A collection of CA certificates NOT contained in the normal set of Mozilla bundles that may still be used for traffic on your network. These are mostly IoT devices, callbacks from proprietary software, and the like that have no buisness interacting with a browser.

This was mostly spawned by Zeek traffic analysis and this post describing how to add additional certificates to the trust store for Zeek verification. I don't particularly trust Microsoft/Nest/Roku/etc but I did want to stop flagging all their traffic as anomalous and get on with looking at more interesting things.

This repo includes certificates for:

Props to Apple for making their certificates available here. I do not include the majority of their CA certificates, only the ones that are visible on the wire and are not otherwise trusted by Zeek.

Microsoft also gets props for making the certificates for their services (telemetry, Windows Update, etc) available with no fuss here.

From what I can tell Nest uses a single CA certificate that isn't included in their chain. You can scrape the Authority Key Identifier from an exchange, though, then look that certificate up using Censys and download it.

Nintendo uses a couple CA certificates, but doesn't include anym of them in the chain. The method above for NEst would probably work, but someone seems to have made them all available here already.

Roku uses multiple private CAs, but includes a full certificate chain including the self-signed CA certificate with each exchange. You can grab their certificates pretty easily by using the openssl utility:

openssl s_client -host configsvc.cs.roku.com -port 443 -showcerts < /dev/null
openssl s_client -host liberty.logs.roku.com -port 443 -showcerts < /dev/null

That will dump the entire chain, but you really only need the last one in each exchange which is included in PEM format.