How Windows Updates Root Certificates

This explains how different versions of Windows will update root certificates by increasingly sophisticated mechanisms.


February 21, 2014 - The Windows PKI Blog has a good description of Microsoft's Certificate Reputation as implemented in IE11.

November 12, 2013 - The Windows PKI Blog mentions the Program’s SHA1 Deprecation Policy, listed below in the Section “Algorithm Policies” under the new Program Technical Requirements.

The Security Research and Defense (SRD) Blog now describes the SHA1 Deprecation Policy. Microsoft Security Advisory 2880823 also gives a bit more detail.

Main Page

Windows Root Certificate Program

This is the main page for the Windows Root Certificate Program. It explains how to qualify and apply for membership in the Program.

The information on the Main Page regarding technical requirements is superseded by the technical requirements available from the next link.

Program Technical Requirements

This page lists the current Technical Requirements for the Program.

November 11, 2013 - Technical Requirements version 2.0 published.

November 12, 2013 - The SHA1 Deprecation Policy is listed in the Technical Requirements under the Section "Algorithm Policies."

Windows Root CA Members

This page contains documentation on recent root updates, and a link to the comprehensive Program Members CA List.

November 12, 2013 - The November 2013 Root Update is released.

NEW September 29, 2014 - The September 2014 Root Certificates Update has been updated and the member list is available as a PDF document.

EV Code Signing Certificates

This page contains information on the availability of EV Code Signing certificates and an invitation to Program Members to sign up to issue EV code signing certs.

WSUS Availability

With the end of support for Windows XP, root certificate updates will not be made available as an update package through Windows Software Update Services (WSUS). Microsoft provides an alternative method for enterprise customers to update root certificates in disconnected environments. Please see KB2813430 for details.

Audit Requirements

Nov 11, 2013 - First Published in November 2014 on the Program Technical Requirements Page

NEW September 12, 2014 - Moved to its own Audits page


A Note on amending these wiki pages

Please don’t amend these pages. I realize that the Spirit of the Wiki™ is for anyone and everyone to modify wiki content at will. I ask that you do not do so – this wiki is a simple and direct method for me to post information about the Windows Root Certificate Program, and most of the content constitutes static Program requirements, which do not allow for public editing. Your edits may wipe out the existing content, and can render it temporarily inaccessible to other readers.

So please do not amend the Program wiki pages just to ask us a question or to seek clarification of something posted - email us at casubmit@microsoft.com. We're all in this thing together.


Best Regards,


Kelvin Yiu, Program Manager

Microsoft Root Certificate Program