Mission Accomplished? HTTPS Security after DigiNotar Johanna Amann* ICSI / LBL / Corelight Oliver Gasser* Technical University of Munich Quirin Scheitle* Technical University of Munich Lexi Brent The University of Sydney Georg Carle Technical University of Munich Ralph Holz The University of Sydney

* Joint First Authorship

Internet Measurement Conference (IMC) 2017 TLS/HTTPS Security Extensions

• Certificate Transparency

• HSTS (HTTP Strict Transport Security)

• HPKP (HTTP Public Key Pinning)

• SCSV (TLS Fallback Signaling Cipher Suite Value)

• CAA (Certificate Authority Authorization)

• DANE-TLSA (DNS Based Authentication of Named Entities) Methodology

• Active & passive scans

• Shared pipeline where possible

• Active measurements from 2 continents

• Largest Domain-based TLS scan so far

• More than 192 Million domains

• Passive measurements on 3 continents

• More than 2.4 Billion observed TLS connections Certificate Transparency

CA Issues Certificates

Provides publicly auditable, append-only Log of certificates CT Log Also provides proof of inclusion

Browser Verifies Proof of Inclusion Certificate Transparency

CT Log CA

Webserver Browser Certificate Transparency

CT Log CA

Certificate

Webserver Browser Certificate Transparency

CT Log CA

Certificate Certificate

Webserver Browser Certificate Transparency

CT Log CA

SCT Certificate Certificate

Webserver Browser Certificate Transparency

CT Log CA

SCT Certificate Certificate

Webserver Browser Certificate, SCT in TLS Ext. Certificate Transparency

CT Log CA

Webserver Browser Certificate Transparency

Precertificate CT Log CA

Webserver Browser Certificate Transparency

Precertificate CT Log CA SCT

Webserver Browser Certificate Transparency

Precertificate CT Log CA SCT

Certificate (with Precertificate SCT)

Webserver Browser Certificate Transparency

Precertificate CT Log CA SCT

Certificate (with Precertificate SCT)

Webserver Browser Certificate. Transform, Validate Certificate Transparency

CT Log CA

Webserver Browser Certificate Transparency

CT Log CA

Certificate

Webserver Browser Certificate Transparency Certificate CT Log CA

Certificate

Webserver Browser Certificate Transparency Certificate CT Log CA SCT

Certificate

Webserver Browser Certificate Transparency Certificate CT Log CA SCT

Certificate

OCSP, SCT in OCSP Reply Webserver Browser Certificate Transparency Certificate CT Log CA SCT

Certificate

OCSP, SCT in OCSP Reply Webserver Browser Certificate SCT in Stapled OCSP Reply SCT Statistics - Active Sydney v4 Munich v4 Munich v6

Domains we could connect to 55.7M 58.0M 5.1M

Domains with SCT 6.8M 6.8M 357K

… via X509 6.7M 6.8M 344K

… via TLS Ext. 27.6K 27.2K 12.9K

… via OCSP 180 188 3

Certificates (Total) 10.62M 9.66M 549.98K

Certificates with SCT Ext. 799.9K 834.5K 193.9K SCT Statistics - Passive

California Munich Sydney Time 4/4-5/2 5/12-5/16 5/12-5/16 Conns 2.6B 287M 196M Conns with SCT 779M 73M 58M … in Cert 520M 58M 44M … in TLS 248.1M 14.4M 13.6M … in OCSP 155.8K 37.6K 31.1K # v4 IPs 737K 344K 226K # SCT v4 IPs 222K 102K 66K

105 Certificates, 91 Let’s Encrypt

Log Operators

Active Passive

Symantec log (81.26%) Symantec log (62.78%)

Google ’Pilot’ log (79.9%) ’Rocketeer’ log (58.6%)

Google ’Rocketeer’ log (31.72%) Google ’Pilot’ log (58.48%)

DigiCert Log Server (26.96%) Google ’Icarus’ log (14.37%)

Google ’Aviator’ log (25.67%) Google ’Aviator’ log (9.39%)

Google ’Skydiver’ log (8.32%) Vena log (7.47%)

Symantec VEGA log (3.98%) WoSign ctlog (4.64%)

StartCom CT log (1.49%) DigiCert Log Server (4.07%)

WoSign ctlog (0.67%) Google ’Skydiver’ log (1.7%) Log Operators

HSTS, HPKP

• HSTS: ~3.5% of domains

• 0.2% send incorrect headers (misspellings, wrong attributes, …)

• HPKP: ~0.02% of domains (6,181)

• 41 invalid SCSV

Automatically deployed when servers/libraries update

> 96% deployment Deployment

Community Contributions

• PCAPs of active scans

• Active scan results, CT database dumps

• Analysis Scripts (primarily Jupyter notebooks)

• Datasets: ://mediatum.ub.tum.de/1377982

• Software:

• goscanner (HTTPS scanner): https://github.com/tumi8/goscanner

• extended Bro TLS support (in master): https://bro.org The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

Quirin Scheitle (TUM), Oliver Gasser (TUM), Theodor Nolte (HAW Hamburg), Johanna Amann (ICSI/Corelight/LBNL), Lexi Brent (The University of Sydney), Georg Carle (TUM), Ralph Holz (The University of Sydney), Thomas C. Schmidt (HAW Hamburg), Matthias Wählisch (FU Berlin)

Internet Measurement Conference (IMC) 2018 CT Honeypot

DNS Queries after 73s to 3m Requests from 82 ASes Phishing Domains

e.g. 63k Domains trying to mimic Apple ICSI SSL Notary The Bro Platform Open Source BSD License

Traffic Intrusion Vulnerabilit. Traffic Compliance File Analysis Measure- Detection Mgmt Control Monitoring ment Apps

Programming Language Standard Library

Platform Packet Processing

Network Tap

The Bro Monitoring Platform 25 Bro History

Host Context Time Machine Academic Enterprise Traffic Summary Stats Publications HILTI DPI Concurrency Tor SSL PLC Modeling Certificate TRW OCSP Speed Android Root Certs Transparency, State Mgmt. Certificate Ecosystem Heart bleed Long-term SSL Study Independ. State Bro Cluster TLS Electronic Comm. Shunt Spicy

NetControl HTTPS Security Parallel Prototype Input Framework Anonymizer VAST Active Mapping BinPAC Backdoors Stepping Context Signat. DPD SSL Trust USENIX Paper Stones 2nd Path Autotuning SSL Errors

1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

v2.4 Broker, Plugins, v2.2 DTLS/KRB OCSP, SCT, File Analysis Vern writes v2.0 ERSPAN v0.7a90 v1.5 Summary Stats 1st line of v0.2 v0.6 v0.8aX/0.9aX User Experience v2.5, code 1st CHANGES Profiling SSL/SMB BroControl SMB, NetControl, RegExps State Mgmt v1.1/v1.2 entry Login analysis STABLE releases when Stmt VNC, StartTLS v2.6 BroLite Broker default, Config Resource tuning v2.1 v2.3 Framew., NFS updates Broccoli Bro SDCI IPv6 Performance OpenSSL 1.1 DPD Input Framew. SNMP, Radius, SSL++

v0.4 v0.7a175/0.8aX v1.4 v1.0 LBNL starts using Bro HTTP analysis Signatures DHCP/BitTorrent BinPAC Bro Center operationally Scan detector SMTP HTTP entities IRC/RPC analyzers IP fragments IPv6 support NetFlow 64-bit support Linux support User manual Bro Lite Deprecated Sane version numbers

v0.7a48 0.8a37 v1.3 Consistent CHANGES Communication Ctor expressions Persistence GeoIP Namespaces Conn Compressor Log Rotation SSL

Client Server Client hello Server hello Certificate (Server Key Exchg) Client Key Exchange Change Cipher Spec Finished Change Cipher Spec Finished

Encrypted application data SSL

Client Server client_hello Client hello (extensions) server_hello Server hello (extensions) Certificate x509_* events (Server Key Exchg) ssl_handshake_message ssl_handshake_message Client Key Exchange ssl_change_cipher_spec Change Cipher Spec ssl_encrypted_data Finished Change Cipher Spec ssl_change_cipher_spec Finished ssl_encrypted_data

Encrypted application data ssl_encrypted_data Bro SSL Events - v2.6

client_hello ssl_stapled_ocsp ssl_change_cipher_spec server_hello ssl_encrypted_data x509_extension ssl_session_ticket_handshake ssl_dh_server_params x509_ext_basic_constraints

ssl_established ssl_change_cipher_spec x509_ext_subject_alternative_name x509_certificate ssl_handshake_message ssl_extension_elliptic_curves

ssl_extension ssl_encrypted_data ssl_extension_application_layer_protocol_negotiation ssl_alert ssl_extension_ex_point_formats ssl_extension_server_name

ssl_server_curve ssl_extension_signature_algorithm x509_ocsp_ext_signed_certificate_timestamp ssl_extension_supported_versions ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp

ocsp_request ocsp_request_certificate ocsp_response_status

ocsp_response_bytes ocsp_response_certificate ocsp_extension ICSI Notary

Outgoing SSL Sessions Internal Internet Network Bro Network Monitor Data Provider Collector Storage & Evaluation Notary - Collected features

Available ciphers Timestamp Version

Analyzer Error Packet loss Hash(client session ID)

Client & Server TLS extensions Selected cipher Hash(client IP, server IP)

Content length Server certificates Hash(server session ID)

Connection history Server IP Ticket lifetime hint

Duration Client EC curve

Client EC point formats DH parameter size Number Client Certs

Send & received bytes Client & Server ALPN TLS Alerts Notary - Connections Notary - Certificates

45,000,000

40,000,000

35,000,000

30,000,000

25,000,000

20,000,000

15,000,000

Number of certificates of Number 10,000,000

5,000,000

0

01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 − − − − − − − − − − − − − − − − − − − − − − − − − − − − − 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 − − − − − − − − − − − − − − − − − − − − − − − − − − − − −

2012 2012 2012 2012 2013 2013 2013 2013 2014 2014 2014 2014 2015 2015 2015 2015 2016 2016 2016 2016 2017 2017 2017 2017 2018 2018 2018 2018 2019 Time Coming of Age: A Longitudinal Study of TLS Deployment Platon Kotzias IMDEA Software Institute Abbas Razaghpanah Stony Brook University Johanna Amann ICSI Kenneth G. Patterson Royal Holloway University of Londo Narseo Vallina-Rodriguez ICSI/IMDEA Networks Institute Juan Caballero IMDEA Software Institute

Internet Measurement Conference (IMC) 2018 Major SSL attacks in the last years

BEAST Freak MITM attack against CBC cipher suites Poodle RC4 attacks Freak allows a MITM attacker to downgrade in TLS 1.0 and earlier. The attack Poodle is a cryptographic exploits taking Attacks exploit biases in the output of the TLS connections to export-grade exploits the reliance on predictable IVs. RC4 stream cipher to recover plain-texts that advantage of the willingness of clients to fall . It is possible when a server Mitigated in TLS 1.1 and client-side; are sent repeatedly, e.g. cookies or back to SSLv3 and the CBC mode padding in passwords. SSLv3. supports RSA_EXPORT and the client use of RC4 encouraged. requests an RSA cipher suite. 2011 2012 2013 2014 2015 2016

Sweet 32 Lucky 13 Logjam DES and 3DES are vulnerable to a birthday- Cryptographic timing attack against TLS Allows an MITM attacker to attack bound attack on CBC mode, which makes it implementations using CBC mode. All CBC Heartbleed is an OpenSSL bug allowing connections if the server supports ciphers are potentially vulnerable; best possible for a MITM attacker to recover attackers to obtain sensistive information DHE_EXPORT and the client requests a DHE counter-measure is to switch to AEAD and plaintext from long-duration connections. from process memory via packets that trigger TLS 1.2 which was ill-supported at the time. cipher suite. a buffer over-read. SSL Versions (negotiated)

100 POODLE 90 80 Version RC4 passwords 70 RC4 nomore SSLv3 Snowden Sweet32 60 Lucky13 TLSv10 50 RC4 TLSv11 40 TLSv12 30 20 10

Percent monthly connections monthly Percent 0

01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 − − − − − − − − − − − − − − − − − − − − − − − − − − 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 − − − − − − − − − − − − − − − − − − − − − − − − − −

2012 2012 2012 2012 2013 2013 2013 2013 2014 2014 2014 2014 2015 2015 2015 2015 2016 2016 2016 2016 2017 2017 2017 2017 2018 2018 Export/Anon/NULL advertised

40 Export 35 Null 30 25 20 15 10 5

Percent monthly connections Percent 0

01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 − − − − − − − − − − − − − − − − − − − − − − − − − − 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 − − − − − − − − − − − − − − − − − − − − − − − − − −

2012 2012 2012 2012 2013 2013 2013 2013 2014 2014 2014 2014 2015 2015 2015 2015 2016 2016 2016 2016 2017 2017 2017 2017 2018 2018 Negotiated RSA vs forward secret

90 80 70 60 Type 50 DHE 40 ECDHE RSA 30 20 10

Percent monthly connections monthly Percent 0

01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 − − − − − − − − − − − − − − − − − − − − − − − − − − 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 07 10 01 04 − − − − − − − − − − − − − − − − − − − − − − − − − −

2012 2012 2012 2012 2013 2013 2013 2013 2014 2014 2014 2014 2015 2015 2015 2015 2016 2016 2016 2016 2017 2017 2017 2017 2018 2018 Summary

• Deployment status correlates with:

• Configuration effort

• Risk

• Default deployment / settings work best

• Measurements from several sites have very similar results

• One measurement location probably good enough in most cases GoGandi SGCDaddy SSL CA Verizon GlobalC=JP, IssuingO=JapaneseRoot CA Government, Certificate OU=ApplicationCA Authority - G2 Amazon VR IDENT SSL CA 2013 COMODO Domain Validation Legacy Server CA 2 Go Daddy Secure - G2 CFCA OV OCA Trustwave Extended Validation SHA256 CA Starfield Authority - G2 ApplicationCA2 Sub Starfield Secure Certificate Authority - G2 CFCA EV OCA ECCE SAS Public CA v1 CFCA EV ROOT certSIGN Enterprise CA Class 3 DigiCert Trusted Root G4 AusCERT SGC Server CA VR IDENT SSL CA 2015 Amazon RootTrustwave CA 1 Domain Validation SHA256 CA ABB Issuing CA 4 certSIGN Enterprise CA Class 3 G2 Trustwave Extended Validation CA TWCA Global Root CA SGTRUST SGC CERTIFICATION AUTHORITY ECAR TWCA Secure SSL Certification Authority ECCE 001 ACCVCA-120 ZOVAR Server CA G21 VR IDENT EXTERNAL ROOT CARSA 2013 Corporate Server CA v3 DnB NOR ASA PKI Class G DigiCert Trusted Server CA G4 Trustwave Organization Validation SHA256 CA MasterCard Public Root CA Gen 3 Starfield Services Root Certificate Authority - G2 UTN - DATACorp SGC Verizon Global Root CA C=RO, O=certSIGN, OU=certSIGN ROOT CA ACCVRAIZ1 TrustID CA A51 Oracle SSL CA UZI-register Server CA G21

Network Solutions Certificate Authority O=RSA Security Inc, OU=RSA Security 2048 V3 VR IDENT EXTERNAL ROOT CA 2015 ECAR Parlamento 3 ECRaizEstado Secure Business Services CA SwissSign Server Silver CA 2014 - G22 Crazy Domains (DV) Certification Authority DST Root CA X3 IdenTrust Commercial Root CA 1 Network Solutions EV Server CA 2 SecureTrust CA Eurida Primary CA RU-CENTER High Assurance Services CA Digidentity Services CA - G2 Yandex CA IGC/A Telstra RSS Policy CA thawte SHA256 SSL CA

COMODO SSL CACrazy Domains (OV) Certification Authority ABB Intermediate CA 2 TeleSec ServerPass CA 1 Let's Encrypt Authority X1 Vodafone (Secure Networks) Aetna Inc. Certificate Authority Helsana Gruppe Service ICA 01 Justica Let's Encrypt Authority X3 AC Infrastructure Certum Extended Validation CA TBS X509 CA pro hosting Certum Domain Validation CA SHA2 AC Racine thawte DV SSL SHA256 CA PositiveSSL CA 2 COMODO SHA-256 Organization Validation Secure Server CA Swiss Government SSL CA 01 Certum Extended ValidationSymantec CA Class SHA2 3 ECC 256 bit SSL CA TI Trust Technologies GlobalDigiCert CA Baltimore CA-2 G2 UniCredit Subordinate External GeoTrust SSL CA - G3 TBS X509 CA SGC TrustID Server CA A52 CA de Certificados SSL EV Actalis Authentication CA G2 Zorg CSP CA G21 Digidentity Organisatie CA - G2 Trusted Secure Certificate Authority DigiCert Global Root G2 TeleSec ServerPass Class 2 CA C=TW, O=Chunghwa Telecom Co.,AC Ltd., Racine OU=Public - Secteur Certification public developpement Authority durable InnoSSL TrustSign DV Certification Authority RSA Corporate CA v2 Getronics CSP Organisatie CA - G2 Volusion Vodafone (Secure Sites) Verizon Public SureServer CA G14-SHA2 Verizon Akamai SureServerSiemens CA Issuing G14-SHA1 CA Class Internet ServerSTRATO 2013 SSL - G4 USERTrust High-Assurance Secure Server CA SSL.com Free SSL CA SpaceSSL CA VeriSign Class 3 Public Primary NetworkCertification Solutions Authority EV -Server G4 CA USERTrust Extended Validation Secure Server CA Certum Trusted Network CA Intermediate Certificate DV SSL CA - G2 EAEko Herri Administrazioen CA - CA AAPP Vascas (2) DigiCert Global CA G2 Getronics CSP Justitie CA - G2 KEYNECTIS SSL RGS Cybertrust Public SureServer SV CA Trustwave Domain ValidationSwissSign CA Silver CA - G2 COMODO SHA-256 Domain Validation Secure Server CA thawte Primary Root CA - G3 QuoVadis CSP - PKI Overheid CA - G2 CLASS 2 KEYNECTIS CA Intel External Basic Issuing CA 3A AffirmTrust Networking Vodafone (Corporate Services 2009) Telstra RSS Issuing CA1 SSL.com High Assurance CA Siemens Internet CA V1.0 Network Solutions DV Server CA Volusion nazwaSSL C=TW, O=Chunghwa Telecom Co., Ltd., OU=Public Certification Authority - G2 DKHS Device CA Certum Global Services CA SHA2 C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority Symantec Class 3 Secure Server CA - G4 MarketWare Server CA Vodafone (Corporate Domain 2009) AC Ministere - Secteur public developpement durable RapidSSL CA Aetna Inc. Secure CA2 Trustwave Organization Validation CA Baltimore CyberTrust Root KPN PKIoverheid Organisatie CA - G2 DPDHL TLS CA I3 GeoTrust DV SSL CA T-TeleSec GlobalRoot Class 2 Trend Micro CA DigiCert SHA2 Extended Validation Server CA COMODO SHA-256 Extended Validation Secure Server CA nazwaSSL IT SSLC=it, SHA2 O=Banca d'Italia, OU=Servizi di certificazione dei sistemi informatici GeoTrust SSL CA - G2 Class 2 Primary CA VeriSign Class 3 Secure Server CA - G3 AddTrust External CA RootInCommon Server CA UTN - DATACorp SGC Cybertrust Japan Public CA G3 Apple IST CAGeoTrust 2 - G1 DV SSL CA - G4 D-TRUST Root Class 3 CA 2 2009 Southern Company External Issuing CA 1 TERENA eScience SSL CA Symantec Class 3 ECC 256 bit Extended Validation CA DOMENY.PL OV Certification Authority Verizon Public SureServer CA G14-SHA1 DigiCert High Assurance EV CA-1 WebSpace-Forum Server CA RapidSSL SHA256 CA Staat der Nederlanden Organisatie CA - G2 www.lh.pl Secure Business Services CA Certum Organization Validation CA SHA2 Microsoft IT SSL SHA1 Register.com CA SSL Services (OV) Aetna Inc. SecureTERENA EV CA SSL High Assurance CA 3 Izenpe.com COMODO High-Assurance Secure Server CA RSA Corporate Server CA v2 GeoTrust DV SSL CA - G3 Virginia Tech Global Qualified Server CA DOUGLAS Group CA - G1 COMODO Domain Validation Secure Server CA 2 Verizon Akamai SureServer CA G14-SHA2 GeoTrust SSL CA - G4 Bechtel External Policy CA 1 PositiveSSL CA D-TRUST SSL Class 3 CA 1 2009 KEYNECTIS Extended Validation CA Swisscom Rubin CA 1 ABB IntermediateGeoTrust CA 3 Global CA TWCA Secure Certification Authority Intel External Basic Policy CA Plex Devices High Assurance CA2 DREAMHOST SSL CA GlobalSign Organization Validation CA Volusion GlobalSign Domain Validation CA - SHA256 - G3 SGTRUST CERTIFICATION AUTHORITY EuropeanSSL Server CA GlobalSign Extended Validation CA - SHA256 - G2 SwissSign Server Silver CA 2008 - G2 DOUGLAS Group IS CA - G1 DigitPA CA1 DigiCert High Assurance EV Root CA K Software Certificate Authority (OV) Intesa Sanpaolo CA Servizi Esterni Enhanced STRATO SSL - G2 DigiCert ECC Secure Server CA GlobalSign Organization Validation CA -AC G2Serveurs - Secteur public developpement durable K Software Certificate Authority (DV) thawte Extended Validation SHA256 SSL CA OptimumSSL CA COMODO SSL CA 2 InfoCert Web Certification Authority GlobeSSL CA TeleSec ServerPass CA 2 ABB Issuing CA 6 DigiCert High AssuranceWellsSecure CA-3 CertificateWellsSecure Authority Public Root CertificateSwisscom Authority Root CA 1 Entrust Education Shared Service Provider GeoTrust DV SSL CA - G2 Gandi Standard SSL CA Trusted Root CA G2 AlphaSSL CA - SHA256 - G2 GlobalSign RootSign Partners CA DOMENY.PL DV Certification Authority LiteSSL CA IEXTCA-SSL.ibechtel.com KPN Corporate Market CSP Organisatie CA - G2 NCC Group Secure Server CA G2 USERTrust Secure Server CA Postecom CS3 Entrust Certification Authority - L1C SecureCore SHA-1 DV CA Cybertrust Japan Public CA G2 Certum CA Intesa Sanpaolo CA Servizi Esterni DigiCert Secure Server CA Ford Motor Company - Enterprise CA Digi-Sign CA Digi-SSL Xp UTN-USERFirst-Hardware GlobalSign Gandi Pro SSL CA TrustSign BR Certification Authority (DV) IEXTCA-SSL.ibechtel.com Staat der Nederlanden Root CA - G2 WebSpace-Forum Essential CA Camerfirma AAPP II - 2014 Configuration AusCERT Server CA Bechtel External Policy CA 1 Hostpoint DV SSL CA - G2 SECOM Passport for Web SR 3.0 CA Camerfirma Corporate Server II - 2015 SECOM Passport for Web EV 2.0 CA GlobalSign Domain Validation CA icewarp.com (IceWarp Domain Validation CertificationGlobeSSL Authority) CA Register.com CA SSL Services (DV) GlobalTrust Certification Authority Entrust CertificationEuropeanSSL Authority High - L1K Assurance Server CA UIS-IsuB1-CA Eusko Jaurlaritzako langileen CA - CA personal Gobierno Vasco LuxTrust rootVR IDENTCA EXTERNAL ROOT CA 2011 RapidSSL SHA256 CA - G3 Certum Level IV CA GlobalSign Root CA McAfee OV SSL CA Intel ExternalWellsSecure Basic Issuing Public CA Root3B Certification Authority 01 G2 DigiCert Global Root CA TrustSign BR Certification Authority (OV) Google Internet Authority G2 Certum Level II CA YourNet SSL for business2 Camerfirma Corporate Server - 2009GlobalSign Entrust Managed Services Commercial Public Root CA UIS-IntB-CA Network Solutions Certificate Authority ESG Organisatie CA - G2 CNNIC SHA256 SSL CNNIC DQ SSL STRATO SSLTrust Provider B.V. DV SSL CA - G2 Alpha CA TBS X509 CA business NII Open Domain CA - G4 ATT Wi-Fi Services Root Certificate Authority G2 Chambers of Commerce Root - 2008 TERENA SSL CA Entrust.net Certification Authority (2048) GlobalSign Organization Validation CA - SHA256 - G2 Configuration Digi-Sign CA Digi-SSL Xs GeoTrust SSL CA DREAMHOST SSL DOMAIN VALIDATED CA VR IDENT SSL CA 2011 LuxTrust Qualified CA WellsSecure Certification Authority 01 G2 Entrust Certification Authority - L1M GlobalSign EC Administration CA1 D-TRUST Root Class 3 CA 2 EV 2009 NSW-DEC-ISS-CA1 USERTrust ECC Certification Authority Intermediate Certificate DV SSL CA DigiCert SHA2 High Assurance Server CAKDDI Web Communications Certification Authority COMODO RSA Domain Validation Secure Server CA 2 DPDHL TLS SHA2 CA I3 KPN Corporate Market CSP Justitie CA - G2 C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2 GlobalSign Domain Validation CA - SHA256 - G2 WoSign Server Authority GlobalSign Extended Validation CA - SHA256 - G2 RapidSSL Enterprise CA Internet Network Information Center EV Certificates Root CNNIC ROOT ICPEdu GlobalSign CloudSSL CA - SHA256 - G3 COMODO RSA Organization Validation Secure Server CA QuoVadis Root Certification Authority D-TRUST SSL Class 3 CA 1 EV 2009 AlphaSSL CA - G2 C=US, O=U.S. Government, OU=NASA,C=US, OU=CertificationO=U.S. Government, Authorities, OU=SSA, OU=NASA OU=Social Operational Security AdministrationCA Certification Authority

Flash SSLGenie GlobalSign Intel External Issuing CA 6A C=US, O=U.S. Government, OU=Department of the Treasury, OU=Certification Authorities, OU=OCIO CA GlobalSign Extended Validation CA - G2 Camerfirma AAPP - 2012VeriSign Class 3 Secure Server CA -USERTrust G3 ECC Extended Validation Secure Server CA Southern Company External Issuing CA 1 CNNIC EV SSL InCommon ECC Server CA COMODO RSA Domain Validation Secure Server CA 3 COMODO RSA Extended Validation Secure Server CA 2 UIS-IntB-CA The Walt Disney Company Root CA Virginia Tech Global Qualified Server CA Entrust Root CertificationEntrust Authority Certification - G2 Authority - L1K UIS-IntB-CA GlobalSign Organization Validation CA - SHA256 - G2 C=US, O=U.S. Government, OU=NASA, OU=Certification Authorities,IEXTCA-SSL.ibechtel.com OU=NASA Operational CA UIS-IsuB1-CA CrossTrust OV CA3 AWS Corporate CA G2 Trusted Root CA SHA256 G2 YourNet SSL for domain2 CNNIC SSL QuoVadis Root CA 2 G3 ATT Wi-Fi ServicesC=US, O=U.S.Corporate Government,C=US, Certificate O=U.S. OU=DepartmentAuthority Government,C=US, G3 O=U.S. OU=Departmentof the Treasury,Government, OU=Certification of Homeland OU=Department Security, Authorities, of OU=CertificationHomeland OU=OCIO Security, CAAuthorities, OU=Certification OU=DHS Authorities, CA4 OU=DHS CA4 DigiCert SHA2 Secure Server CA COMODO RSA Certification Authority Symantec Class 3 Secure Server CA - G4 GlobalSign Domain Validation CA - G2 Wells Fargo Certificate Authority WS1Symantec Class 3 ECC 256 bit SSL CA - G2 The Walt Disney Company Issuing CA Sonera Class2 CA Entrust Root Certification Authority COMODOcPanel RSA WoSignDomain Class 1 DV Server CA G2 Validation Secure ServerATT CA Wi-Fi Services Root Certificate Authority G3 EINS/PKI Public Certification Authority V3 C=US, O=U.S. Government, OU=Department of the Treasury, OU=Certification Authorities, OU=US Treasury Root CA Entrust Certification Authority - L1M GlobalSign Domain Validation CA - SHA256 - G2 Migros Root Certification Authority EC-AL Symantec Class 3 EV SSL SGC CA - G2 InCommon IGTF Server CA Coop System CA 1 WoSign Class 3 OV ProWoSign Server Class CA 1 DV Server CA DOD ID SW CA-38 ATT Wi-Fi Services Partner Certificate Authority G3 CrossTrust DV CA3 Migros CA Class1 EC-UR 360 OV Server CA UNIWUE-CA - G01 COMODO RSA Extended Validation Secure Server CA Intel External Issuing CA 6B DHBW CA - G01 QuoVadis Global SSL ICA G3 Entrust Certification Authority - L1E Government CA HFK-BREMEN-CA 360 OV Server CA G2 Government CA Universitaet Oldenburg PKI VeriSign Class 3 International ServerThawte CA SGC - G3CA - G2 DOD ID SW CA-37 VeriSignOracle SSL CA - G2Class 3 Public Primary Certification Authority - G5 TeleSec ServerPass Extended Validation Class 3 CA WoSign CA Free SSL Certificate NORDAKADEMIE CA-01 T-TeleSec GlobalRoot Class 3 Western Digital Technologies Certification Authority DFN-Verein-GS-CA - G02 Belgium Root CA3 DoD Root CA 3 JGU CA - G01 Symantec Class 3 EV SSL CA - G3 YourNet SSL for business WoSign Class 2 IV Server CA G2 Certification Authority of WoSign subito. Dokumente aus Bibliotheken e.V. CA - G01 EC-ACC Coop Root CA 1 rbb CA VeriSign Class 3 Extended Validation SSL SGC CA C=US, O=Entrust, OU=Certification Authorities, OU=EntrustDoD Interoperability Managed Services Root CA Root 2 CA DKRZ CA - G02 HS-EL CA WoSign Class 4 EV Server CA Certinomis - Easy CA WoSign Class 3 OV Server CA Universitaetsklinikum Freiburg CA - G01 HS Fulda CA - G02 Bayerische SSL-CA-2015-01 LRZ-CA - G01 WISeKey CertifyID Advanced Services CA 3 Cybertrust SureServer EV OCSP CA WISeKey CertifyID Advanced Services CA 4 WoSign Class 3 OV Server CA G2 DFN-Verein CA Services KAGOYA JAPAN Certification Authority Symantec Class 3 ECC 256 bit EV CA - G2 WoSign Class 3 OV Pro Server CA G2 BA Sachsen Staatliche Studienakademie Bautzen CA Bayerische SSL-CA-2015-02 HHS-FPKI-Intermediate-CA-E1 EC-GENCAT Belgium Root CA4 Helmholtz-Zentrum fuer Infektionsforschung OISTE WISeKey Global Root GA CA WoSign Class 2 IV Server CA Technische Fachhochschule Georg Agricola zu Bochum - CA Osaka University Public RootCA Certinomis - Root CA Hochschule Niederrhein CA - G01 PIK-CA - G01 Deutsche Kinemathek CA Universitaet Paderborn CA - G01 Federal Common Policy CA Hochschule Offenburg CA Government CA Universitaet Duisburg-Essen CA -G01 QuoVadis Root CA 3 WoSign Class 4 EV Server CA G2 Configuration Universitaet Halle CA DBFZ CA NII Open Domain CA - G3 Symantec Class 3 EV SSL CA - G2 GlobeSSL DV Certification Authority 2 WoSign CA Free SSL Certificate G2 YourNet SSL for domain WebSpace-Forum ServerTrustAsia CA IIRSA DV SSL Server CA Deutsches Archaeologisches Institut - CA G01 Trustwave Client Authentication Certification Authority TrustAsia RSA OV SSL Server CA Cybertrust Global Root Mathematisches Forschungsinstitut Oberwolfach gGmbH CA - G01 ISAS CA - G01 Fachhochschule Landshut CA - G01 Configuration ZBW CA - G01 PTB CA Schloss Dagstuhl - LZI GmbH CA - G01 360 EV Server CA G2 Belgium Root CA2 WISeKey CertifyID Advanced G1 CA Federal Bridge CA 2013 SSL.com Premium EV CA ifn-magdeburg CA-G01 BfR CASTIFTUNG PREUSSISCHER KULTURBESITZ - CA FZJ Certification Authority - G02 XRamp Global Certification Authority Universitaet Potsdam CA - G01 C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1 K Software Certificate Authority (OV) 2 BTU-CA (G01 2008) SECOM Passport for Web SR 2.0 CA Federal Bridge CA 2013 HSRM-CA EC-SAFP PH Heidelberg CA GEOMAR CA - G02 COMODO Extended Validation Secure Server CA Digi-Sign CA Digi-SSLGlobeSSL OV Certification Authority 2 Verizon Public SureServer EV SSL CA G14-SHA2 SecureCore RSA DV CA HS-Ulm-CA Jacobs University CA - G01 FH Potsdam CA - G01 UNIVERSITAET LEIPZIG CA RapidSSL SHA256 CA - G2 Cybertrust Japan EV CABetrusted G2 Production SSP CA A1 VeriSign Class 3 Extended Validation SSL CA SignSec Certification Authority HAW Ingolstadt CA - G01 RUM-CA-G Zertifizierungsinstanz GlobeSSL EV Certification Authority 2 HMTM Hannover CA FHGE CA - G01 CrossTrust OV CA1 BVB-CA CrossTrust DV CA1 SSL.com High Assurance CA DIW Berlin CA Uni-HD2-CA BSH-CA GEI CA - G01 EINS/PKI Public Certification Authority V2 COMODO Extended Validation Secure Server CA 2 SHA-1 Federal Root CA TU Dresden CA - G02 MPG CA HS Ludwigsburg CA - G01 HS OWL CA - G01 USERTrust RSA Domain Validation Secure Server CA GeoTrust DV SSL SHA256 CA - G2 Gandi Standard SSLCybertrust CA 2 Public SureServer EV CA DFKI-CA - G01 Network Solutions OV Server CA 2 Veterans Affairs Device CA B2 SSL.com DV CA HS-Harz-CA Ohm CA - G01 Thawte SSL CA USERTrust RSA Extended Validation Secure Server CA Fachhochschule Aachen CA - G01TH Wildau CA USERTrust RSA Certification Authority Uni Witten/Herdecke CA - G01 FZD-CA - G02 ZKM-EDV Executive Office of the President CA-B8 HTWG KN CA thawte DV SSL CA - G2 thawte Extended Validation SSL CA USERTrust RSA Organization Validation Secure Server CA TBS X509 CA business 2 Hochschule fuer Technik und Wirtschaft Berlin BAW CA IdenTrust ACES CA 1 HWR Berlin CA WISeKey CertifyID Advanced Services CA 2 CA Universitaet des Saarlandes Hochschule fuer angewandte Wissenschaften FH Hof CA - G01 Universitaet-Goettingen CA DFN-WiNShuttle-CA - G02 HS Magdeburg Stendal (FH) CA - G01 CSP SSL Service CA 5 MPIE-CA - G01 McAfee OV SSL CA 2 thawte SSL CA - G2 COMODO Certification Authority HAW Hamburg CA - G02 FH-Flensburg CA - G02 Servision Certification Authority K Software CertificateTrusted Authority Secure (DV) 2Certificate Authority 5 HS Reutlingen CA - G01 KeyNet Systems RSA DV CA Fachhochschule Wuerzburg-Schweinfurt CA 3 (FHWS-CA 3) GESIS-CA Bundesanstalt fuer IT-Dienstleistungen CA - G01 DOD CA-28 TUB-CA IWM CA - G01 BMMV CA - G 01 Fritz-Haber-Institut CA VeriSign Class 3 SSP Intermediate CA - G2 UniKoeln CA Gandi Pro SSL CA 2 thawte Primary Root CA GeoTrust Extended Validation SHA256 SSL CA TERENA SSL CA 2 DST ACES CA X6 TU Bergakademie Freiberg CA (TUBAF-CA) Hochschule Muenchen CA Deutsche Telekom AG Helmholtz-Zentrum fuer Umweltforschung GmbH - UFZ CA - G01 Umweltbundesamt CA - G01 Thawte DV SSL CA EssentialSSL CA FH-Erfurt-CA TBS X509 CA pro hosting 2 DigiCert Grid Trust CA G2 DFN-CERT Services GmbH CA - G02 GRS CA HSRW CAHelmholtz Zentrum Muenchen CA - G01 Network Solutions DV Server CA 2 MPIZ CA Zertifizierungsstelle FH Duesseldorf - G02 RapidSSL SHA256 CA - G4 BlackCert GeoTrust Primary Certification Authority - G3 TU Dortmund CA - G01 GeoForschungsZentrum Potsdam CA - G01 thawte EV SSL CA - G2 Global-Uni-Ulm-CA StartCom Class 1 Client CA DigiCert Secure Auth CA DIPF CA - G02 BBAW-CA 1 SSL.com Premium EV CA IPK Gatersleben CA - G02 C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority TU Clausthal CA - G02 Universitaet Bremen CA Ernst Moritz Arndt Universitaet Greifswald - G02 GeoTrust SHA256 SSL CA DoD Interoperability Root CA 1 DIfE CA CA der LUH (UH-CA) - G03 HS Hannover CA - G01 DigiCert Federated Healthcare CA HS Merseburg CA Institut fuer Weltwirtschaft an der Universitaet Kiel CA - G01 WHZ Zwickau CA WebSpace-Forum Essential CA II HGB Leipzig CA - G02 RHRK-CA - G02 Go Daddy Secure Certification Authority GeoTrust Secure Site Starter DV SSL CA - G1 InCommon RSA Server CA PHKA CA Uni-Konstanz CA-S001 IPF CA - G01 Secure Site Starter DV SSL CA - G2 DigiCert Federated Trust CA IAP CA - G01 thawte EV SSL CA - G3 StartCom Class 1 Primary Intermediate Client CA Uni Kiel CA - G02 HTW-Dresden CA - G02 TeliaSonera Server CA v1 HMT-LEIPZIG-CA Alfred-Wegener-Institut CA - G01 DOD CA-27 Fraunhofer Service CA - G01 DoD Root CA 2 FH-Westkueste CA MDR CA GeoTrust DV SSL SHA256 CA HKI Jena CA - G01 FHWF-CA StartCom Class 1 DV Server CA FH Muenster CA - G01 DigiCert Assured ID Root CA FH Koeln CA - G01 HS NB - CA - G02 Kuehne Logistics University GmbH CA PH-FR CA HTWK Leipzig CA Uni Flensburg CA LSKN CA Intermediate Certificate DV SSL CA - G3 StartCom Class 4 EV Server CA Visa eCommerce Root DLA Marbach CA - G01 Fachhochschule Aschaffenburg TERENA eScience SSL CA 3 FHB-CA Visa eCommerce Issuing CA Actalis Authentication CA G2 RWTH Aachen CA DLR CA - G02 BSZ-BW CA - G02 NECLAB-CA StartCom Class 3 OV Server CA StartCom Certification Authority AffirmTrust Commercial DigiCert Assured ID CA-1 Hochschule Lausitz CA Deutscher Bundestag CA - G01 UHH CA - G02 HfWU UNIVERSITAETSmedizin. Mainz - CA - G01 VeriSign Universal Root Certification Authority Campus Berlin-Buch CA - G02 StartCom Certification Authority TUD CA G01 FZI CA - G01 LIKAT CA Universitaet Bonn CA Universitaet Passau CA - G01 WoSign Class 3 OV Pro Server CA G2 DFG-CA FH Neu-Ulm CA - G01 TeliaSonera Root CA v1 ORC ECA SW 5 Starfield Secure Certification Authority StartCom Class 3 Primary Intermediate Server CA IHP-CA DFN-Verein PCA Global - G01 TERENA SSL CA 3 Juur-SK Hochschule Deggendorf CA - G01 Universitaet Jena CA - G01 FH-Coburg CA HSKA-CA EAH-CA - G01 HS Kempten CA HZB CA Hochschule Bremerhaven CA ZIB-CA Actalis Authentication CA G3 FV Berlin - PKI CA HS-WOE CA - G01 Hochschule Hamm-Lippstadt CA - G01 StartCom Extended Validation Server CA StartCom Class 2 Primary Intermediate Server CA PH Ludwigsburg CA - G01 Buypass Class 2 CA 2 Trend Micro S2 CA Technische Universitaet Braunschweig CA StartCom Class 1 Primary IntermediateStartCom Server Class 2 CA IV Server CA IDS-CA - G01 Deutscher Wetterdienst CA - G01 FH Augsburg CA - G02 ECA Root CA 2 Hochschule Osnabrueck CA - G 01 Symantec Class 3 Secure Server SHA256 SSL CA HS-WGT-CA-G02 StartCom Class 3 OV ServerActalis CA Authentication Root CA Freie Universitaet Berlin - FU-CA - G01 WZB CA Leuphana Universitaet Lueneburg CA Fachhochschule Luebeck CA - G01 HfT-Stuttgart CA-G01 DESY CA - G02 HU-CA BSB-CA Hochschule Bonn-Rhein-Sieg CA - G01 CA der Westfaelischen Hochschule - G01 GSI CA 02 HTWM CA Buypass Class 2 Root CA Autoridad de Certificacion Firmaprofesional CIF A62634068 HydrantID SSL ICA Fachhochschule Nordhausen CA - G01 MPI GemeinschaftsgueterFA CA Ludwigsburg CA IFW Dresden CA Buypass Class 3 CACertification 2 Authority of WoSign G2 Symantec Class 3 Extended Validation SHA256 SSL CA Fachhochschule Hannover CA AC Firmaprofesional - INFRAESTRUCTURA Certigna SSL PRIS Hochschule Ruhr West CA IASS Potsdam CA KLASS3-SK 2010 Evangelische Fachhochschule RWL CA - G01 UdK Berlin CA Deutsches Herzzentrum Berlin Zertifizierungsstelle TeliaSonera Server CA v2 HydrantID EV SSL ICA G1 GWDG CA ZIVIT CA - G01 HS-Aalen-CA-G01 Sachsen Global CA CA der Universitaet zu Luebeck RFH Koeln CA TuTech Innovation GmbH Deutsche Sporthochschule Koeln - CA HafenCity Universitaet Hamburg CA - G01 ZIVIT CA - G01 ZZF Potsdam CA - G01 C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority Swisscom Root CA 2 IdenTrust ECA 4 SRH Hochschule Heidelberg CA-G01HIS GmbH CA Buypass Class 3 Root CA QuoVadis Global SSL ICA Actalis Extended Validation Server CA G1 COMODO ECC Domain Validation Secure Server CA 2 FH-Frankfurt a.M. - CA Fachhochschule Kiel HAW-CA AC Firmaprofesional - CA1 Hochschule Heilbronn CA-G02 Max-Planck-Institut fuer Biophysik ZIT-CAIPHT-JENA-CA QuoVadis Global SSL ICA G2 Ruhr-Universitaet Bochum CA TiHo Hannover CA TeleSec ServerPass DE-2 HS Mannheim CA SECOM Passport for Web EV CA Universitaet Bayreuth CA (UNIBT-CA) G01 Uni Hildesheim CA HZG CA WoSign Class 3 OV Server CA G2 BU Weimar CA - G02 HSU CA - G01 ZALF CA FH-RO CA - G02 FH Stralsund CA - G02 Freie Hansestadt Bremen CA - G01 Charite CA - G02 C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV RootCA1QuoVadis Europe SSL CA G1 GeoTrust Extended Validation SSL ORCCA - G2ECA SW 4 DNB-CA Zertifizierungsstelle Universitaet Muenster - G02 Uni Bamberg CA - G02 CA der Universitaet Bielefeld - G02 Swisscom Smaragd CA 2 Universitaet Stuttgart CA - G01 AC CAMERFIRMA AAPP QuoVadis Root CA 2 HE CA - G02Landeshauptstadt Erfurt Stadtverwaltung CA - G01 FHDO-CA Global - G01 Universitaet Giessen S CA - G01 FHJ CA - G01 SwissSign EV Gold CA 2009 - G2 EVHN CA - G01 FH-OOW CA - G02 Hochschule Darmstadt AC Camerfirma Express Corporate Server v3 Deutsche Telekom Root CA 2 LMU-CA Leibniz-Institut fuer Astrophysik Potsdam (AIP) CA - G01 EE Certification Centre Root CA COMODO ECC Domain Validation Secure Server CA Hochschule fuer Film und Fernsehen Konrad Wolf CA FLI CA Certigna Bundesamt fuer Kartographie und Geodaesie CA HS-ZIGR CA TUHH CA in DFN-PKI Global - G01 Buypass Class 2 CA 1 Trustis Healthcare TT Issuing Authority T-Systems SfR CA 2 hbz NRW CA - G02 Uni-Siegen CA - G02 COMODO Client Authentication and Secure Email CA Fachhochschule Bielefeld UniBwM CA-G01 QuoVadis EV SSL ICA G1 TU Chemnitz Certification Authority - TUC/URZ CA G3 HS Bochum CA - G01 Nestle External CA UNI-FFM CA Chambers of Commerce Root UAUX-CA DKFZ CA FHW CA - G01 KLASS3-SKCOMODO 2010 ECC Certification Authority Universitaet Erfurt CA - G01 KIT-CA HS Anhalt CA - G02 Hochschule Bremen CA 1 Kath. Universitaet Eichstaett-Ingolstadt CA - G01 GeoTrust Primary CertificationGeoTrust Authority EV SSL CA - G5 Uni Marburg CA - G02 hswca - G02 Bundesamt fuer Strahlenschutz CA Uni Rostock CA - G02 FCH CA - G02 Fachhochschule Giessen-Friedberg CA - G02 FH-SWF CA Shared Business CA SwissSign3 Gold CA - G2 BLB Karlsruhe CA BuypassCOMODO Class 2 CA ECC 2 Organization Validation Secure Server CA VR IDENT SSL CA 2016 HfMT Hamburg CA - G01 HydrantID SSL ICA G2 Leibniz-Institut fuer Astrophysik Potsdam (AIP) CA - G01 FernUniversitaet in Hagen Global CA Uni-Osnabrueck RZ-CA G-002 FAU-CA Beuth Hochschule Berlin CA C=GB, O=Trustis Limited, OU=Trustis FPS FF Issuing Authority FA Ludwigsburg CA Uni-Wuppertal CA Zertifizierungsstelle des UKSH HEAL-LINK Hellenic Academic Libraries Link CA R1 KatHO NRW CA - G01 DFN-CA Global CA Disig Root R2 Shared Business CA 4 RWI - TD-EDV CA Uni Kassel Certification Authority (UniKassel-CA) - G02 Certigna Services CA Musikhochschule Luebeck CA - G01ESO PKI - G02 C=GB, O=Trustis Limited, OU=Trustis FPS Root CA Uni-FR CA - G02 Certigna SSL CA Disig R2I2 Certification Service Paedagogische Hochschule Weingarten CA Leibniz-Institut fuer Nutztierbiologie CA - G01 Global-UNITUE-CA 01 TeleSec ServerPass DE-1 Europa-Universitaet Viadrina CA Max Rubner-Institut CA - G01 Institute of Shipping Economics and Logistics (ISL) - CA Uni Duesseldorf CA-G01 MHH CA SwissSign Server GoldSwissSign CA 2014 -Server G22 Gold CA 2008 - G2 Zertifizierungsstelle der TUM COMODO ECC Extended Validation Secure Server CA SwissSign EV Gold CA 2014 - G22 TU Ilmenau CA FHW-CA HS Ansbach CA GeoTrust EV SSL CA - G4 Uni Regensburg CA - G01 HAWK-HHG-CA - G02 Aristotle University of Thessaloniki Central CA R4 Hongkong Post e-Cert CA 1 - 15 DIMDI CA - G01 HBC-Global CA - G 01 HFU CA - G01 MPIfG-CA C=GB, O=Trustis Limited, OU=Trustis FPS TT Issuing Authoritye-Szigno SSL CA 2014 UTN-USERFirst-Client Authentication and Email Uni Magdeburg CA Hongkong Post Root CA 1 Hellenic Academic and Research Institutions RootCA 2011 FH Regensburg CA Uni. Hohenheim CA - G01 Microsec e-Szigno Root CA 2009 Technological Educational Institution of Central Macedonia CA R2 bgr-ca Thuenen-Institut CA - G01 Hochschule fuer Gestaltung KarlsruheUniversitaet CA -Vechta G01 CA - G01 Hongkong Post e-Cert CA 1 - 10 COMODO SHA-2 Pro Series Secure Server CA COMODO Pro Series Secure Server CA Hongkong Post e-Cert CA 1 - 14

National and Kapodistrian University of Athens CA R2 Aristotle University of Thessaloniki Central CA R5 National and Kapodistrian University of Athens CA R1 AAA Certificate Services Greek Academic Network CA R2CEDEFOP CA R1