StartCom CA

Thu Jan 27 09:23:47 UTC 2011

On 2011-01-27 09:22, Julio César Rocha wrote:
> StartCom Certification Authority doesn't seem to be included in the
> cacerts.pem bundled in Windows installers for Mercurial 1.7.3. StartCom
> is a valid and, to my understanding, widely used CA so I think it shoud
> be included in the certificate store by default.

Hmm.

I have installed "TortoiseHg (version 1.1.8) / with Mercurial-1.7.3,
Python-2.6.4, PyGTK-2.16.0, GTK-2.16.6" here on Windows 7 x64.

The cacert.pem file installed in

  C:\Program Files (x86)\TortoiseHg\hgrc.d

contains (omissions marked with ...):

<excerpt>
##
## ca-bundle.crt -- Bundle of CA Root Certificates
##
## Converted at: Wed Dec 29 04:12:04 2010 UTC
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## '/mozilla/security/nss/lib/ckfw/builtins/certdata.txt'

...

StartCom Ltd.
=============
-----BEGIN CERTIFICATE-----
MIIFFjCCBH+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBsDELMAkGA1UEBhMCSUwxDzANBgNVBAgT
...
NnQt8M2YI3s3S9r+UZjEHjQ8iP2ZO1CnwYszx8JSFhKVU2Ui77qLzmLbcCOxgN8aIDjnfg==
-----END CERTIFICATE-----

StartCom Certification Authority
================================
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEWMBQGA1UEChMN
...
lwLFCRsI3FU34oH7N4RDYiDK51ZLZer+bMEkkyShNOsF/5oirpt9P/FlUQqmMGqz9IgcgA38coro
g14=
-----END CERTIFICATE-----
...
</excerpt>

I think Steve pulls cacert.pem from the link mentioned at

   http://curl.haxx.se/docs/caextract.html

at build time and they say they build their cacert.pem weekly.