TIL: Mozilla and CAs

Published May 29, 2025

Today we had an issue at work because Mozilla deprecated some CAs from TRUSTED to MUST_VERIFY. This caused issues with some of our customers and made me do a deep dive into how Mozilla builds up it's CA list, which is used by many people and organizations. Apparently, every April 15 they downgrade CAs that are more than 15 years old. You can find some more information out at their wiki.