Subject: A Verisign CA certificate was dropped, but is still in use in the wild
Hello.

In release 20141217, the certificate "Verisign Class 3 Public Primary Certification Authority" disappeared. That certificate is still listed as essentially valid on (formerly ):

Description: This root CA is the root used for Secure Site Pro Certificates, Premium SSL Certificates and Code Signing Certificates. It is intended to be the primary root used for these products until Q4 2010 when VeriSign transitions to using a 2048 bit root. After that transition this CA will be used as part of a cross certification to ensure legacy applications continue to trust VeriSign certificates and must continue to be included in root stores by vendors. This root is expected to be used in this way at least until 12/31/2013 and vendors should not plan on removing support for this root until officially advised that the root is no longer needed to support certificates or CRL validation.

But looking at the (Mozilla "release" source), that certificate is marked as "MUST_VERIFY_TRUST" instead of "TRUSTED_DELEGATOR", which of course makes the mk-ca-bundle.pl script skip it.

Problem is, many places still use certificates signed by that, and those certificates are not going to expire for quite some time (the server that prompted this investigation, onlinetools.ups.com, has a certificate that will expire at the end of 2016).

I'm not sure what the solution should be, and I'm going to publish a new release of Net::UPS that suggests using a different certificate store, but other people may get bitten by the same problem, so I thought I'd give you a heads-up.
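
The trust marker described in the report above can be audited before a bundle is regenerated. The following Python script is an added example, not part of the original report and not mk-ca-bundle.pl's own code: it parses a constructed excerpt in the style of NSS certdata.txt trust objects and lists which roots a bundle filtered on TRUSTED_DELEGATOR for server authentication would skip. The second root and all trust values other than the server-auth value of the Verisign entry are made up for illustration.

```python
import re

# Constructed excerpt in the style of NSS certdata.txt trust objects (hash and
# serial attributes omitted; only the Verisign SERVER_AUTH value is from the report).
SAMPLE = '''\
# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for Certificate "Example Root CA (constructed)"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''

# "NAME TYPE VALUE" attribute lines; comments, octal data and END do not match.
ATTR = re.compile(r'^(CKA_\w+)\s+(\w+)\s+(.*)$')

def parse_trust_objects(text):
    """Return {label: {purpose: level}} for every CKO_NSS_TRUST object."""
    objects, obj = [], None
    for line in text.splitlines():
        m = ATTR.match(line.strip())
        if not m:
            continue
        name, kind, value = m.groups()
        if name == "CKA_CLASS":            # every object starts with its class
            obj = {"class": value, "label": None, "trust": {}}
            objects.append(obj)
        elif obj and name == "CKA_LABEL":
            obj["label"] = value.strip('"')
        elif obj and name.startswith("CKA_TRUST_") and kind == "CK_TRUST":
            obj["trust"][name[len("CKA_TRUST_"):]] = value.replace("CKT_NSS_", "")
    return {o["label"]: o["trust"] for o in objects if o["class"] == "CKO_NSS_TRUST"}

def split_by_trust(trust, purpose="SERVER_AUTH", level="TRUSTED_DELEGATOR"):
    """Partition roots into (included, skipped) for a purpose/level filter."""
    included = sorted(l for l, t in trust.items() if t.get(purpose) == level)
    skipped = {l: t.get(purpose, "absent") for l, t in trust.items() if l not in included}
    return included, skipped

if __name__ == "__main__":
    included, skipped = split_by_trust(parse_trust_objects(SAMPLE))
    print("included:", included, "\nskipped:", skipped)
```

Comparing the skipped set between two certdata.txt revisions shows which roots a new bundle release will stop trusting, so dependent clients can be checked beforehand.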