Download Verisign Root Certificates

As we just covered, a root certificate is a special kind of X.509 digital certificate that can be used to issue other certificates. For starters, whereas end user or leaf SSL certificates (and generally any kind of publicly trusted PKI certificate) have a lifespan of two years – tops – root certificates live much, much longer.

VeriSign Root Certificates

Note: All root certificates are self-signed. 3rd Generation (G3) roots are 2048-bit keys.

VeriSign Class 1 Primary CA

  • Country = US
  • Organization = VeriSign, Inc.
  • Organizational Unit = Class 1 Public Primary Certification Authority
  • Serial Number: 02 a4 00 00 01
  • Operational Period: Mon Jan 29, 1996 to Fri Dec 31, 1999

Download the Verisign Root Package ‘roots.zip’ and extract the folder 'VeriSign Root CertificatesGeneration 5 (G5) PCA'. In this folder is “VeriSign Class 3 Public Primary Certification Authority - G5.cer”. Copy the file via internal network or USB stick to the disconnected PCs, then right-click it and select “install certificate”.

“The management console is unavailable because a root certificate is missing. Go to VeriSign and download the certificate VeriSign class 3 Primary CA – G5”

Solution: In the event you are unable to download the trusted Verisign certificate, see Exporting the Root CA Certificate From the Java Keystore for alternate instructions. Import the Root CA certificate from the temporary file to the package keystore.

A Certification Authority (CA) is an organization that browser vendors (like Mozilla) trust to issue certificates to websites. Last year, Mozilla published and discussed a set of issues with one of the oldest and largest CAs run by Symantec. The discussion resulted in the adoption of a consensus proposal to gradually remove trust in all Symantec TLS/SSL certificates from Firefox. The proposal includes a number of phases designed to minimize the impact of the change to Firefox users:

  • January 2018 (Firefox 58): Notices in the Browser Console warn about Symantec certificates issued before 2016-06-01, to encourage site owners to replace their TLS certificates.
  • May 2018 (Firefox 60): Websites will show an untrusted connection error if they use a TLS certificate issued before 2016-06-01 that chains up to a Symantec root certificate.
  • October 2018 (Firefox 63): Distrust of Symantec root certificates for website server TLS authentication.

After the consensus proposal was adopted, the Symantec CA was acquired by DigiCert; however, that fact has not changed Mozilla’s commitment to implement the proposal.

Firefox 60 is expected to enter Beta on March 13th carrying with it the removal of trust for Symantec certificates issued prior to June 1st, 2016, with the exception of certificates issued by a few subordinate CAs that are controlled by Apple and Google. This change affects all Symantec brands including GeoTrust, RapidSSL, Thawte, and VeriSign. The change is already in effect in Firefox Nightly.

Mozilla telemetry currently shows that a significant number of sites – roughly 1% of the top one million – are still using TLS certificates that are no longer trusted in Firefox 60. While the number of affected sites has been declining steadily, we do not expect every website to be updated prior to the Beta release of Firefox 60. We strongly encourage operators of affected sites to take immediate action to replace these certificates.

If you attempt to visit a site that is using a TLS certificate that is no longer trusted in Firefox 60, you will encounter the following error:


Clicking on the “Advanced” button will allow you to bypass the error and reach the site:


These changes are expected to be included in the final version of Firefox 60, which is planned to be released on May 9th, 2018.


In Firefox 63, trust will be removed for all Symantec TLS certificates regardless of the date issued (with the exception of certificates issued by Apple and Google subordinate CAs as described above).
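
To check a site against the schedule above, the following added example (not code from Mozilla or from the original page) classifies a leaf certificate, in the dict format returned by Python's `ssl.getpeercert()`, for a given Firefox version. Matching the brand names in the issuer's organization or common name is an assumed heuristic for "chains up to a Symantec root"; the sample certificates are constructed, and the Apple/Google subordinate-CA exception is not modelled.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brands named in the post. Matching them in the issuer fields is a heuristic
# (assumption) and does not model the Apple/Google subordinate-CA exception.
SYMANTEC_BRANDS = ("symantec", "geotrust", "rapidssl", "thawte", "verisign")
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)  # issuance cutoff in the schedule

def issuer_text(cert):
    """Lower-cased issuer organizationName and commonName of a getpeercert() dict."""
    attrs = [pair for rdn in cert.get("issuer", ()) for pair in rdn]
    return " ".join(v for k, v in attrs if k in ("organizationName", "commonName")).lower()

def firefox_status(cert, firefox_version):
    """Return 'ok', 'console-warning' or 'untrusted' for a leaf certificate."""
    if not any(brand in issuer_text(cert) for brand in SYMANTEC_BRANDS):
        return "ok"
    if firefox_version >= 63:  # October 2018: distrust regardless of issue date
        return "untrusted"
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    if issued >= CUTOFF:
        return "ok"
    if firefox_version >= 60:  # May 2018: error for certificates issued before the cutoff
        return "untrusted"
    if firefox_version >= 58:  # January 2018: Browser Console notice only
        return "console-warning"
    return "ok"

def fetch_leaf(host, port=443):
    """Fetch a live server's leaf certificate (needs network; validated by the local store)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def make_cert(org, cn, not_before):
    """Build a constructed sample in getpeercert() layout (not a real certificate)."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),)),
            "notBefore": not_before}

SAMPLE_OLD = make_cert("GeoTrust Inc.", "Example Issuing CA", "May  9 00:00:00 2015 GMT")
SAMPLE_NEW = make_cert("Symantec Corporation", "Example Issuing CA", "Mar  1 00:00:00 2017 GMT")
SAMPLE_OTHER = make_cert("Example Trust Services", "Example CA 1", "May  9 00:00:00 2015 GMT")

if __name__ == "__main__":
    for name, cert in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)):
        print(name, {v: firefox_status(cert, v) for v in (57, 58, 60, 63)})
```

For a live site, pass the result of `fetch_leaf("your.host.example")` to `firefox_status`; the handshake fails if the local trust store already rejects the chain.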


Wayne Thayer
Kathleen Wilson