How Windows Updates Root Certificates
This explains how different versions of Windows will update root certificates by increasingly sophisticated mechanisms.
February 21, 2014 - The Windows PKI Blog has a good description of Microsoft's Certificate Reputation as implemented in IE11.
November 12, 2013 - The Windows PKI Blog mentions the Program’s SHA1 Deprecation Policy, listed below in the Section “Algorithm Policies” under the new Program Technical Requirements. The Security Research and Defense (SRD) Blog now describes the SHA1 Deprecation Policy. Microsoft Security Advisory 2880823 also gives a bit more detail.
Windows Root Certificate Program
This is the main page for the Windows Root Certificate Program. It explains how to qualify and apply for membership in the Program.
The information on the Main Page regarding technical requirements is superseded by the technical requirements available from the next link.
Program Technical Requirements
This page lists the current Technical Requirements for the Program.
NEW November 11, 2013 - Technical Requirements version 2.0 published.
NEW November 12, 2013 - The SHA1 Deprecation Policy is listed in the Technical Requirements under the Section "Algorithm Policies."
Windows Root CA Members
This page contains documentation on recent root updates, and a link to the comprehensive Program Members CA List.
NEW November 12, 2013 - The November Root Update is released.
Code Signing Certificates
This page contains information on the availability of EV Code Signing certificates and an invitation to Program Members to sign up to issue EV code signing certs.
In December 2012 we provide full x86 and x64 availability of the KB931125 root update package via Windows Software Update Services (WSUS) for information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. The WSUS root update is intended for client versions only.
Nov 11, 2013 - First Published in November 2014 on the Program Technical Requirements Page
September 12, 2014 - Moved to its own Audits page
A Note on amending these wiki pages
Please don’t amend these pages. I realize that the Spirit of the Wiki ™ is for anyone and everyone to modify wiki content at will. I ask that you do not do so – this wiki is a simple and direct method for me to post information about the Windows Root Certificate Program, and most of the content constitutes static Program requirements which do not allow for public editing. Your edits may wipe out the existing content, and can render it temporarily inaccessible to other readers.
So please do not amend the Program wiki pages just to ask me a question or to seek clarification of something posted - email me at
We're all in this thing together.
Kelvin Yiu, Program Manager
Microsoft Root Certificate Program
You have to add a link to this site at technet.microsoft.com/.../cc751157.aspx
Right now, if you only watch the old "Microsoft Root Certificate Program" site, you never find the newer technical requirements posted here.