December 2012 - this page will no longer be maintained. See the
new member page
for updated information on CAs who are members of the Windows Root Certificate Program.
Updated October 25, 2011 I am in the process of updating the list of all CAs that are members of the Windows Root Certificate Program. Please bear with me - what once was committed to this page is now fairly difficult to edit without doing
all sorts of damage to the html code, so to avoid that for the moment I'm simply making one simple amendment to the Members List (All CAs): by
Microsoft Security Advisory 2607712, in September Microsoft removed the root certificates for CA DigiNotar from distribution in our program. The line for DigiNotar in the list below is still there, but the text has been lined out (DigiNotar),
but not without some violence to the table formatting.
I'll fix that formatting fairly soon. In fact I am posting the member's list in another format to the Microsoft Download Center, where it won't experience the pitfalls of narrow displays and truncated data imposed by the wiki; it will be available in all its
.XLS spreadsheet glory. With apologies to wiki ninjas everywhere who worked hard to make this work for me, it won't - I will post an announcement here when that post to an alternate site is complete. The remainder of the information will remain here on the
wiki, with more to come soon.
Updated March 24, 2011 The final column of this table now appears thanks to wiki ninja Eric Battalio. Its still a bit cut off on the right side, but the data appears okay. TIP: Use the scroll bar that appears along the *bottom* of the table to view the
columns that don't appear within normal margins on the right.
Example of scroll bar that appears at the bottom of the table
Return to Root CA Members Page
Back by popular demand – here is the comprehensive list of all CAs whose root certificates are distributed via the Windows Root Certificate Program. Thank you for your patience while I compiled the information and prepared it for wiki publication. Based
upon your emails, this is a frequently requested resource for many Windows users, and going forward I will try to make this information as accessible as possible to you. That may include making the list available in the .PDF format from the major Knowledge
Base article reference for this Program,
KB931125 Windows Root Certificate Program Members.
You’ll notice that the list of members is long, and long posts can be frowned upon in the wiki world; also the list may be easier to use in a Microsoft Word, Microsoft Excel, or Adobe PDF format, which are not supported on this wiki. Let’s not let perfection
be the enemy of the good – I want this information out where you can use it. So I'm posting this now, and will work to improve it in the very near future: and if I can't make it accessible enough via the wiki, I will revert to publishing this via other means,
and post a link to it here.
Some tips and plans for future list enhancements:
Tom Albertson, Program Manager
Windows Root Certificate Program
WINDOWS ROOT CERTIFICATE PROGRAM – CURRENT THROUGH MARCH, 2011
Do you see an error in any of the information above? Contact me
here, and I will investigate and correct it. I cannot guarantee total accuracy of this data, but I will commit to correcting errors when they are pointed out to me.
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
EXPLANATION OF TERMS
CA Name indicates the CA who currently operates the CA Root Name with the unique Thumbprint and CA Root expiration date indicated. Over time CA root certificates have changed hands, and this resource attempts to identify the current CA owner.
Each Current CA owner should contain a hyperlink to the CA's website, where you can obtain additional information about their root certificates and their certificate policies.
Country is the main country from which the CA operates.
CA Root Name is the common name applied to the root certificate, which may or may not also indicate the name of the CA.
CA Root Size is the modulus of the RSA algorithm - typically 1024-bit, 2048-bit, or 4096-bit RSA. In the future you may see reference to other algorithms such as ECC or ECDSA.
Signature Hash indicates the hash algorithm chosen by the CA for this root certificate - MD2, MD5, SHA1, or SHA2 (SHA256 etc). The hash algorithm used to issue end-use certificates may not be the same as the hash algorithm used for the root
certificate: as of January 15, 2009 for example, to Microsoft's knowledge no CA issues MD5 end-use certificates from any MD5 root certificate distributed by the Windows Root Certificate Program. However, root certificates using the MD5 algorithm may still
be distributed by the Program, to allow for certificate chain building for previously signed code and certain SSL-protected websites.
CA Root Expires is the expiration date of the root certificate, after which the CA cannot issue any more end-use certificates from it. Root certificates are typically kept in distribution after expiration by the Program until the last of
these end-use certificates expires.
Thumbprint is the hash value which uniquely identifies the root certificate in question. It can be confirmed in the actual root certificate by examining the certificate properties (Details), under the Thumbprint field.
NEW Each thumbprint contains a hyperlink to the Windows Update website, where you can access the actual root certificate, download and examine its certificate properties.