Browse All TLS Extensions

certificate_authorities

TLS Extension Code: 47

Extension Details

Extension Name
certificate_authorities
Extension Code (Decimal)
47
Extension Code (Hex)
0x002F
RFC Reference
RFC 8446

What is certificate_authorities?

The Certificate Authorities extension allows clients to indicate which certificate authorities (CAs) they trust. This helps servers select an appropriate certificate chain when they have multiple chains available (e.g., certificates signed by different CAs). The extension contains Distinguished Names (DNs) of trusted CAs. This is particularly useful in enterprise environments where clients may only trust specific internal CAs. However, this extension is rarely used in practice due to size constraints (Distinguished Names are large) and the prevalence of publicly trusted CAs.

Role in JA3 Fingerprinting

How This Extension Affects Fingerprinting

The certificate_authorities extension is part of the TLS Client Hello packet that JA3 analyzes to create a unique fingerprint of your browser or HTTP client.

JA3 Construction: JA3 concatenates TLS parameters including extensions in a specific format:
TLS_VERSION,CIPHERS,EXTENSIONS,CURVES,POINT_FORMATS

Different browsers and HTTP clients support different sets of TLS extensions, making this a key differentiator in fingerprinting. The presence, absence, or order of extensions like certificate_authorities can reveal:

  • Browser type and version (Chrome, Firefox, Safari, Edge)
  • Operating system (Windows, macOS, Linux, Android, iOS)
  • HTTP library (curl, Python requests, Go http.Client, Node.js)
  • Bot detection - automated tools often have distinctive extension sets

Test Your TLS Configuration

See if your browser or HTTP client includes the certificate_authorities extension in its TLS handshake:

Test Your JA3 Fingerprint

The JA3 tool will show all TLS extensions your client advertises, including certificate_authorities.

Browser & Client Support

Modern Browser Support:

  • Chrome/Edge: Full support for certificate_authorities
  • Firefox: Full support for certificate_authorities
  • Safari: Full support for certificate_authorities

HTTP Client Libraries:

  • curl: Support varies by OpenSSL/LibreSSL version
  • Python requests: Limited TLS extension control
  • curl_cffi: Can mimic browser TLS configurations
  • Scrapfly API: Automatically matches real browser TLS fingerprints

Related TLS Resources

TLS Extensions
Testing Tools

Technical References