The different root certificates are used for different purposes as described below. If you are not sure which one you need, you can import all of them or contact our Center of Excellence.
These documents will only be available to shell internal staff. For others pls contact GXITSOSOMETISGPKI-CMS-EKMSServiceManagement@shell.com
Certificate Policy (last update 08/2023)
Shell's Internal Type 1 Certificate Policy |
|
Shell's Internal Type 2 Certificate Policy |
Certificate Practice Statement (last update 08/2023)
Shell's Internal Type 1 Certification Practice Statement |
|
Shell's Internal Type 2 Certification Practice Statement |
The following certificate authorities are operated
according to the practices described in the above CPS.
Distinguished Names are represented using the
algorithm recommended in RFC 4514.
The Shell Private Type 1 Root CA provides a SHA2
compatible Public Key Infrastructure, whereas the Shell Private Type 2 Root CA provides a SHA1 Legacy compatible PKI.
Root CA's
Distinguished Name |
SHA-256 Hash of Subject Public Key Information (Thumbprint) |
Valid till |
Self-Signed Certificate |
CN=Shell |
ccf95dc68af9cf28105254e30c9a653ecff541b8 |
June 5, 2038 |
|
CN=Shell |
79376c0bfa31d323def5b0edad1675ab3e2bf2c0 |
June 5, 2038 |
Distinguished Name |
SHA-256 Hash of Subject Public Key Information (Previous CA hash) |
SHA-256 Hash of Subject Public Key Information (Thumbprint) |
Valid till |
Trust Anchor Info. |
Shell Private Type 1 AM Primary Issuing CA |
f8b3758ffe162bae31ba5c45ef9f192d5ce3c3e0 |
de1e2ae67321e40376c8abdcf06f3b1a39a9d74e |
March 8, 2028 |
|
Shell Private Type 1 AM Secondary Issuing CA |
65e4e08abf653ae234cb39f786a44a2dccacbf68 |
67873c0563f1f64b1ae6ef8a3c4d2ffebc3e4282 |
March 8, 2028 |
|
Shell Private Type 1 AM Issuing CA 3 |
eebf02ba54a86307f55fad6c55b4353bbd7255ef |
794dc0484af9fc5c0e1ab6d64bf555957a896e63 |
March 8, 2028 |
|
Shell Private Type 1 AP Primary Issuing CA |
c8ce027afdcedfeb38604feabcb8d44d542339ad |
d54ff0a9a003a7c5dcb92211792e148aa8881fc2 |
March 8, 2028 |
|
Shell Private Type 1 AP Secondary Issuing CA |
acb47a2ff54683d8123513bdae302663944404c7 |
b49c9ccc351ab7eafc2e0efb953b0579dea252c0 |
March 8, 2028 |
|
Shell Private Type 1 AP Issuing CA 3 |
08ed4a49aa9330e03a81786abd5eb79434365101 |
b99e9d5f2a41660ec0335ed29683b5e7e70f29d6 |
March 8, 2028 |
|
Shell Private Type 1 EU Primary Issuing CA |
c315301bffe4a4dd03e2c79698790695af5f49fb |
81cb6b79832bcdf53ad91bf71b256bebc24c7141 |
March 8, 2028 |
|
Shell Private Type 1 EU Secondary Issuing CA |
969cf8aff6322813e64b64782b955b7fd49152eb |
d70182ba5b30bf6622caa84806e674afba0ae7ca |
March 8, 2028 |
|
Shell Private Type 1 EU Issuing CA 3 |
1bd8634bb811836d7707814116cebde45b60f5c7 |
8402c47a1d58280bec241a66e1c0eebe16bcba27 |
March 8, 2028 |
|
Shell Private Type 1 EU FAAS Issuing CA |
1a3f66aa9b590e4cc8f134eaa1102c9848a270cf |
964da0c426eee141601e4f7d4cc0fd8bb321a846 |
March 8, 2028 |
|
Shell Private Type 2 AM Primary Issuing CA |
701826397c8b86724372caef0f119c6a6c7e27c1 |
7df2a9b3b4a1dd16e74a794459d0b85f60ddae84 |
March 8, 2028 |
|
Shell Private Type 2 AP Primary Issuing CA |
6ddc20a6f9b95aecdbad17db1d64071715f5e037 |
883a288c29d13e8ab9beaabeca9eaf927b951e41 |
March 8, 2028 |
|
Shell Private Type 2 EU Primary Issuing CA |
65c2cfe7de98c2162ebf998c2befea48b4c523d4 |
50bcb640491b3323c466702ca64313a86debf1e7 |
March 8, 2028 |
If you prefer to download all the Shell Private Internal PKI CA’s, then please access the file below:
Currently no active Cross Signing certs with the CA listed above as Subject.
Externally Operated Subordinate CAs
The Subordinate IOT
Distinguished Name |
SHA-256 Hash of Subject Public Key Information (Previous CA hash) |
Valid till |
SHA-256 Hash of Subject Public Key Information (Thumbprint) |
Shell Private Type 1 IOT CA |
C7A6C5A34E0C5CC04F589D3A1C37D55EF8B6A302 |
August 24, 2025 |
F902D38F5E19A8AA2F1F97F951EC61A8307248CD |
Problem
Reporting
Reports of problems with certificates
issued by Shell Internal PKI may be submitted by emailing. All reports need to include sufficient detail to identify the specific
certificates in question and the problem being reported.
Revocation Requests
Subscribers may request
revocation of their own certificates by completing All reports need to include
sufficient detail to identify
the specific certificates to be revoked.
Certificate Management Services - Service Portal (shell.com)