Client Domains

This page documents all of the domains that Balrog serves, when various applications switched to them, their SSL pinning requirements, and active certificates.

SSL Certificates

| Domain | Issuer | Serial Number | Primary/Backup | Expiration | Links | Comments |
|---|---|---|---|---|---|---|
| aus5.mozilla.org | DigiCert | 02:39:74:46:BB:F4:1C:48:6B:98:63:A8:54:0B:19:DD | Primary | June 16, 2021 | | |
| | | 07:10:8B:20:9E:D3:45:6C:EE:88:94:91:44:C4:56:0C | Retired on ???? | | | One of these may have been a primary, and the other a backup. This information has been lost to the ether |
| | | 0D:23:43:9A:32:3D:25:C5:A6:C3:2D:76:63:60:05:53 | Retired on June 14th, 2019 | August 13, 2019 | Bug 1369143 | |
| | | 07:D5:0D:C7:F3:68:98:2F:AB:5E:19:B9:C5:FB:A1:5C | Retired on July 20, 2017 | July 28, 2017 | Bug 1179339 | |
| | Thawte | 0c:96:80:24:b6:b2:72:81:42:8b:53:a5:24:94:52:fb | Backup | August 14, 2020 | Bug 1369143 | |
| | | Unknown | Retired Backup | August 10, 2017 | Bug 1179339 | |
| aus4.mozilla.org | DigiCert | 0D:91:88:7A:D7:F0:B5:A5:7A:AE:67:45:8D:24:FE:81 | Primary | October 27, 2020 | | |
| | | 05:5A:F0:03:C4:5E:01:11:4A:D0:5E:24:D7:74:3B:1E | Retired Primary | December 7, 2018 | Bug 732461 | |
| | Thawte | 25:a8:fd:b6:7a:1f:6c:b8:95:99:e0:91:5c:69:71:05 | Retired Backup | September 24, 2017 | Bug 919746 | Explicitly not renewing this cert, per https://bugzilla.mozilla.org/show_bug.cgi?id=1340880#c60 |
| aus3.mozilla.org | Thawte | 5b:44:41:c9:34:ed:c8:9c:81:b9:32:0d:09:43:45:a9 | Primary | February 7, 2020 | Bug 1340880 | Not possible to have a backup cert because Thawte is the only Issuer compatible with all clients using this domain. |

Pinning Requirements

| Domain | Application | Versions | Issuer Pinned To | HPKP(inning) | Links | Renewable? |
|---|---|---|---|---|---|---|
| aus5.mozilla.org | Firefox | 42.0 and up | Nothing | None | Bug 1116409 | YES - No pinning requirements for some apps, and we can get certs for those that do pin. |
| | Fennec | | | | | |
| | GMP | | "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"; "CN=thawte SSL CA - G2,O=thawte, Inc.,C=US" | | | |
| | Thunderbird | 51.0 and up | Nothing | | Bug 1182352 | |
| | | 42.0 - 50.0 | "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"; "CN=thawte SSL CA - G2,O=thawte, Inc.,C=US" | | Bug 1116409 | |
| | B2G | Unknown | Nothing | | | |
| | SystemAddons | 44.0 and up | Any CA included in Firefox’s root store | | Bug 1213348 | |
| aus4.mozilla.org | Firefox | 36.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"; "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" | | Bug 885477 | |
| | Thunderbird | | | | Bug 922264 | |
| | Fennec | 27.0 - 42.0 | | | Bug 885477 | |
| | B2G | Unknown | Nothing | | Bug 918068 | |
| | GMP | 37.0 - 41.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"; "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" | | | |
| aus3.mozilla.org | Firefox | 26.0 - 35.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"; "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" | | Bug 921045 | NO - All apps do pinning, and we cannot get certs that are compatible. |
| | | 4.0 - 25.0 | "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"; "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" | | Bug 586213 | |
| | Thunderbird | 27.0 - 35.0 | "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US"; "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" | | Bug 942748 | |
| | | 14.0 - 26.0 | "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"; "CN=Thawte SSL CA,O="Thawte, Inc.",C=US" | | Bug 751679 | |
| aus2.mozilla.org | Firefox | 2.0 - 3.6 | Nothing | Nothing | Bug 302721 | YES - No pinning requirements. We just 302 to another domain at this point, though. |
| | Fennec | <=26.0 | | | Bug 302721 | |