(Posting in a personal capacity as I am no longer employed by Trustwave)
Mozilla Root Store Policy section 5.1 (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/) prohibits the use of P-521 keys in root certificates included in the Mozilla trust store, as well as in any certificates chaining to these roots. This prohibition was made very clear in the discussion on this list in 2017 at https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/7O34-DmZeC8/fsKobHABAwAJ.
Below is a list of unexpired, unrevoked certificates which contain P-521 public keys (grouped by CA Owner and ordered by notBefore):
Sectigo
crt.sh URL, notBefore, notAfter, issuer CN
------------------------------------------
https://crt.sh/?id=6371802, 2015-01-23, 2020-01-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=13764502, 2015-10-17, 2019-01-16, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=308269873, 2016-10-22, 2019-10-09, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=307896586, 2017-01-23, 2019-01-23, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=308306899, 2017-01-27, 2020-01-27, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=308113189, 2017-03-22, 2020-03-06, InCommon ECC Server CA
https://crt.sh/?id=307650153, 2017-03-26, 2020-03-25, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=307656068, 2017-04-20, 2020-07-18, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=307534525, 2017-05-18, 2020-05-18, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=308201491, 2017-06-27, 2020-06-26, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=292253731, 2017-12-31, 2019-12-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=325088752, 2018-02-07, 2019-02-07, Gandi Standard SSL CA 2
https://crt.sh/?id=495848274, 2018-02-25, 2019-02-25, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=363803336, 2018-03-23, 2020-05-23, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=369709685, 2018-03-29, 2019-04-28, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=369824505, 2018-03-29, 2020-03-25, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=377999330, 2018-04-05, 2020-04-04, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=395687551, 2018-04-14, 2019-04-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=441476932, 2018-04-14, 2019-04-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=419677583, 2018-04-25, 2020-04-24, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=419685986, 2018-04-25, 2020-04-24, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=441178023, 2018-05-05, 2019-05-05, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=441178000, 2018-05-05, 2019-05-05, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=447475737, 2018-05-07, 2020-05-06, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=447484644, 2018-05-07, 2020-05-06, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=453793669, 2018-05-10, 2019-05-10, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=453793685, 2018-05-10, 2019-05-10, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=455176361, 2018-05-11, 2019-05-11, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=455176321, 2018-05-11, 2019-05-11, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=463185238, 2018-05-15, 2019-05-15, USERTrust ECC Domain Validation Secure Server CA
https://crt.sh/?id=463092619, 2018-05-15, 2019-05-12, USERTrust ECC Domain Validation Secure Server CA
https://crt.sh/?id=463092603, 2018-05-15, 2019-05-12, USERTrust ECC Domain Validation Secure Server CA
https://crt.sh/?id=463185322, 2018-05-15, 2019-05-15, USERTrust ECC Domain Validation Secure Server CA
https://crt.sh/?id=499794005, 2018-06-01, 2020-02-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=498922190, 2018-06-01, 2019-06-01, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=499725167, 2018-06-01, 2020-02-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=498922249, 2018-06-01, 2019-06-01, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=505121345, 2018-06-04, 2020-06-03, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=505085090, 2018-06-04, 2020-06-03, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=513249599, 2018-06-08, 2019-09-06, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=513249610, 2018-06-08, 2019-09-06, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=524442289, 2018-06-13, 2020-06-12, InCommon RSA Server CA
https://crt.sh/?id=524489119, 2018-06-13, 2020-06-12, InCommon RSA Server CA
https://crt.sh/?id=526991990, 2018-06-14, 2020-06-13, InCommon RSA Server CA
https://crt.sh/?id=527107074, 2018-06-14, 2020-06-13, InCommon RSA Server CA
https://crt.sh/?id=539581571, 2018-06-20, 2020-03-07, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=539583525, 2018-06-20, 2020-03-07, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=542849108, 2018-06-24, 2020-06-23, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=542849110, 2018-06-24, 2020-06-23, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=543995312, 2018-06-25, 2019-06-24, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=543995179, 2018-06-25, 2019-06-24, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=591996350, 2018-07-11, 2019-07-10, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=591996006, 2018-07-11, 2019-07-10, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=596168840, 2018-07-12, 2019-07-12, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=596168871, 2018-07-12, 2019-07-12, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=597412454, 2018-07-14, 2019-07-14, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=597412673, 2018-07-14, 2019-07-14, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=606946421, 2018-07-20, 2020-07-19, InCommon RSA Server CA
https://crt.sh/?id=606946466, 2018-07-20, 2020-07-19, InCommon RSA Server CA
https://crt.sh/?id=615391317, 2018-07-22, 2019-07-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=615391414, 2018-07-22, 2019-07-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=617047567, 2018-07-23, 2019-07-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=608218571, 2018-07-23, 2020-07-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=608218537, 2018-07-23, 2020-07-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=617047089, 2018-07-23, 2019-07-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=620400049, 2018-07-26, 2019-07-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=620395555, 2018-07-26, 2019-07-26, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=620395705, 2018-07-26, 2019-07-26, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=620131184, 2018-07-26, 2019-12-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=620131002, 2018-07-26, 2019-12-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=620399817, 2018-07-26, 2019-07-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=629323969, 2018-08-01, 2019-07-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=629132167, 2018-08-01, 2019-08-01, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=628399531, 2018-08-01, 2019-08-01, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=629128772, 2018-08-01, 2019-08-01, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=629128648, 2018-08-01, 2019-08-01, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=629323768, 2018-08-01, 2019-07-22, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=629131924, 2018-08-01, 2019-08-01, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=628400266, 2018-08-01, 2019-08-01, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=637932875, 2018-08-08, 2020-08-07, InCommon RSA Server CA
https://crt.sh/?id=637932860, 2018-08-08, 2020-08-07, InCommon RSA Server CA
https://crt.sh/?id=638329218, 2018-08-09, 2020-08-08, InCommon RSA Server CA
https://crt.sh/?id=638345465, 2018-08-09, 2020-08-08, InCommon RSA Server CA
https://crt.sh/?id=638608733, 2018-08-10, 2020-08-09, InCommon ECC Server CA
https://crt.sh/?id=638608725, 2018-08-10, 2020-08-09, InCommon ECC Server CA
https://crt.sh/?id=647283822, 2018-08-13, 2020-01-12, TrustSign BR Certification Authority (DV) 2
https://crt.sh/?id=647283833, 2018-08-13, 2020-01-12, TrustSign BR Certification Authority (DV) 2
https://crt.sh/?id=648703027, 2018-08-14, 2019-07-06, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=648703097, 2018-08-14, 2019-07-06, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=649508017, 2018-08-16, 2020-09-14, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=649497464, 2018-08-16, 2020-09-14, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=651708845, 2018-08-17, 2020-10-06, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=650968319, 2018-08-17, 2019-08-17, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=651708880, 2018-08-17, 2020-10-06, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=650968313, 2018-08-17, 2019-08-17, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=655979498, 2018-08-20, 2019-08-20, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=655979734, 2018-08-20, 2019-08-20, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=702937626, 2018-09-01, 2020-08-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=703704444, 2018-09-01, 2020-08-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=703626516, 2018-09-01, 2020-08-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=703570156, 2018-09-01, 2020-08-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=703034958, 2018-09-01, 2020-08-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=703704688, 2018-09-01, 2020-08-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=715244655, 2018-09-04, 2020-09-03, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=715180338, 2018-09-04, 2020-09-03, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=718386742, 2018-09-05, 2020-08-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=718316167, 2018-09-05, 2020-08-31, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=721949738, 2018-09-06, 2020-09-05, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=721903071, 2018-09-06, 2020-09-05, COMODO ECC Organization Validation Secure Server CA
https://crt.sh/?id=732224783, 2018-09-10, 2020-09-09, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=732180667, 2018-09-10, 2020-09-09, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=742122634, 2018-09-13, 2020-09-27, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=742146772, 2018-09-13, 2020-09-27, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=743367517, 2018-09-13, 2020-09-12, InCommon RSA Server CA
https://crt.sh/?id=743250702, 2018-09-13, 2020-09-12, InCommon RSA Server CA
https://crt.sh/?id=760484279, 2018-09-17, 2020-09-16, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=760522493, 2018-09-17, 2020-09-16, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=841848220, 2018-10-09, 2019-10-09, DOMENY SSL DV Certification Authority
https://crt.sh/?id=841847447, 2018-10-09, 2019-10-09, DOMENY SSL DV Certification Authority
https://crt.sh/?id=849247022, 2018-10-11, 2020-10-10, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=849224923, 2018-10-11, 2020-10-10, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=879713746, 2018-10-21, 2020-11-27, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=879682087, 2018-10-21, 2020-11-27, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=885247476, 2018-10-23, 2019-10-23, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=885208207, 2018-10-23, 2019-10-23, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=885248041, 2018-10-23, 2019-10-23, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=885208204, 2018-10-23, 2019-10-23, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=887807299, 2018-10-24, 2019-01-22, DOMENY SSL DV Certification Authority
https://crt.sh/?id=887807764, 2018-10-24, 2019-01-22, DOMENY SSL DV Certification Authority
https://crt.sh/?id=901267132, 2018-10-29, 2020-10-28, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=901267026, 2018-10-29, 2020-10-28, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=907036453, 2018-10-31, 2019-01-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=907036502, 2018-10-31, 2019-01-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=922822862, 2018-11-06, 2019-02-04, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=922823047, 2018-11-06, 2019-02-04, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=930339735, 2018-11-08, 2020-11-07, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=930339745, 2018-11-08, 2020-11-07, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=960746353, 2018-11-20, 2021-02-21, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=960649340, 2018-11-20, 2021-02-21, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=971777686, 2018-11-24, 2019-11-24, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=971777541, 2018-11-24, 2019-11-24, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=975933667, 2018-11-25, 2019-11-25, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=975933498, 2018-11-25, 2019-11-25, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1005886673, 2018-12-06, 2019-12-06, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1005886201, 2018-12-06, 2019-12-06, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1019943658, 2018-12-11, 2020-02-09, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1020803789, 2018-12-11, 2020-12-10, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1020801336, 2018-12-11, 2020-12-10, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1019943394, 2018-12-11, 2020-02-09, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1058872928, 2018-12-26, 2020-12-25, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1058872922, 2018-12-26, 2020-12-25, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1060875132, 2018-12-27, 2020-12-26, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1060875028, 2018-12-27, 2020-12-26, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1067553416, 2018-12-30, 2020-12-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1067553966, 2018-12-30, 2020-12-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1067422853, 2018-12-30, 2020-12-29, COMODO ECC Domain Validation Secure Server CA
https://crt.sh/?id=1067422599, 2018-12-30, 2020-12-29, COMODO ECC Domain Validation Secure Server CA
DigiCert
crt.sh URL, notBefore, notAfter, issuer CN
------------------------------------------
https://crt.sh/?id=308100681, 2015-11-09, 2019-02-06, DigiCert ECC Secure Server CA
https://crt.sh/?id=307892387, 2016-07-14, 2019-07-19, DigiCert ECC Secure Server CA
https://crt.sh/?id=308355664, 2016-07-14, 2019-07-19, DigiCert ECC Secure Server CA
https://crt.sh/?id=308335383, 2016-08-11, 2019-11-09, DigiCert SHA2 Secure Server CA
https://crt.sh/?id=41935017, 2016-09-22, 2019-11-26, DigiCert ECC Secure Server CA
https://crt.sh/?id=307429360, 2016-10-13, 2020-01-10, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=104218572, 2016-10-28, 2019-11-06, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=104218573, 2016-10-28, 2019-11-06, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=104218570, 2016-10-28, 2019-11-06, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=104218373, 2017-01-11, 2019-04-11, DigiCert SHA2 Extended Validation Server CA
https://crt.sh/?id=104218343, 2017-01-11, 2019-03-20, DigiCert SHA2 Extended Validation Server CA
https://crt.sh/?id=104218342, 2017-01-11, 2019-03-20, DigiCert SHA2 Extended Validation Server CA
https://crt.sh/?id=104218451, 2017-01-11, 2020-04-10, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=104218372, 2017-01-11, 2019-04-11, DigiCert SHA2 Extended Validation Server CA
https://crt.sh/?id=104218340, 2017-01-11, 2019-03-20, DigiCert SHA2 Extended Validation Server CA
https://crt.sh/?id=104218453, 2017-01-11, 2020-04-10, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=104218371, 2017-01-11, 2019-04-11, DigiCert SHA2 Extended Validation Server CA
https://crt.sh/?id=104218449, 2017-01-11, 2020-04-10, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=79750010, 2017-01-23, 2020-04-22, DigiCert ECC Secure Server CA
https://crt.sh/?id=104218412, 2017-01-30, 2020-04-29, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=104218410, 2017-01-30, 2020-04-29, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=104218408, 2017-01-30, 2020-04-29, DigiCert SHA2 High Assurance Server CA
https://crt.sh/?id=82056937, 2017-01-30, 2019-02-04, TERENA SSL High Assurance CA 3
https://crt.sh/?id=146656935, 2017-05-31, 2019-06-05, DigiCert ECC Secure Server CA
https://crt.sh/?id=307593001, 2017-06-01, 2019-01-15, DigiCert SHA2 Secure Server CA
https://crt.sh/?id=308273560, 2017-06-27, 2020-07-01, DigiCert SHA2 Secure Server CA
Asseco Data Systems S.A. (previously Unizeto Certum)
crt.sh URL, notBefore, notAfter, issuer CN
------------------------------------------
https://crt.sh/?id=983011607, 2018-11-28, 2019-11-28, Certum Organization Validation CA SHA2
These certificates are not mis-issuances in terms of the Baseline Requirements (the BRs allow P-521), but Mozilla Root Store Policy does clearly prohibit P-521, so I wanted to alert the Mozilla community to these certificates.
Thanks,
Corey
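A way to run the check this post describes against a certificate's DER-encoded SubjectPublicKeyInfo, as an added example that is not part of the original post. It assumes section 5.1 permits only P-256 and P-384 for EC keys; the function names are hypothetical and the sample keys are constructed with all-zero dummy points.

```python
# Added example: classify an EC SubjectPublicKeyInfo (DER) by named curve.
EC_PUBLIC_KEY = "1.2.840.10045.2.1"          # id-ecPublicKey
CURVES = {                                   # OID -> (name, permitted); assumed reading of 5.1
    "1.2.840.10045.3.1.7": ("P-256", True),
    "1.3.132.0.34": ("P-384", True),
    "1.3.132.0.35": ("P-521", False),
}

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def decode_oid(body):
    """Decode OID content octets (base-128 arcs) to dotted decimal."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)            # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_spki(spki):
    """Return (curve_name, permitted); permitted is None for non-EC keys."""
    tag, start, _ = read_tlv(spki, 0)                # SubjectPublicKeyInfo
    alg_tag, a_start, _ = read_tlv(spki, start)      # AlgorithmIdentifier
    oid_tag, o_start, o_end = read_tlv(spki, a_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo")
    if decode_oid(spki[o_start:o_end]) != EC_PUBLIC_KEY:
        return ("non-EC key", None)                  # RSA rules are out of scope here
    p_tag, p_start, p_end = read_tlv(spki, o_end)    # ECParameters
    if p_tag != 0x06:                                # not a namedCurve OID
        return ("non-named-curve parameters", False)
    oid = decode_oid(spki[p_start:p_end])
    return CURVES.get(oid, (oid, False))

# Constructed samples: valid DER framing, dummy (all-zero) public points.
P521_SPKI = bytes.fromhex("30819b" "3010" "06072a8648ce3d0201"
                          "06052b81040023" "03818600" "04") + bytes(132)
P256_SPKI = bytes.fromhex("3059" "3013" "06072a8648ce3d0201"
                          "06082a8648ce3d030107" "034200" "04") + bytes(64)

if __name__ == "__main__":
    for label, spki in (("P-521 sample", P521_SPKI), ("P-256 sample", P256_SPKI)):
        print(label, check_spki(spki))
```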