Mozilla Blocking CCNIC’s CA Too

Profile image of Mattias Geniar

Mattias Geniar, April 03, 2015

Follow me on Twitter as @mattiasgeniar

So it isn’t just Google.

Sucks if you’re ordering your certificates through one of their intermediates, and being duped because of this.

… after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.

Distrusting New CNNIC Certificates


The chain of trust is only as strong as its weakest link. Especially with Certificate Authorities.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.