Comodo Root CA, when did it become a member of...

I’m writing up a report to distribute to my clients and needed to know the effective dates and/or versions of software of when the Comodo Root CA became a trusted member for each CA list.

For example, http://www.mozilla.org/projects/security/certs/included/#Comodo points to the fact that Comodo was added to Mozilla’s Trusted Root CAs list starting from Firefox v3.0.2.

Chrome states that it uses the underlying OS’s Root CA list.

I found Microsoft’s list of Root CA members, but it does not state WHEN Comodo became a member or in what version of Windows, only that it is one.

This is important as I recently signed on with Comodo and need to make sure my clients are running the appropriate OS versions and browsers so they do NOT have to manually add the Root CA to their trust list.

Comodo has been in Mozilla’s Root CA program since before Phoenix/Firebird was renamed Firefox under both ‘AddTrust’ and ‘UserTrust’. (Various different CA names) The one you link to is ‘Comodo Certification Authority’, which we use mostly as a Cross Signed Intermediate. It’s safe to say all versions of Firefox support Comodo certificates issued via the ‘AddTrust External CA Root’, which 99.999% of our certs are.

The AddTrust External CA Root was added to the Microsoft Root CA program around the time Windows 7 hit the retail market, which was in October 2009. Both Windows 7 and Vista have automatic Root CA updates (but can be disabled by a SysAdmin) whereas NT 5.0 Family (2000, 2003, XP) all need to update via a file (rootupd.exe)

Chrome on Safari and Unix like Operating Systems such as Linux will rely on ‘libnss’, which is what Mozilla uses in ALL of their products. Chrome on Windows will make use of the Windows certificate stores.

I will have to look into the nss keystore we and other clients are using to make sure the Comodo CA is included in older versions of linux.

As far as IE is concerned, that would probably indicate that IE v8 and above would natively support Comodo - unfortunately in the enterprise environment more often than not automatic CA updates aren’t going to be unabled (I know we don’t do it automatically).

Thanks for the reply!

Most if not all bundle their browser with it. It’s not directly tied to the Linux kernel.

As far as IE is concerned, that would probably indicate that IE v8 and above would natively support Comodo - unfortunately in the enterprise environment more often than not automatic CA updates aren't going to be unabled (I know we don't do it automatically).

IE in itself does not depend on its own certificate store. It makes use of the Windows one. So it is incorrect to say that IE8 would natively support our certs. In most if not all cases, it would be safe to say having Windows XP with at least IE7 (IE8 preferred for security and stability reasons) and above for a consumer Windows OS.

You’d be surprised on how few Windows sysAdmins tinker with how CA certificates are handled on end-user systems. Servers are another story!

Wow, that’s scary. As far as I see, OV and EV SSLs are no longer signed by USERTrust CA but “COMODO Certification Authority” instead. They are also cross-signed by AddTrust indeed, but I think users on XP without Root Certificate Store update are going to hit an error, aren’t they?