A domestic root certificate authority is one whose root certificate, the top of the digital certificate chain, comes from a Chinese vendor. Chinese vendors have not reached 100% compatibility. At present CFCA is the only one that qualifies as a domestic root certificate authority, and its compatibility can reach 55%, but it can never gain the trust of older operating systems or browsers.
At present it is too late to set up a new domestic root certificate authority, so certificates are mainly issued by international SSL certificate authorities, because these institutions can meet 100% compatibility and have high credibility and security. There are only 4 such institutions in the world.
A certificate authority can issue multiple certificates in a tree structure. The root certificate is the topmost certificate of the tree, and its private key is used to "sign" other certificates. A certificate signed by the root certificate that has its "ca" field set to true inherits the trustworthiness of the root certificate; the root's signature is somewhat similar to a "notarized" identity in the physical world. This type of certificate is called an intermediate certificate or a subordinate CA certificate. Certificates further down the tree depend in turn on the trustworthiness of the intermediate.
The China Internet Network Information Center (CNNIC) issued fake certificates
In 2009, an employee of the China Internet Network Information Center (CNNIC) applied to Mozilla to add CNNIC to Mozilla's root certificate list, and the request was approved. Later, Microsoft also added CNNIC to the list of root certificates for Windows.
In 2015, after an intermediate CA issued by CNNIC was found to have issued a fake certificate for a Google domain [4], many users chose not to trust digital certificates issued by CNNIC, and concerns were raised about CNNIC's abuse of its certificate-issuing authority.
On April 2, 2015, Google announced that it would no longer recognize electronic certificates issued by CNNIC. On April 4, following Google, Mozilla also announced that it would no longer recognize electronic certificates issued by CNNIC.
WoSign and StartCom: issuing false and backdated certificates
In 2016, Google refused to recognize certificates from WoSign, China's largest certificate authority, which is associated with Qihoo 360 [11], and from its Israeli subsidiary StartCom. Microsoft removed the certificate in 2017.
WoSign and StartCom issued hundreds of certificates with the same serial number in just five days and issued backdated certificates. WoSign and StartCom also issued fake GitHub certificates.
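The two issuance problems named above, reused serial numbers and backdated certificates, can be checked for in an inventory of observed certificates. The following is an added example, not part of the original page: the records, field names, CA names and the 7-day tolerance are constructed assumptions, and the backdating check is a heuristic that compares the certificate's notBefore with the time it was first observed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real certificates). "first_seen" is the time
# the certificate was first observed, e.g. in a public log (assumed field).
SAMPLE = [
    {"issuer": "Example CA G1", "serial": "0a01", "subject": "a.example",
     "not_before": "2016-03-01T00:00:00", "first_seen": "2016-03-01T02:10:00"},
    {"issuer": "Example CA G1", "serial": "0a02", "subject": "b.example",
     "not_before": "2016-03-02T00:00:00", "first_seen": "2016-03-02T01:00:00"},
    {"issuer": "Example CA G1", "serial": "0A02", "subject": "c.example",
     "not_before": "2016-03-03T00:00:00", "first_seen": "2016-03-03T05:00:00"},
    {"issuer": "Example CA G2", "serial": "0a02", "subject": "d.example",
     "not_before": "2016-03-03T00:00:00", "first_seen": "2016-03-03T06:00:00"},
    {"issuer": "Example CA G1", "serial": "0a03", "subject": "e.example",
     "not_before": "2015-12-20T00:00:00", "first_seen": "2016-03-04T09:00:00"},
]

def duplicate_serials(records):
    """Return {(issuer, serial_int): [subjects]} for serials reused by one issuer."""
    seen = defaultdict(list)
    for r in records:
        # A serial must be unique per issuer, so the key is the pair.
        # Parsing the hex string makes "0a02" and "0A02" compare equal.
        seen[(r["issuer"], int(r["serial"], 16))].append(r["subject"])
    return {key: subjects for key, subjects in seen.items() if len(subjects) > 1}

def backdated(records, tolerance=timedelta(days=7)):
    """Return (subject, gap_days) where notBefore precedes first_seen by more than tolerance."""
    flagged = []
    for r in records:
        gap = (datetime.fromisoformat(r["first_seen"])
               - datetime.fromisoformat(r["not_before"]))
        # Small gaps are normal (clock-skew allowances); large ones need review.
        if gap > tolerance:
            flagged.append((r["subject"], gap.days))
    return flagged

if __name__ == "__main__":
    for (issuer, serial), subjects in duplicate_serials(SAMPLE).items():
        print(f"serial {serial:#x} reused by {issuer}: {subjects}")
    for subject, days in backdated(SAMPLE):
        print(f"{subject}: notBefore is {days} days before first observation")
```

The same serial under a different issuer (d.example here) is not flagged, because uniqueness is only required within one issuer.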