Version 2.0, effective July 23, 2015.
Compare with v1.
Bookmark this page as: http://aka.ms/RootCert
↑ Back to top
The Microsoft Root Certificate Program supports the distribution of root certificates, enabling customers to trust Windows products. This page describes the Program’s general and technical requirements, including information about how a Certificate Authority
(CA) can contact Microsoft to request inclusion into the program.
All CAs in the Program must comply with the Program Technical Requirements. If Microsoft determines that a CA is not in compliance with the below requirements, Microsoft will exclude that CA from the Program.
All Uses Except for Code Signing and Time Stamping
Code Signing and Time Stamping Use
SHA1 may submit until January 1, 2016
SHA2 (SHA256, SHA384, SHA512)
4096 (New roots only)
ECC / ECDSA
NIST P-256, P-384, P-521
Windows 10 has heightened requirements to validate those kernel-mode drivers, which are appropriately signed by Microsoft and a Program partner. Partners who wish to become authorized for this program must complete the steps below.
Though not required by Microsoft, the following represents what Microsoft believes to be the best practices that each CA should follow.
In the event of a Security Incident, Microsoft may at its sole discretion, do any of the following:
In the event that Microsoft exercises any of the rights described above, Microsoft will:
In the event of a Security Incident, the CA must: