
The CA-Certificates package is based on the list provided
by the Mozilla Foundation.

This version of the package contains the following adjustments:

(a)
The following root CA certificate is included in Mozilla's list:
  Subject/Issuer: "E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA"
  Serial Number: 1 (0x1)
  Signature Algorithm: PKCS #1 MD5 With RSA Encryption
  Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A

For compatibility with signed applets and OpenJDK, this package includes
an additional version of the root CA certificate, which contains the
same issuer/subject names and the same public key, but which contains a
different signature algorithm, serial number and validity dates:
  Serial Number:36:12:22:96:c5:e3:38:a5:20:a1:d2:5f:4c:d7:09:54
  Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
  Fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66

Thawte/Symantec have confirmed that the certificate is authentic at:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1100532#c9

(b)
Mozilla has removed several CA certificates that use 1024 bit keys.

For compatibility reasons, this package keeps several of those removed
CA certificates still trusted by default.

Please refer to the ca-legacy(8) man page and the ca-legacy utility
to learn how to disable them, if desired.