webpki-root-certs

This is a crate containing Mozilla's trusted root certificates in self-signed X.509 certificate format.

If you are using webpki or rustls you should prefer webpki-roots - it is more space efficient and easier to use.

This crate is inspired by certifi.io and uses the data provided by the Common CA Database (CCADB).

About

The webpki and rustls ecosystem represent trust anchors with the webpki::TrustAnchor type, containing only the data used as inputs for the RFC 5280 certificate path validation algorithm. In some instances (e.g. when interacting with native platform certificate verifiers) it may be required to provide trust anchors as full X.509 self-signed certificates.

Compared to webpki-roots this crate contains the full self-signed certificate DER data for each trust anchor is included in webpki_roots.

License

The underlying data is MPL-licensed, and src/lib.rs is therefore a derived work.

Regenerating sources

Sources are generated in an integration test, in tests/codegen.rs. The test will fail if the sources are out of date relative to upstream, and update src/lib.rs if so. The code is generated in deterministic order so changes to the source should only result from upstream changes.