CNNIC Root CA: Don’t jump on Mozilla, others trust it too

Test web site (it uses a certificate that chains to the CNNIC Root; the intermediate CA is missing the CRL link, so some browsers will not show the padlock or might complain, but the site is useful for checking whether the CNNIC Root certificate is trusted by your browser):
https://www.enum.cn/en/

The issue that has sparked controversy, Firefox 3.6 on Windows 7, below:

cnnic_firefox3.6_on_win7

But is Mozilla alone here?

Microsoft
The CNNIC Root certificate is trusted on Windows. This means that IE 6/7/8 (depending on the OS) and any browser that depends on the Windows Certificate Store (Chrome, Safari on Windows) will trust certificates signed by this CA.
Also, it may not be just the browsers that trust it.

Download the list of Windows Root CAs from here (on that page there is a PDF link; the CNNIC ones can be found in the CERTIFICATES IN DISTRIBUTION FROM ALL MEMBER CAs section of that PDF):
http://support.microsoft.com/kb/931125

More info here:
http://technet.microsoft.com/en-us/library/cc751157.aspx

  • Windows XP SP3: CNNIC Root certificate is trusted, seen below in the Computer Certificates Store / Trusted Root Certification Authorities:

cnnic_winxpsp3

  • Windows Vista SP2: CNNIC Root certificate is trusted, seen below in the User Certificates Store / Trusted Root Certification Authorities:

cnnic_vistasp2

  • Windows 7: CNNIC Root certificate is trusted, seen below in the User Certificates Store / Trusted Root Certification Authorities:

cnnic_win7

Apple
The CNNIC Root certificate is trusted on Mac OS X, so the Safari and Chrome browsers on Mac OS X will trust certificates signed by this CA.
http://www.apple.com/certificateauthority/ca_program.html

  • Mac OS X 10.5.8: CNNIC Root certificate is trusted, seen below in the System Roots:

cnnic_macosx10.5.8

  • Mac OS X 10.6.2: CNNIC Root certificate is trusted, seen below in the System Roots:

cnnic_macosx10.6.2

Opera
CNNIC Root certificate is trusted:
http://my.opera.com/rootstore/blog/2009/09/30/secom-cnnic-buypass-root-izenpe-ev-enabled-and-more

cnnic_opera
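
The same check can be scripted instead of read off a certificate dialog. The following is an added example, not part of the original post: it lists self-issued CA certificates whose subject mentions "CNNIC" in the store Python's `ssl` module loads (the Windows system store on Windows, OpenSSL's default CA file elsewhere; it does not read Firefox's, Opera's or the Mac OS X keychain store). The function names and the sample entries are assumptions made for the example.

```python
import ssl

def subject_values(cert):
    """Flatten the nested RDN tuples of cert['subject'] into plain strings."""
    return [value for rdn in cert.get("subject", ()) for _key, value in rdn]

def find_roots(ca_certs, needle="CNNIC"):
    """Return self-issued CA entries whose subject mentions `needle`."""
    needle = needle.lower()
    hits = []
    for cert in ca_certs:
        if cert.get("subject") != cert.get("issuer"):
            continue  # issued by another CA: an intermediate, not a root
        if any(needle in value.lower() for value in subject_values(cert)):
            hits.append(cert)
    return hits

def system_roots():
    """CA certificates Python's default TLS context has loaded.
    Stores that load certificates lazily may report fewer entries
    than the platform actually trusts."""
    return ssl.create_default_context().get_ca_certs()

def _name(country, org, cn):
    # Builds a name in the tuple format get_ca_certs() returns.
    return ((("countryName", country),), (("organizationName", org),),
            (("commonName", cn),))

# Constructed sample entries (not real store data) so the filter can be
# exercised offline: one matching root, one intermediate, one other root.
CNNIC = _name("CN", "CNNIC", "CNNIC ROOT")
OTHER = _name("US", "Example Trust", "Example Root CA")
SAMPLE = [
    {"subject": CNNIC, "issuer": CNNIC},
    {"subject": _name("CN", "CNNIC", "Example Intermediate"), "issuer": CNNIC},
    {"subject": OTHER, "issuer": OTHER},
]

if __name__ == "__main__":
    hits = find_roots(system_roots())
    for cert in hits:
        print("trusted root:", ", ".join(subject_values(cert)),
              "| expires", cert.get("notAfter"))
    if not hits:
        print("no matching root in the store Python uses")
```

An empty result only says the root is absent from this one store; each browser's own store still has to be checked as shown in the sections above.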
