Version

v26.3.0

Platform

Linux 6.6.137-0-virt #1-Alpine SMP PREEMPT_DYNAMIC 2026-04-30 12:31:36 aarch64 Linux

Subsystem

crypto

What steps will reproduce the bug?

After Node 26.3 upgrade, it seems that some root certificates has been discarded from embedded node runtime. For instance, I've found out that "GTS Root R2" is not present anymore whereas it's a still valid upstream (in Mozilla NSS project).

Using tls.rootCertificates we can extract default SSL certificate embedded inside Node binary (injected from src/node_root_certs.h source code)

const tls = require('tls');
const crypto = require("crypto");

tls.rootCertificates.forEach(function(value){
    console.log("--------------------");
    const cert = new crypto.X509Certificate(value);
    console.log(`Issuer: ${cert.issuer.split('\n').reverse().join(', ')}`);
    console.log(`SHA256: ${cert.fingerprint256}`);
    console.log("--------------------");
});

How often does it reproduce? Is there a required condition?

This issue is independent from any condition / configuration

What is the expected behavior? Why is that the expected behavior?

Like in previous node release, I should see information about GTS Root R2 certificate like this :

• Issuer: CN=GTS Root R2, O=Google Trust Services LLC, C=US
• SHA256: 8D:25:CD:97:22:9D:BF:70:35:6B:DA:4E:B3:CC:73:40:31:E2:4C:F0:0F:AF:CF:D3:2D:C7:6E:B5:84:1C:7E:A8

Furthermore, the source code of upstream NSS certdata.txt still contains "Google GTS R2" certificate

What do you see instead?

A few root certificates are missing from tls.rootCertificates especially "Google GTS R2"

Additional information

• Upstream NSS 3.123.1 certdata.txt contains "GTS Root R2" certificate
• I've found our that this change in TLS certs have been integrated in crypto: update root-certificates to 3.123.1 #63527 PR