Users of the public services portal of the Russian Federation (gosuslugi.ru) received a notification about the creation of a state certification authority with their root TLS certificate, which is not included in the storage of root certificates of operating systems and main browsers. Certificates are issued on a voluntary basis to legal entities and are intended to be used in situations where TLS certificates are revoked or terminated as a result of sanctions. For example, US-based CAs, such as DigiCert, have stopped issuing certificates for websites of organizations on the sanctions list.
Currently, the state root certificate is integrated only into Yandex.Browser and Atom products. To ensure that sites that use certificates from a public CA are trusted in other browsers, you must manually add the root certificate to the system or browser certificate store.
Among the sites that have already received state TLS certificates are various banks (Sberbank, VTB, Central Bank) and organizations and projects affiliated with government agencies. At the same time, at the time of writing, the main websites of Sber and VTB continue to use traditional TLS certificates supported in all browsers, but some subdomains (for example, online-alpha.vtb.ru) have already been transferred to the new certificate.
In the event that a new CA is imposed or abuses such as MITM attacks are discovered, it is likely that Firefox, Chrome, Edge, and Safari browser manufacturers will take action to add the problematic root certificate to the certificate revocation lists, as they already did with the certificate , implemented to intercept HTTPS traffic in Kazakhstan.
Source: opennet.ru