Make WordPress Core

Opened 4 months ago

Closed 2 months ago

Last modified 7 weeks ago

#62811 closed defect (bug) (fixed)

Update bundled root certificates for 6.8

Reported by: desrosj
Owned by: desrosj
Milestone: 6.8
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description (last modified by desrosj)

This ticket is for updating the Root Certificates bundle included in WordPress Core for the 6.8 release cycle.

Previously:

Note: Some unexpired legacy 1024-bit certificates are included manually for backwards compatibility. See [35919].

Change History (42)

This ticket was mentioned in PR #8134 on WordPress/wordpress-develop by @desrosj.


4 months ago
#1

This updates the bundled root certificates that ship with WordPress Core by syncing the latest upstream changes from Mozilla as of December 31, 2024.

This also removes several expired legacy certificates that were included for backwards compatibility.

Trac ticket: https://core.trac.wordpress.org/ticket/62811

@skithund commented on PR #8134:


4 months ago
#2

Cybertrust Global Root also expired on 2021-12-15

@desrosj commented on PR #8134:


4 months ago
#3

Thanks @todeveni! Updated.

#4 @desrosj
4 months ago

The attached PR removes the following legacy certificates:

  • Cybertrust Global Root - 2021-12-15
  • Thawte Server CA - 2020-12-31
  • Thawte Premium Server CA - 2020-12-31

#5 @johnbillion
4 months ago

  • Type changed from defect (bug) to task (blessed)

#6 @desrosj
4 months ago

  • Description modified (diff)
  • Type changed from task (blessed) to defect (bug)

#7 @desrosj
4 months ago

  • Description modified (diff)

@johnbillion commented on PR #8134:


3 months ago
#8

Recommending that this is closed in favour of #8137.

@desrosj commented on PR #8134:


3 months ago
#9

> Recommending that this is closed in favour of #8137.

Works for me. My initial thinking was to separate the build process and the actual update of the certificates. But don't feel strongly about that at all.

#10 @desrosj
3 months ago

In 59740:

Security: Introduce Grunt task for updating Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations. To date, updates have only been merged into Core when problems arise using a highly manual process.

This introduces the certificates:upgrade Grunt task to automate the process of updating the included bundle with upstream changes using Composer to manage versioning.

The legacy 1024bit certificates included for backwards compatibility are now maintained in a separate file that is prepended to the built version of the bundle during the relevant Grunt tasks. Some expired certificates from this list have been removed:

  • Cybertrust Global Root (expired 2021-12-15)
  • Thawte Server CA (expired 2020-12-31)
  • Thawte Premium Server CA (expired 2020-12-31)

The Dependabot configuration has also been updated to open pull requests when new releases occur upstream. Going forward, the recommendation is to create a task ticket for updating these certificates with each release when an update is published. See #62811 for an example of this.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
Fixes #62812. See #62811, 50828.

#11 @johnbillion
3 months ago

  • Resolution set to fixed
  • Status changed from new to closed

#12 @desrosj
2 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Looks like there is a 1.5.6 update available.

#14 @desrosj
2 months ago

  • Owner set to desrosj
  • Resolution set to fixed
  • Status changed from reopened to closed

In 59969:

Security: Update composer/ca-bundle to version 1.5.6.

Follow up to [59740].

Fixes #62811.

#15 @desrosj
2 months ago

In 59974:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 6.7 branch.

See #62811, #62711.

#16 @desrosj
2 months ago

In 59994:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 6.6 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#17 @desrosj
2 months ago

In 59995:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 6.5 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#18 @desrosj
2 months ago

In 59996:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 6.4 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#19 @desrosj
2 months ago

In 59997:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 6.3 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#20 @desrosj
2 months ago

In 59998:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 6.2 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#21 @desrosj
2 months ago

In 59999:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 6.1 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#22 @desrosj
2 months ago

In 60000:

Security: Update bundled Root Certificates.

🎵 60,000 certs on the wall. 60,000 certs. Take one down, pass it around, 59,999 certs on the wall. 🎵

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

This equals a lot of certificates.

Partially merges [59740] and [59969] to the 6.0 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry, joedolson.
Fixes #60000. See #62811, #62711.

#23 @desrosj
2 months ago

In 60001:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 5.9 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#24 @desrosj
2 months ago

In 60002:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 5.8 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#25 @desrosj
8 weeks ago

In 60013:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 5.7 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#26 @desrosj
8 weeks ago

In 60014:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 5.6 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#27 @desrosj
8 weeks ago

In 60015:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [59740] and [59969] to the 5.5 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711.

#28 @desrosj
8 weeks ago

In 60016:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [48707], [59740] and [59969] to the 5.4 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711, #50828.

#29 @desrosj
8 weeks ago

In 60017:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [48707], [59740] and [59969] to the 5.3 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
See #62811, #62711, #50828.

#30 @desrosj
8 weeks ago

In 60018:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [46094], [48707], [59740] and [59969] to the 5.2 branch.

See #62811, #62711, #50828, #45807.

#31 @desrosj
8 weeks ago

In 60019:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [46094], [58707], [59740] and [59969] to the 5.1 branch.

See #62811, #62711, #50828, #45807.

#32 @desrosj
8 weeks ago

In 60020:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [46094], [58707], [59740] and [59969] to the 5.0 branch.

See #62811, #62711, #50828, #45807.

#33 @desrosj
8 weeks ago

In 60021:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [46094], [58707], [59740] and [59969] to the 4.9 branch.

See #62811, #62711, #50828, #45807.

#34 @desrosj
8 weeks ago

In 60022:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [46094], [58707], [59740] and [59969] to the 4.8 branch.

See #62811, #62711, #50828, #45807.

#35 @desrosj
8 weeks ago

In 60023:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [46094], [58707], [59740] and [59969] to the 4.7 branch.

See #62811, #62711, #50828, #45807.

#36 @desrosj
8 weeks ago

In 60024:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [46094], [58707], [59740] and [59969] to the 4.6 branch.

See #62811, #62711, #50828, #45807.

#37 @desrosj
8 weeks ago

In 60025:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [37431], [46094], [58707], [59740] and [59969] to the 4.5 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry, paragoninitiativeenterprises, ocean90, DrewAPicture.
See #62811, #62711, #50828, #45807, #36835.

#38 @desrosj
8 weeks ago

In 60026:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [37431], [496094], [58707], [59740] and [59969] to the 4.4 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry, paragoninitiativeenterprises, ocean90, DrewAPicture.
See #62811, #62711, #50828, #45807, #36835.

#39 @desrosj
8 weeks ago

In 60027:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [34283], [35919], [36570], [37431], [46094], [58707], [59740] and [59969] to the 4.3 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry, paragoninitiativeenterprises, ocean90, DrewAPicture, dd32, rmccue.
See #62811, #62711, #50828, #45807, #36835, #34935.

#40 @desrosj
8 weeks ago

In 60028:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [34283], [35919], [36570], [37431], [46094], [58707], [59740] and [59969] to the 4.2 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry, paragoninitiativeenterprises, ocean90, DrewAPicture, dd32, rmccue.
See #62811, #62711, #50828, #45807, #36835, #34935.

#41 @desrosj
8 weeks ago

In 60029:

Security: Update bundled Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations.

This updates the ca-bundle.crt file to the latest version, which applies upstream changes from the bundle maintained by Mozilla and keeps all unexpired legacy 1024bit certificates which are kept for backward compatibility purposes (see [35919]).

Partially merges [34283], [35919], [36570], [37431], [496094], [58707], [59740] and [59969] to the 4.1 branch.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry, paragoninitiativeenterprises, ocean90, DrewAPicture, dd32, rmccue.
Fixes #62711. See #62811, #50828, #45807, #36835, #34935.

#42 @desrosj
7 weeks ago

I've gone and opened #63165 for the 6.9 cycle.
