Balrog/Client Domains
This page documents all of domains that Balrog serves, when various applications switched to them, their SSL pinning requirements, and active certificates.
Active Certificates
| Domain | Issuer | Serial Number | Primary/Backup | Expiration | Links |
|---|---|---|---|---|---|
| aus5.mozilla.org | DigiCert | 07:D5:0D:C7:F3:68:98:2F:AB:5E:19:B9:C5:FB:A1:5C | Primary | July 28, 2017 | bug 1179339 |
| Thawte | ??? | Backup | August 10, 2017 | ||
| aus4.mozilla.org | DigiCert | 05:5A:F0:03:C4:5E:01:11:4A:D0:5E:24:D7:74:3B:1E | Primary | December 7, 2018 | bug 832461 |
| Thawte | 25:a8:fd:b6:7a:1f:6c:b8:95:99:e0:91:5c:69:71:05 | Backup | September 24, 2017 | bug 919746 | |
| aus3.mozilla.org | Thawte | 14:6A:AB:C3:52:09:8C:4D:51:7B:FA:1B:AA:21:2C:6A | Primary | September 8, 2017 | ??? |
| ??? | ??? | Backup | ??? | ??? |
Pinning Requirements
| Domain | Application | Versions | Issuer Pinned To | HPKP(inning) | Links | Renewable? |
|---|---|---|---|---|---|---|
| aus5.mozilla.org | Firefox | 42.0 and up | Nothing | None | bug 1116409 | YES - No pinning requirements for some apps, and we can certs for those that do pin. |
| Fennec | Nothing | None | bug 1116409 | |||
| GMP | "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
"CN=thawte SSL CA - G2,O=thawte, Inc.,C=US" |
None | bug 1116409 | |||
| Thunderbird | 51.0 and up | Nothing | None | bug 1182352 | ||
| 42.0 - 50.0 | "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
"CN=thawte SSL CA - G2,O=thawte, Inc.,C=US" |
bug 1116409 | ||||
| B2G | ??? | Nothing | None | bug 1116409 | ||
| SystemAddons | 44.0 and up | Nothing | None | bug 1213348 | ||
| aus4.mozilla.org | Firefox | 36.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"
"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" |
None | bug 885477 | NO - All apps do pinning, and we cannot get certs that are compatible. |
| Thunderbird | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"
"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" |
None | bug 922264 | |||
| Fennec | 27.0 - 42.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"
"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" |
None | bug 885477 | ||
| B2G | ??? | Nothing | None | bug 918068 | ||
| GMP | 37.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"
"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" |
None | |||
| aus3.mozilla.org | Firefox | 26.0 - 35.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"
"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" |
None | bug 921045 | NO - All apps do pinning, and we cannot get certs that are compatible. |
| 4.0 - 25.0 | "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"
"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" |
None | bug 586213 | |||
| Thunderbird | 27.0 - 35.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"
"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" |
None | bug 942748 | ||
| 14.0 - 26.0 | "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"
"CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US" |
None | bug 751679 | |||
| aus2.mozilla.org | Firefox | 2.0 - 3.0 | Nothing | None | bug 302721 | YES - No pinning requirements. We just 302 to another domain at this point, though. |
| Fennec | 26.0 and earlier | Nothing | None | bug 302721 |
NB: Beginning with 24.0, Thunderbird started shipping release channel builds of ESR repos. This means that they have not shipped any release builds from Gecko versions other than 24.0, 31.0, 38.0, 45.0, 52.0, etc. The version numbers in the table still apply for Betas shipped from the major versions listed.