and subsequent SUB CA's does not issue SSL/TLS certificate. However as of February 29 we stopped issuing all SHA1 certificates, and a new ROOT CA with SHA2 will be issued after May 6 2016.
Certinomis / Docapost 2015 Jan 27 PKI SHA2 : 04/01/2016 (never issued SHA1) PKI SHA1 : 01/27/2015 we have stopped this CA on 06/18/2015.
China Financial Certification Authority (CFCA) 2016 Apr 1 We have NO SHA-1 root included in Mozilla. That is : we never issue SHA-1 certificate with root included in Mozilla
China Internet Network Information Center (CNNIC) 2015 Dec 4
Chunghwa Telecom 2015 Dec 31
ComSign 2016 Apr 1
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) 2015 Sep 30
Cybertrust Japan / JCSI 2016 Apr 1 We have never issued SHA-1 TLS/SSL certificates yet after the root was transferred from JCSI Inc. to us at July 2014.
D-TRUST 2016 Apr 1
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) 2016 Apr 1
Dhimyotis / Certigna 2016 Apr 1
DigiCert 2016 Mar 30 Test certificate issued by DnB NOR ASA PKI Class G, which chains to the Baltimore Cybertrust Root through the Eurida Primary CA.
Disig, a.s. 2015 Jul 30
DocuSign (OpenTrust/Keynectis) 2015 Dec 31
E-Tugra 2014 Oct 15
EDICOM 2015 Aug 31
Entrust 2015 Dec 31
GlobalSign 2015 Dec 31
GoDaddy 2015 Dec 31
Government of France (ANSSI, DCSSI) 2015 Dec 31
Government of Hong Kong (SAR), Hongkong Post, Certizen 2015 Dec 31
Government of Japan, Ministry of Internal Affairs and Communications 2013 Oct 31
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) 2014 Dec 1
Government of Taiwan, Government Root Certification Authority (GRCA) 2013 Mar 1
Government of The Netherlands, PKIoverheid (Logius) 2016 Apr 1 Under the currently included roots PKIoverheid has never issued SHA-1 certicates. In a previously included root (“Staat der Nederlanden Root CA”) this was the case, but this root has been removed from the Mozilla CA Certificate Program (expired in December 2015).
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) 2015 Dec 17
HARICA 2015 Apr 1
IdenTrust Services, LLC 2015 Dec 14
Izenpe S.A. 2014 Mar 5
Krajowa Izba Rozliczeniowa S.A. (KIR) 2016 Apr 1
Microsec Ltd. 2015 Oct 7 This certificate expired on the 11/30/2015
NetLock Ltd. 2015 Nov 14
OISTE 2015 Jul 31
PROCERT 2010 Dec 31
QuoVadis 2016 Jan 5 Root CA had a single SHA-1 cert with server auth issued on above date accommodating a customer transition issue. Non internet-facing. All other SHA-1 SSL ceased in 2015.
RSA the Security Division of EMC 2016 Jan 29 All SHA-1 certificates issued after 12/31/15 have been revoked.
SECOM Trust Systems CO., LTD. 2015 Dec 30
SK ID Solutions AS 2015 Jan 7
Sectigo 2015 Dec 31
SecureTrust 2015 Dec 29
Start Commercial (StartCom) Ltd. 2015 Dec 30
SwissSign AG 2014 Dec 18 12/18/2014 --> Issuing CA is Server Gold G2 --> Root CA - SwissSign Gold G2 (OV) 03/11/2014 --> Issuing CA is Server Silver G2 --> Root is SwissSign Silver G2 (DV)
Swisscom (Switzerland) Ltd 2014 Nov 27
Symantec 2016 Feb 29 VeriSign Class 3 Public Primary Certification Authority - G5: 02/29/2016 All other roots: on or before 12/31/2015
T-Systems International GmbH (Deutsche Telekom) 2016 Jan 15 revoked: 02/02/2016
Taiwan-CA Inc. (TWCA) 2015 Dec 30
Telia Company (formerly TeliaSonera) 2015 Oct 20
Trend Micro 2015 Dec 31
Trustis 2016 Mar 12
TurkTrust 2014 Oct 1
Visa 2015 Dec 2 Visa Information Delivery Root CA - Last SHA-1 End-Entity certificate issued on 12/02/2015. Visa eCommerce Root CA - Last SHA-1 End-Entity certificate issued on 04/06/2016. All SHA-1 certificates will either expire or be revoked before 12/31/2016. Given the business impact we have a phased revocation process we executing on.
Web.com 2014 Oct 28
Wells Fargo Bank N.A. 2015 Dec 31
WoSign CA Limited 2015 Dec 30
certSIGN 2015 Jul 17