How Windows Updates Root Certificates
This explains how different versions of Windows will update root certificates by increasingly sophisticated mechanisms.
February 21, 2014 - The
Windows PKI Blog has a good description of Microsoft's Certificate Reputation as implemented in IE11.
November 12, 2013 - The
Windows PKI Blog mentions the Program’s SHA1 Deprecation Policy, listed below in the Section “Algorithm Policies” under the new Program Technical Requirements.
Security Research and Defense (SRD) Blog now describes the SHA1 Deprecation Policy.
Microsoft Security Advisory 2880823
also gives a bit more detail.
Windows Root Certificate Program
This is the main page for the Windows Root Certificate Program. It explains how to qualify and apply for membership in the Program.
The information on the Main Page regarding technical requirements is superseded by the technical requirements available from the next link.
Program Technical Requirements
This page lists the current Technical Requirements for the Program.
November 11, 2013 - Technical Requirements version 2.0 published.
November 12, 2013 - The SHA1 Deprecation Policy is listed in the Technical Requirements under the Section "Algorithm Policies."
Windows Root CA Members
This page contains documentation on recent root updates, and a link to the comprehensive Program Members CA List.
November 12, 2013 - The
November 2013 Root Update is released.
NEW September 29, 2014 - The
September 2014 Root Certificates Update has been updated and the member list is available as a PDF document.
EV Code Signing Certificates
This page contains information on the availability of EV Code Signing certificates and an invitation to Program Members to sign up to issue EV code signing certs.
With the end of support for Windows XP, root certificiates updates will not be made available as an update package through Windows Software Update Services (WSUS). Microsoft provides an alternative method for enterprise customers to update root certificates
in disconnected environments. Please see
KB2813430 for details.
Nov 11, 2013 - First Published in November 2014 on the Program Technical Requirements Page
NEW September 12, 2014 - Moved to its own Audits page
A Note on amending these wiki pages
Please don’t amend these pages. I realize that the Spirit of the Wiki ™ is for everyone and everyone to modify wiki content at will. I ask that you do not do so – this wiki is a simple and direct method for me to post information about the Windows Root Certificate
Program, and most of the content constitutes static Program requirements which does not allow for public editing. Your edits may wipe out the existing content, and can render it temporarily inaccessible to other readers.
So please, do not amend the Program wiki pages, just to ask us a question or to seek clarification of something posted - email us at
firstname.lastname@example.org. We're all in this thing together.
Kelvin Yiu, Program Manager
Microsoft Root Certificate Program