In response to sanctions, Russia has created its own trusted TLS certificate authority

Digital certificates are currently used by most websites. After deploying digital certificates, data can be encrypted between users and servers to avoid hijacking by a MITM attack. It is very easy to obtain a free digital certificate now. Mozilla provides free digital certificates and can be automatically verified and issued.

There are other mid-level certificate authorities that offer free digital certificates, but businesses and government agencies are more likely to use paid digital certificates. Recently, Russia cannot use the international financial system after being sanctioned, which makes it impossible for Russian government agencies and enterprises to renew their certificates after they expire.

Russian Trusted Root CA certificate
Source: BleepingComputer

In order to solve the problem that the certificate cannot be renewed after expiration, the Russian government department decided to establish its own trusted TLS certificate authority to issue new digital certificates.

It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue. The service is provided to legal entities – site owners upon request within 5 working days,” explains the Russian public services portal, Gosuslugi (translated).

The root certificate launched by Russia is called Russian Trusted Root CA, and it can be seen from the name that this is a root certificate rather than an intermediate certificate. The root certificate has a relatively high level of authority and can be used to issue intermediate certificates, and intermediate certificate authorities can issue digital certificates to end-users.

However, this root certificate is essentially a self-signed certificate, that is, it is not recognized by the CA Forum, and there is no other root certificate authority to help verify it. Therefore, all major browsers will not trust this certificate. If the enterprise really uses this certificate, it will cause the browser to directly block the access unless it is manually verified.

The way of manual verification is to download the root certificate and import it into the system trust zone. For most users without a computer machine, importing the certificate is troublesome.

Via: bleepingcomputer