# webpki-root-certs

This is a crate containing Mozilla's trusted root certificates in self-signed
X.509 certificate format.

**If you are using `webpki` or `rustls` you should prefer `webpki-roots` - it is
more space efficient and easier to use.**

This crate is inspired by [certifi.io](https://certifi.io/en/latest/) and uses the data provided by the
[Common CA Database (CCADB)](https://www.ccadb.org/).

# About

The `webpki` and `rustls` ecosystem represent trust anchors with the
`webpki::TrustAnchor` type, containing only the data used as inputs for the [RFC
5280] certificate path validation algorithm. In some instances (e.g. when
interacting with native platform certificate verifiers) it may be required to
provide trust anchors as full X.509 self-signed certificates.

Compared to `webpki-roots` this crate contains the full self-signed certificate
DER data for each trust anchor is included in `webpki_roots`.

[RFC 5280]: https://www.rfc-editor.org/rfc/rfc5280#section-6

# License

The underlying data is MPL-licensed, and `src/lib.rs` is therefore a derived work.

# Regenerating sources

Sources are generated in an integration test, in `tests/codegen.rs`. The test
will fail if the sources are out of date relative to upstream, and update
`src/lib.rs` if so. The code is generated in deterministic order so changes
to the source should only result from upstream changes.