A complete, individually downloadable collection of 120 trusted Root Certificate Authority (CA) certificates in PEM format, sourced from the Mozilla Included Roots programme. Each certificate can be downloaded on its own — useful when your project, application, or embedded system only needs to trust a specific subset of root CAs rather than importing an entire CA bundle.

120 certificates · PEM format (.pem) · Includes newer roots (2020–2023) and established roots · Source: Mozilla CA Certificate Store

About These Certificates

What are Root CA certificates?

Root Certificate Authorities (CAs) are the top-level entities in the public key infrastructure (PKI) trust chain. Browsers, operating systems, and applications ship with a built-in list of trusted root CAs. When a server presents a TLS/SSL certificate, its chain of trust must lead back to one of these roots for the connection to be considered secure.

Why download individual root certificates instead of a full CA bundle?

Full CA bundles (like cacert.pem from curl) contain over 100 certificates. For constrained environments — embedded devices, IoT firmware, minimal containers, or applications that only connect to specific services — importing the entire bundle is unnecessary. Selecting only the roots you need reduces attack surface and keeps your trust store lean.

What is PEM format?

PEM (Privacy Enhanced Mail) is a base64-encoded format for storing cryptographic objects such as certificates. PEM certificates are plain text files beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. They use the .pem or .crt extension and are the most widely supported format across Linux, macOS, and web servers such as nginx and Apache.

How do I install a downloaded root certificate?

Linux (system-wide): copy the .pem file to /usr/local/share/ca-certificates/ (rename to .crt first on Debian/Ubuntu), then run sudo update-ca-certificates.

macOS: double-click the file and add it to Keychain Access, then set trust to "Always Trust" under the certificate's settings.

Windows: rename to .crt, double-click, and use the Certificate Import Wizard to add it to the "Trusted Root Certification Authorities" store.

Python / requests: pass the file path to the verify= parameter, or append it to your system's CA bundle.

Where do these certificates come from?

These certificates are extracted from the Mozilla CA Certificate Store, the same root store used by Firefox and distributed by curl as cacert.pem. Mozilla maintains this list through its CA Inclusion Policy, which requires CAs to meet rigorous security and audit standards.

Newer Root CAs (2020-2023)

SSL.com EV Root Certification Authority RSA R2Download .pem
OISTE WISeKey Global Root GC CADownload .pem
certSIGN ROOT CA G2Download .pem
Hongkong Post Root CA 3Download .pem
e-Szigno Root CA 2017Download .pem
Autoridad de Certificacion Firmaprofesional CIF A62634068Download .pem
NAVER Global Root Certification AuthorityDownload .pem
AC RAIZ FNMT-RCM SERVIDORES SEGUROSDownload .pem
vTrus Root CADownload .pem
vTrus ECC Root CADownload .pem
HiPKI Root CA - G1Download .pem
GlobalSign Root R46Download .pem
GlobalSign Root E46Download .pem
D-TRUST EV Root CA 1 2020Download .pem
HARICA TLS RSA Root CA 2021Download .pem
HARICA TLS ECC Root CA 2021Download .pem
ISRG Root X2Download .pem
DigiCert TLS RSA4096 Root G5Download .pem
DigiCert TLS ECC P384 Root G5Download .pem
Certainly Root R1Download .pem
Certainly Root E1Download .pem
TrustAsia Global Root CA G3Download .pem
TrustAsia Global Root CA G4Download .pem
Atos TrustedRoot Root CA RSA TLS 2021Download .pem
Telekom Security TLS ECC Root 2020Download .pem
SZAFIR ROOT CA2Download .pem
emSign Root CA - G1Download .pem
emSign ECC Root CA - G3Download .pem
emSign Root CA - C1Download .pem
emSign ECC Root CA - C3Download .pem
ANF Secure Server Root CADownload .pem
TunTrust Root CADownload .pem
Certum EC-384 CADownload .pem
Certum Trusted Root CADownload .pem
Microsoft ECC Root Certificate Authority 2017Download .pem
Microsoft RSA Root Certificate Authority 2017Download .pem
SecureSign Root CA12Download .pem
SecureSign Root CA14Download .pem
SecureSign Root CA15Download .pem
BJCA Global Root CA1Download .pem
BJCA Global Root CA2Download .pem
GTS Root R3Download .pem
GlobalSignDownload .pem
GTS Root R1Download .pem
GTS Root R4Download .pem
Telia Root CA v2Download .pem
D-TRUST BR Root CA 1 2020Download .pem
Atos TrustedRoot Root CA ECC TLS 2021Download .pem
SSL.com TLS ECC Root CA 2022Download .pem
SSL.com TLS RSA Root CA 2022Download .pem
Sectigo Public Server Authentication Root R46Download .pem
Sectigo Public Server Authentication Root E46Download .pem
TWCA CYBER Root CADownload .pem
D-TRUST EV Root CA 2 2023Download .pem
D-TRUST BR Root CA 2 2023Download .pem
OISTE Server Root ECC G1Download .pem
OISTE Server Root RSA G1Download .pem
SwissSign RSA TLS Root CA 2022 - 1Download .pem
Telekom Security TLS RSA Root 2023Download .pem
e-Szigno TLS Root CA 2023Download .pem
TrustAsia TLS RSA Root CADownload .pem
TrustAsia TLS ECC Root CADownload .pem

Established Root CAs

ACCVRAIZ1Download .pem
Actalis Authentication Root CADownload .pem
Atos TrustedRoot 2011Download .pem
Buypass Class 2 Root CADownload .pem
Buypass Class 3 Root CADownload .pem
CA Disig Root R2Download .pem
Certum Trusted Network CADownload .pem
COMODO ECC Certification AuthorityDownload .pem
DigiCert Assured ID Root G2Download .pem
DigiCert Assured ID Root G3Download .pem
DigiCert Global Root G2Download .pem
DigiCert Global Root G3Download .pem
DigiCert Trusted Root G4Download .pem
D-TRUST Root Class 3 CA 2 2009Download .pem
D-TRUST Root Class 3 CA 2 EV 2009Download .pem
Entrust Root Certification AuthorityDownload .pem
GlobalSignDownload .pem
Go Daddy Root Certificate Authority - G2Download .pem
Izenpe.comDownload .pem
Microsec e-Szigno Root CA 2009Download .pem
NetLock Arany (Class Gold) FőtanúsítványDownload .pem
QuoVadis Root CA 1 G3Download .pem
QuoVadis Root CA 2 G3Download .pem
QuoVadis Root CA 3 G3Download .pem
Security Communication RootCA2Download .pem
Starfield Root Certificate Authority - G2Download .pem
Starfield Services Root Certificate Authority - G2Download .pem
T-TeleSec GlobalRoot Class 2Download .pem
T-TeleSec GlobalRoot Class 3Download .pem
TWCA Global Root CADownload .pem
TWCA Root Certification AuthorityDownload .pem
COMODO RSA Certification AuthorityDownload .pem
USERTrust RSA Certification AuthorityDownload .pem
USERTrust ECC Certification AuthorityDownload .pem
GlobalSignDownload .pem
IdenTrust Commercial Root CA 1Download .pem
IdenTrust Public Sector Root CA 1Download .pem
CFCA EV ROOTDownload .pem
OISTE WISeKey Global Root GB CADownload .pem
Certum Trusted Network CA 2Download .pem
Amazon Root CA 3Download .pem
GDCA TrustAUTH R5 ROOTDownload .pem
Amazon Root CA 2Download .pem
Amazon Root CA 1Download .pem
Amazon Root CA 4Download .pem
Hellenic Academic and Research Institutions RootCA 2015Download .pem
GlobalSignDownload .pem
Hellenic Academic and Research Institutions ECC RootCA 2015Download .pem
TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1Download .pem
Certigna Root CADownload .pem
UCA Extended Validation RootDownload .pem
UCA Global G2 RootDownload .pem
SSL.com EV Root Certification Authority ECCDownload .pem
SSL.com Root Certification Authority ECCDownload .pem
SSL.com Root Certification Authority RSADownload .pem
ISRG Root X1Download .pem
Security Communication ECC RootCA1Download .pem
AC RAIZ FNMT-RCMDownload .pem

Root CA Certificate Repository

About These Certificates

Sectigo Public Server Authentication CA DV R36 chain

Newer Root CAs (2020-2023)

Established Root CAs