This page documents all of domains that Balrog serves, when various applications switched to them, their SSL pinning requirements, and active certificates.
| Domain | Issuer | Serial Number | Primary/Backup | Expiration | Links | Comments |
|---|---|---|---|---|---|---|
| aus5.mozilla.org | DigiCert | 02:39:74:46:BB:F4:1C:48:6B:98:63:A8:54:0B:19:DD | Primary | June 16, 2021 | ||
| 07:10:8B:20:9E:D3:45:6C:EE:88:94:91:44:C4:56:0C | Retired on ???? | ????? | One of these may have been a primary, and the other a backup. This information has been lost to the ether | |||
| 0D:23:43:9A:32:3D:25:C5:A6:C3:2D:76:63:60:05:53 | Retired on June 14th, 2019 | August 13, 2019 | Bug 1369143 | |||
| 07:D5:0D:C7:F3:68:98:2F:AB:5E:19:B9:C5:FB:A1:5C | Retired on July 20, 2017 | July 28, 2017 | Bug 1179339 | |||
| Thawte | 0c:96:80:24:b6:b2:72:81:42:8b:53:a5:24:94:52:fb | Backup | August 14, 2020 | Bug 1369143 | ||
| Unknown | Retired Backup | August 10, 2017 | Bug 1179339 | |||
| aus4.mozilla.org | DigiCert | 0D:91:88:7A:D7:F0:B5:A5:7A:AE:67:45:8D:24:FE:81 | Primary | October 27, 2020 | ||
| 05:5A:F0:03:C4:5E:01:11:4A:D0:5E:24:D7:74:3B:1E | Retired Primary | December 7, 2018 | Bug 732461 | |||
| Thawte | 25:a8:fd:b6:7a:1f:6c:b8:95:99:e0:91:5c:69:71:05 | Retired Backup | September 24, 2017 | Bug 919746 | Explicitly not renewing this cert, per https://bugzilla.mozilla.org/show_bug.cgi?id=1340880#c60 | |
| aus3.mozilla.org | Thawte | 5b:44:41:c9:34:ed:c8:9c:81:b9:32:0d:09:43:45:a9 | Primary | February 7, 2020 | Bug 1340880 | Not possible to have a backup cert because Thawte is the only Issuer compatible with all clients using this domain. |
| Domain | Application | Versions | Issuer Pinned To | HPKP(inning) | Links | Renewable? |
|---|---|---|---|---|---|---|
| aus5.mozilla.org | Firefox | 42.0 and up | Nothing | None | Bug 1116409 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
| Fennec | ||||||
| GMP | "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US" "CN=thawte SSL CA - G2,O=thawte, Inc.,C=US" |
|||||
| Thunderbird | 51.0 and up | Nothing | Bug 1182352 | |||
| 42.0 - 50.0 | "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US" "CN=thawte SSL CA - G2,O=thawte, Inc.,C=US" |
Bug 1116409 | ||||
| B2G | Unknown | Nothing | ||||
| SystemAddons | 44.0 and up | Any CA included in Firefox's root store | Bug 1213348 | |||
| aus4.mozilla.org | Firefox | 36.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US" "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" |
Bug 885477 | ||
| Thunderbird | Bug 922264 | |||||
| Fennec | 27.0 - 42.0 | Bug 885477 | ||||
| B2G | Unknown | Nothing | Bug 918068 | |||
| GMP | 37.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US" "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" |
||||
| aus3.mozilla.org | Firefox | 26.0 - 35.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US" "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" |
Bug 921045 | NO - All apps do pinning, and we cannot get certs that are compatible. | |
| 4.0 - 25.0 | "OU=Equifax Secure Certificate Authority,O=Equifax,C=US" "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" |
Bug 586213 | ||||
| Thunderbird | 27.0 - 35.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US" "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" |
Bug 942748 | |||
| 14.0 - 26.0 | "OU=Equifax Secure Certificate Authority,O=Equifax,C=US" "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" |
Bug 751679 | ||||
| aus2.mozilla.org | Firefox | 2.0 - 3.6 | Nothing Nothing |
Bug 302721 | YES - No pinning requirements. We just 302 to another domain at this point, though. | |
| Fennec | <=26.0 | Bug 302721 |