Where does Chrome get its list of certificate authorities from?
Those are NSS built-in certificates. They are provided through a shared library: /usr/lib/libnssckbi.so (path may be different on your system). That's where Chrome gets them from.
You could list them with certutil like this:
Make a link to the library in ~/.pki/nssdb:
ln -s /usr/lib/libnssckbi.so ~/.pki/nssdb
Then run:
certutil -L -d sql:$HOME/.pki/nssdb/ -h 'Builtin Object Token'
Output:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Builtin Object Token:GTE CyberTrust Global Root C,C,C
Builtin Object Token:Thawte Server CA C,,C
Builtin Object Token:Thawte Premium Server CA C,,C
Builtin Object Token:Equifax Secure CA C,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 1 C,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 3 C,C,C
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority C,C,C
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G2 ,C,
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority - G2 ,C,C
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority - G2 C,C,C
Builtin Object Token:GlobalSign Root CA C,C,C
Builtin Object Token:GlobalSign Root CA - R2 C,C,C
Builtin Object Token:ValiCert Class 1 VA C,C,C
Builtin Object Token:ValiCert Class 2 VA C,C,C
Builtin Object Token:RSA Root Certificate 1 C,C,C
..................................................................
..................................................................
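An added example, not part of the answer above: a shell filter that reads a `certutil -L` listing like the one shown and prints only the built-in roots whose flags for a chosen usage contain `C` (trusted CA, per the certutil documentation). The function names `roots_trusted_for` and `sample_listing` and the usage keywords are hypothetical; the sample rows are copied from the listing above with the column spacing re-created.

```sh
#!/bin/sh
# Added example: filter `certutil -L` output by trust column.
# The trust field has three comma-separated columns: SSL,S/MIME,JAR/XPI.

# Constructed sample: rows copied from the listing above, column spacing re-created.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:GTE CyberTrust Global Root              C,C,C
Builtin Object Token:Thawte Server CA                        C,,C
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G2 ,C,
Builtin Object Token:GlobalSign Root CA - R2                 C,C,C
EOF
}

# roots_trusted_for <ssl|smime|jarxpi>: reads a certutil -L listing on stdin and
# prints the nicknames whose flags for that usage contain "C" (trusted CA).
roots_trusted_for() {
    case "$1" in
        ssl)    _col=1 ;;
        smime)  _col=2 ;;
        jarxpi) _col=3 ;;
        *) echo "usage: roots_trusted_for ssl|smime|jarxpi" >&2; return 2 ;;
    esac
    awk -v col="$_col" '
        # Certificate rows end in a flags triple such as "C,C,C", "C,,C" or ",C,".
        # Header lines and the dotted elision lines do not match and are skipped.
        match($0, /[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/) {
            nick  = substr($0, 1, RSTART - 1)   # everything before the flags
            flags = substr($0, RSTART)
            gsub(/[ \t]/, "", flags)
            split(flags, f, ",")                # empty fields stay empty
            sub(/^Builtin Object Token:/, "", nick)
            if (index(f[col], "C")) print nick
        }'
}

# Real use: certutil -L -d sql:$HOME/.pki/nssdb/ -h 'Builtin Object Token' | roots_trusted_for ssl
sample_listing | roots_trusted_for ssl
```

Comparing the `ssl` and `smime` results shows that a root present in the built-in token is not necessarily trusted for TLS: the Verisign Class 1 G2 row (`,C,`) is listed but carries no SSL trust.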
It gets them from the underlying operating system. You can read about it here:
- Root Certificate Policy
Excerpt from the above link:
Google Chrome attempts to use the root certificate store of the underlying operating system to determine whether an SSL certificate presented by a site is indeed trustworthy, with a few exceptions.
That page goes on to describe who to contact if you're a root CA provider for the various OSes etc.
References
- LinuxCertManagement
- NSS Shared DB And LINUX
On the off chance that you're asking because you actually need to use the list of root CAs, here they are (unfortunately named only by index):
Individual Certificate Files
https://github.com/coolaj86/node-ssl-root-cas/tree/master/pems
Mozilla's Big File of Certificates
http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
Scripts to Parse the Big File of Certificates
https://github.com/coolaj86/node-ssl-root-cas
https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl
http://curl.haxx.se/docs/mk-ca-bundle.html
General Information about extracting Mozilla's Certificates File
http://curl.haxx.se/docs/caextract.html