Overview Users Self-signed Admins Cross-signed OpenSSL  Home
In 1994, Netscape started with certificates for SSL. In 1996, VeriSign was one of the first companies to sell those. Thawte started as a competition. To maximize its market power, VeriSign bought Thawte and GeoTrust. GeoTrust owns the trust anchor Equifax and the brand RapidSSL. The asset of that business were three trust anchors (see below, third column). The price difference came from the fact that not every SSL client had included Equifax, that not everyone had included Thawte. Consequently, their anchor [VeriSign] Class 3 Public Primary Certification Authority promised broadest interoperability. Even in the year 2017, some embedded devices knew just VeriSign as trust anchor. Later, Symantec bought the certificate business out of VeriSign. Over the time, the business moved to 2048 bit, SHA-2, and ECC creating new trust anchors. Only within the VeriSign brand those got cross-signed to the anchor from day one.

  Subject Name  → Legacy Root
(2048 bit)  GeoTrust Global  → Equifax Secure 
(2048 bit)  GeoTrust Primary  → Equifax Secure 
(2048 bit)  Thawte Primary  → Thawte Premium 
(SHA-2)  GeoTrust G3 
(SHA-2)  Thawte G3 
(SHA-2)  VeriSign Universal  VeriSign Class 3 G5  Class 3 G3  → Class 3 
(ECC)  VeriSign Class G4  VeriSign Class 3 G5  Class 3 G3  → Class 3 

In 2018, Google Chrome 70 and Mozilla Firefox 64 removed all anchors from Synamtec. Consequently, the trust anchors above got historic status. Customers re-issued their certificates for free via the new owner DigiCert. By this, the certificate got public via the Webpage crt.sh and the path changed to CyberTrust.
 SHA-1 Regional SHA-256 Regional ECDSA  Symantec @