Short URL

Bookmark this page as: http://aka.ms/rootupdates

April 2016 - Deployment Notice (26/Apr)

On Tuesday, April 26, 2016, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.   This release will add new roots for Digicert (Hotspot 2.0 Trust Root CA – 03); Certigna (Certigna Root CA); Trustcor (TrustCor RootCert CA-2, TrustCor ECA-1).  

This release will remove the following roots at our partners’ request: CA Disig a.s.; CCA India 2011; TrustCor RootCert CA-1; TrustCor RootCert CA-2 (the root above replaces this one). Unlike past releases, however, Microsoft is implementing new functionality in Windows 10 that allows us to remove these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change.  

Finally, this release will modify several roots to remove EKUs at our partners’ request. The roots to be modified are VeriSign Class 3 Public Primary CA, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı. Microsoft will release these changes such that Windows 10 devices running the upcoming summer update will stop accepting the removed EKUs, but, in the event that the root is cross signed by another valid root, the OS will validate the certificate using the valid roots. As with the removals, older operating systems will not be affected by the removal of these EKUs.   The update package is available for download and testing at

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab  


January 2016 - Deployment Notice (28/jan)

On January 28, 2016, Microsoft’s Trusted Root Certificate Program released an unscheduled update to the Trusted Root Store to restore additional EKUs on the VeriSign Class 3 Public Primary CA root. This update does not contain any other changes.

For the most-current list of Program participants and enrolled roots, please see http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx

 


January 2016 - Deployment Notice (25/jan)

On January 25, 2016, Microsoft’s Trusted Root Certificate Program released an unscheduled update to the Trusted Root Store to restore EKUs on the VeriSign Class 3 Public Primary CA root and to add the Symantec Enterprise Mobile Root for Microsoft. This update does not contain any other changes.

Please note: As part of this release, Microsoft also updated the Untrusted CTL time stamp and sequence number. No changes were made to the contents of the Untrusted CTL but this will cause your system to download/refresh the Untrusted CTL. This is a normal update that is sometimes done when the Trusted Root CTL is updated.

For the most-current list of Program participants and enrolled roots, please see http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx

 


January 2016 - Deployment Notice (20/jan)

On January 20, 2016, Microsoft's Trusted Root Certificate Program released a scheduled update to the Trusted Root Store. This update includes adding new partner roots, updating existing roots, and removing certain roots.

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants.

 


January 2016  - Deployment Notice - Participants Subject to Removal (19/jan)

The next update of the Microsoft Trusted Root Program is scheduled for January 19, 2016. The focus of this release is to remove roots are out of compliance with the Program rules. The roots below are currently subject to removal. Customers that rely on certificates issued by the companies below are encouraged to contact the company to determine how the removal will impact their business.

CA Subject to Removal Reason for Removal Root Subject to Removal
DanID Audit DanID
e-Tugra Audit EBG Elektronik Sertifika Hizmet Saglayicisi
e-Tugra Audit E-Tugra Certification Authority
Wells Fargo Audit WellsSecure Public Certificate Authority
Wells Fargo Audit WellsSecure Public Root Certification Authority 01 G2
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA1
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA2
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA3
E-Certchile Contract Compliance E-Certchile Root CA
Nova Ljubljanska Contract Compliance NLB Nova Ljubljanska Banka d.d. Ljubljana
Post.Trust Contract Compliance Post.Trust Root CA
Serasa Contract Compliance Serasa Certificate Authority I
Serasa Contract Compliance Serasa Certificate Authority II
Serasa Contract Compliance Serasa Certificate Authority III

 


November 2015 - Deployment Notice

On November 23, 2015, Microsoft's Trusted Root Certificate Program released a scheduled update to the Trusted Root Store. This update includes adding new partner roots, updating existing roots, and removing certain roots at our partners' request.

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants

 


September 2015 - Deployment Notice

On September 1, 2015, Microsoft’s Trusted Root Certificate Program will release an unscheduled update to the Trusted Root Store to update the expiration of the A-Trust-NQual-03 root. This update does not contain any other changes.

To download the new root package for testing, please visit http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test

For the most-current list of Program participants and enrolled roots, please see http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx

 


August 2015 - Deployment Notice

On August 18, 2015, Microsoft’s Trusted Root Certificate Program will release a scheduled update to the Trusted Root Store. This update will include the addition of EKUs to roots owned by two current partners of Microsoft’s Trusted Root Certificate Program: Guang Dong Certificate Authority, based out of China, and Government of India, CCA.

Microsoft will be enabling Guang Dong’s root, GDCA TrustAUTH R5 ROOT, for EV (Extended Validation); Microsoft will be enabling the Government of India, CCA’s root, CCA India 2015, for Server Authentication and Code Signing. To download the new root package for testing, please visit http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants