Short URL

Bookmark this page as: http://aka.ms/rootupdates

 


November 2016 - Deployment Notice (16/Nov.)

19 changes

On Wednesday, November 16, 2016, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. This release will add 2 new roots for SHECA (UCA Extended Validation Root) and (UCA Global G2).

This release will disallow the following 5 roots at our partners’ request:

  1. AS Sertifitseerimiskeskus;
  2. Actalis Authentication CA G1;
  3. Secretaria de Economia Mexico;
  4. WoSign 1999 and
  5. Signet Root CA.

Windows 10 allows us to stop trusting these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change. This release will modify 3 roots that will add or remove EKUs at our partners’ request. The roots to be modified are ANCERT Certificados CGN V2, ANCERT Certificados Notariales V2, Cisco Root CA 2048.

Finally, 9 roots will be removed that were disabled during September release and do not have code sign or time stamp EKUs. The roots that will be removed are

  1. JCAN Root CA1,
  2. E-GUVEN Kok Elektronik Sertifika Hizmet Saglayicisi S2,
  3. E-GUVEN Kok Elektronik Sertifika Hizmet Saglayicisi S3,
  4. Buypass Class 3 CA 1,
  5. Trustis EVS Root CA,
  6. Autoridad Certificadora Raiz de la Secretaria de Economia,
  7. D-TRUST GmbH,
  8. D-TRUST GmbH 1 and
  9. UTN-USERFirst-Network Applications.

Microsoft will release these changes such that Windows 10 devices running the upcoming update will stop accepting the removed EKUs, but, in the event the root is cross signed by another valid root, the OS will validate the certificate using the valid roots. As with the removals, older operating systems will not be affected by the removal of these EKUs. The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

 


September 2016 - Deployment Notice (29/Sep)

On September 29, 2016, Microsoft released its planned quarterly-update to the Microsoft Trusted Root Program that included adding 14 new roots, and modifying capabilities for 29 other roots. The most-current list of roots can be found at http://aka.ms/trustcertpartners.

 


April 2016 - Deployment Notice (26/Apr)

On Tuesday, April 26, 2016, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. This release will add new roots for Digicert (Hotspot 2.0 Trust Root CA – 03); Certigna (Certigna Root CA); Trustcor (TrustCor RootCert CA-2, TrustCor ECA-1).

This release will remove the following roots at our partners’ request: CA Disig a.s.; CCA India 2011; TrustCor RootCert CA-1; TrustCor RootCert CA-2 (the root above replaces this one). Unlike past releases, however, Microsoft is implementing new functionality in Windows 10 that allows us to remove these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change.  

Finally, this release will modify several roots to remove EKUs at our partners’ request. The roots to be modified are VeriSign Class 3 Public Primary CA, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı. Microsoft will release these changes such that Windows 10 devices running the upcoming summer update will stop accepting the removed EKUs, but, in the event that the root is cross signed by another valid root, the OS will validate the certificate using the valid roots. As with the removals, older operating systems will not be affected by the removal of these EKUs. The update package is available for download and testing at

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab  

 


January 2016 - Deployment Notice (28/jan)

On January 28, 2016, Microsoft’s Trusted Root Certificate Program released an unscheduled update to the Trusted Root Store to restore additional EKUs on the VeriSign Class 3 Public Primary CA root. This update does not contain any other changes.

For the most-current list of Program participants and enrolled roots, please see http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx

 


January 2016 - Deployment Notice (25/jan)

On January 25, 2016, Microsoft’s Trusted Root Certificate Program released an unscheduled update to the Trusted Root Store to restore EKUs on the VeriSign Class 3 Public Primary CA root and to add the Symantec Enterprise Mobile Root for Microsoft. This update does not contain any other changes.

Please note: As part of this release, Microsoft also updated the Untrusted CTL time stamp and sequence number. No changes were made to the contents of the Untrusted CTL but this will cause your system to download/refresh the Untrusted CTL. This is a normal update that is sometimes done when the Trusted Root CTL is updated.

For the most-current list of Program participants and enrolled roots, please see http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx

 


January 2016 - Deployment Notice (20/jan)

On January 20, 2016, Microsoft's Trusted Root Certificate Program released a scheduled update to the Trusted Root Store. This update includes adding new partner roots, updating existing roots, and removing certain roots.

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants.

 


January 2016  - Deployment Notice - Participants Subject to Removal (19/jan)

The next update of the Microsoft Trusted Root Program is scheduled for January 19, 2016. The focus of this release is to remove roots are out of compliance with the Program rules. The roots below are currently subject to removal. Customers that rely on certificates issued by the companies below are encouraged to contact the company to determine how the removal will impact their business.

CA Subject to Removal Reason for Removal Root Subject to Removal
DanID Audit DanID
e-Tugra Audit EBG Elektronik Sertifika Hizmet Saglayicisi
e-Tugra Audit E-Tugra Certification Authority
Wells Fargo Audit WellsSecure Public Certificate Authority
Wells Fargo Audit WellsSecure Public Root Certification Authority 01 G2
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA1
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA2
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA3
E-Certchile Contract Compliance E-Certchile Root CA
Nova Ljubljanska Contract Compliance NLB Nova Ljubljanska Banka d.d. Ljubljana
Post.Trust Contract Compliance Post.Trust Root CA
Serasa Contract Compliance Serasa Certificate Authority I
Serasa Contract Compliance Serasa Certificate Authority II
Serasa Contract Compliance Serasa Certificate Authority III

 


November 2015 - Deployment Notice

On November 23, 2015, Microsoft's Trusted Root Certificate Program released a scheduled update to the Trusted Root Store. This update includes adding new partner roots, updating existing roots, and removing certain roots at our partners' request.

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants


September 2015 - Deployment Notice

On September 1, 2015, Microsoft’s Trusted Root Certificate Program will release an unscheduled update to the Trusted Root Store to update the expiration of the A-Trust-NQual-03 root. This update does not contain any other changes.

To download the new root package for testing, please visit http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test

For the most-current list of Program participants and enrolled roots, please see http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx

 


August 2015 - Deployment Notice

On August 18, 2015, Microsoft’s Trusted Root Certificate Program will release a scheduled update to the Trusted Root Store. This update will include the addition of EKUs to roots owned by two current partners of Microsoft’s Trusted Root Certificate Program: Guang Dong Certificate Authority, based out of China, and Government of India, CCA.

Microsoft will be enabling Guang Dong’s root, GDCA TrustAUTH R5 ROOT, for EV (Extended Validation); Microsoft will be enabling the Government of India, CCA’s root, CCA India 2015, for Server Authentication and Code Signing. To download the new root package for testing, please visit http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants