Short URL

Bookmark this page as: http://aka.ms/rootupdates

 

Back to top


Program Participants

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants (Bookmark as http://aka.ms/trustcertpartners.)

Back to top 


November 2018 – Deployment Notice (27/November)

On Tuesday, November 27th, 2018, Microsoft released a planned update to the Microsoft Trusted Root Certificate Program. There were no additional changes from the deployment notice from November 20, 2018. 

The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


November 2018 – Deployment Notice (20/November)

9 changes

On Tuesday, November 27th, 2018, Microsoft is planning an update to the Microsoft Trusted Root Certificate Program.  

This release will add the following roots (Root Certificate \ SHA-1 Thumbprint):  

  1. ZETES TSP ROOT CA 001 \ 3753D295FC6d8BC39B375650BFFC821AED504E1A 
  2. PostSignum Root QCA 4 \ AA40D2579BA82424CD27719B1D6B1F3571738099 
  3. Microsoft RSA Root Certificate Authority 2017 \ EE68C3E94AB5D55EB9395116424E25B0CADD9009 
  4. Microsoft ECC Root Certificate Authority 2017 \ 7CA9013D43721551E987380B3EAE4B442DC037EA 
  5. Microsoft EV ECC Root Certificate Authority 2017 \ B8095F5A89FB47A7017ED794DD4F611E27830E27 
  6. Microsoft EV RSA Root Certificate Authority 2017 \ 3AD38A39CE4E88DCDF46995E969FC339D0799858 
This release will add the EV OID for the following root: 
  1. I.CA Root CA/RSA \ 9B0959898154081BF6A90E9B9E58A4690C9BA104  
  2. Entrust Root Certification Authority - G4 \ 14884E862637B026AF59625C4077EC3529BA9601

This release will NotBefore the code signing EKU for the following roots: 

  1. EC-ACC \ 28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8 

If you are an end-certificate user who has active certificates chaining up to a deprecating root, please reach out to your CA. 

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


October 2018 – Deployment Notice (30/October)

13 changes

On Tuesday, October 30th, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will add the following root (Root Certificate \ SHA-1 Thumbprint):

  1. Microsoft ECC TS Root Certificate Authority 2018 \ 31F9FC8BA3805986B721EA7295C65B3A44534274

This release will NotBefore for the following roots:

  1. S‐TRUST Universal Root CA \ 1B3D1114EA7A0F9558544195BF6B2582AB40CE9A
  2. TC TrustCenter Class 3 CA II \ 8025EFF46E70C8D472246584FE403B8A8D6ADBF5
  3. USERTrust CA \ 0483ED3399AC3608058722EDBC5E4600E3BEF9D7

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


October 2018 – Deployment Notice (2/October)

13 changes

On Tuesday, October 2nd, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will add the following roots (Root Certificate \ SHA-1 Thumbprint):  

  1. Fina Root CA \ 6202BF169AF27FA67ED0CEC66B782B83226126E9
  2. Hongkong Post Root CA 2 \ DE010808E41EC41930D44095F8FE596B582C8CA2
  3. Hongkong Post Root CA 3 \ 58A2D0EC2052815BC1F3F86402244EC28E024B02

This release will modify the EV OID for the following root:

  1. Verisign \ 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

This release will NotBefore the code signing EKU for the following roots:

  1. Chambers of Commerce Root \ 6E3A55A4190C195C93843CC0DB722E313061F0B1
  2. Global Chambersign Root \ 339B6B1450249B557A01877284D9E02FC3D2D8E9
  3. Global Chambersign Root \ 4ABDEEEC950D359C89AEC752A12C5B29F6D6AA0C
  4. Network Solutions Certificate Authority \ 71899A67BF33AF31BEFDC071F8F733B183856332
  5. Network Solutions ECC Certificate Authority \ 80F95B741C38399495C34F20C23E7336314D3C6B
  6. Network Solutions RSA Certificate Authority \ 8E928C0FC27BB7ABA34E6BC0CA1250CB57B60F84

This release will NotBefore the server authentication EKU for the following roots:

  1. GeoTrust Universal CA \ E621F3354379059A4B68309D8A2F74221587EC79
  2. Symantec Class 3 Public Primary Certification Authority - G6 \ 26A16C235A2472229B23628025BC8097C88524A1
  3. Thawte Primary Root CA - G2 \ AADBBC22238FC401A127BB38DDF41DDB089EF012

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


August 2018 – Deployment Notice (28/August)

12 changes

On Tuesday, August 28th, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. 

This release will add the following roots (Root Certificate \ SHA-1 Thumbprint):

  1. Entrust Root Certification Authority - G4 \ 14884E862637B026AF59625C4077EC3529BA9601
  2. emSign Root CA - G1 \ 8AC7AD8F73AC4EC1B5754DA540F4FCCF7CB58E8C
  3. emSign Root CA - G2 \ 1E6577B9CF70D017CAE1BDA1351D4725A973C06D
  4. emSign ECC Root CA - G3 \ 3043FA4FF257DCA0C380EE2E58EA78B23FE6BBC1
  5. emSign Root CA - C1 \ E72EF1DFFCB20928CF5DD4D56737B151CB864F01
  6. emSign Root CA - C2 \ BCA2188074C3147E16F4C48C5910A89EF752F479
  7. emSign ECC Root CA - C3 \ B6AF43C29B81537DF6EF6BC31F1F60150CEE4866 

This release will NotBefore the server authentication EKU for the following roots:

  1. OpenTrust Root CA G1 \ 7991E834F7E2EEDD08950152E9552D14E958D57E
  2. OpenTrust Root CA G2 \ 795F8860C5AB7C3D92E6CBF48DE145CD11EF600B
  3. OpenTrust Root CA G3 \ 6E2664F356BF3455BFD1933F7C01DED813DA8AA6
  4. Certplus Root CA G1 \ 22FDD0B7FDA24E0DAC492CA0ACA67B6A1FE3F766
  5. Certplus Root CA G2 \ 4F658E1FE906D82802E9544741C954255D69CC1A

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


July 2018 – Deployment Notice (31/July)

8 changes

On Tuesday, July 31st, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will add the following root (Root Certificate \ SHA-1 Thumbprint):

  1. ISRG Root X1 \ CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8

This release will NotBefore the following roots:

  1. Correo Uruguayo - Root CA \ F9:DD:19:26:6B:20:43:F1:FE:4B:3D:CB:01:90:AF:F1:1F:31:A6:9D
  2. Comsign CA \ E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
  3. Comsign Secured CA \ F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
  4. CertPlus Class 3P Primary CA \ 21:6B:2A:29:E6:2A:00:CE:82:01:46:D8:24:41:41:B9:25:11:B2:79
  5. CertPlus Class 3 Primary CA \ D2:ED:F8:8B:41:B6:FE:01:46:1D:6E:28:34:EC:7C:8F:6C:77:72:1E
  6. CertPlus Class 3TS Primary CA \ F4:40:95:C2:38:AC:73:FC:4F:77:BF:8F:98:DF:70:F8:F0:91:BC:52
  7. Autorité Racine \ 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


June 2018 – Deployment Notice (26/June)

5 changes

On Tuesday, June 26th, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will add the following root (Root Certificate \ SHA-1 Thumbprint):

  1. Microsoft ECC Product Root Certificate Authority 2018 \ 06:F1:AA:33:0B:92:7B:75:3A:40:E6:8C:DF:22:E3:4B:CB:EF:33:52

This release will add EV capabilities to the following roots:

  1. Baltimore CyberTrust Root \ D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
  2. NetLock Arany (Class Gold) Főtanúsítvány \ 06:08:3F:59:3F:15:A1:04:A0:69:A4:6B:A9:03:D0:06:B7:97:09:91

This release will NotBefore the following roots:

  1. Starfield Technologies, Inc. \ 5D:00:38:60:F0:02:ED:82:9D:EA:A4:18:68:F7:88:18:6D:62:12:7F
  2. Autoridad de Certificacion de la Abogacia \ 7F:8A:77:83:6B:DC:6D:06:8F:8B:07:37:FC:C5:72:54:13:06:8C:A4

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab Title: Jump

Back to top 


May 2018 – Deployment Notice (29/May)

1 change 

On Tuesday, May 29th, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. 

This release will add the following root (Root Certificate \ SHA-1 Thumbprint):

  1. Globaltrust 2015 \ 46:5B:26:BE:BE:71:06:DD:85:44:C1:13:9D:9F:A2:57:00:C1:D7:BD 

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab Title: Jump

Back to top 


April 2018 – Deployment Notice (27/Apr)

1 change 

On April 27, 2018, Microsoft’s Trusted Root Certificate Program released an unscheduled update to the Trusted Root Store to restore EKUs on the Digicert Cybertrust Global Root (5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6). This update does not contain any other changes.

Please note: As part of this release, Microsoft also updated the Untrusted CTL time stamp and sequence number. No changes were made to the contents of the Untrusted CTL but this will cause your system to download/refresh the Untrusted CTL. This is a normal update that is sometimes done when the Trusted Root CTL is updated.

 


April 2018 – Deployment Notice (25/Apr)

20 changes

On Wednesday, April 25th, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will “NotBefore” the following 2 roots (Root Certificate \ SHA-1 Thumbprint):

  1. UCA Global Root \ 0B:97:2C:9E:A6:E7:CC:58:D9:3B:20:BF:71:EC:41:2E:72:09:FA:BF
  2. UCA Root \ 82:50:BE:D5:A2:14:43:3A:66:37:7C:BC:10:EF:83:F6:69:DA:3A:67

This release will disable the following 15 roots: 

  1. CA DATEV STD 01 \ 15:03:32:A5:8D:C5:91:FC:42:D4:C8:73:FF:9F:1F:0F:81:D5:97:C9
  2. CA DATEV INT 01 \ 52:41:2B:D6:7B:5A:6C:69:52:82:38:60:26:F0:B0:53:DD:40:0E:FC
  3. CA DATEV BT 01 \ DA:8B:65:67:EF:3F:6E:1E:A2:6A:B1:46:E3:6C:CB:57:28:04:18:46
  4. Cybertrust Global Root \ 5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6
  5. CA Disig \ 2A:C8:D5:8B:57:CE:BF:2F:49:AF:F2:FC:76:8F:51:14:62:90:7A:41
  6. EBG Elektronik Sertifika Hizmet Saglayicisi \ 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
  7. Staat der Nederlanden Root CA \ 10:1D:FA:3F:D5:0B:CB:BB:9B:B5:60:0C:19:55:A4:1A:F4:73:3A:04
  8. TÜBITAK Kamu SM \ 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96
  9. I.CA První certifikacní autorita a.s. 1 \ 64:90:2A:D7:27:7A:F3:E3:2C:D8:CC:1D:C7:9D:E1:FD:7F:80:69:EA
  10. I.CA První certifikacní autorita a.s. \ AB:16:DD:14:4E:CD:C0:FC:4B:AA:B6:2E:CF:04:08:89:6F:DE:52:B7
  11. IZENPE S.A. \ 4A:3F:8D:6B:DC:0E:1E:CF:CD:72:E3:77:DE:F2:D7:FF:92:C1:9B:C7
  12. Japan Local Government PKI Application CA \ 96:83:38:F1:13:E3:6A:7B:AB:DD:08:F7:77:63:91:A6:87:36:58:2E
  13. Microsec e-Szigno Root CA \ 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
  14. VeriSign Time Stamping CA \ 18:F7:C1:FC:C3:09:02:03:FD:5B:AA:2F:86:1A:75:49:76:C8:DD:25
  15. VeriSign4 \ 24:A4:0A:1F:57:36:43:A6:7F:0A:4B:07:49:F6:A2:2B:F2:8A:BB:6B

This release will remove the following 3 roots:

  1. Buypass Class 2 CA 1 \ A0:A1:AB:90:C9:FC:84:7B:3B:12:61:E8:97:7D:5F:D3:22:61:D3:CC
  2. DST ACES CA X6 \ 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
  3. TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı 2007 \ F1:7F:6F:B6:31:DC:99:E3:A3:C8:7F:FE:1C:F1:81:10:88:D9:60:33

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab Title: Jump

Back to top 


April 2018 – Deployment Notice (12/Apr)

0 changes

On Thursday, April 12, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate program that will replace the certificate used to sign the DisallowCert.stl file.

Back to top 


March 2018 - Deployment Notice (29/Mar)

5 changes

On Thursday, March 29, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

 

This release will “NotBefore” the following 4 roots (Root Certificate \ SHA-1 Thumbprint):

 

  1. CA Disig Root R1 \ 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
  2. NetLock Kozjegyzoi (Class A) Tanusitvanykiado \ AC:ED:5F:65:53:FD:25:CE:01:5F:1F:7A:48:3B:6A:74:9F:61:78:C6
  3. Application CA G3 Root \ 6F:38:84:56:8E:99:C8:C6:AC:0E:5D:DE:2D:B2:02:DD:00:2E:36:63
  4. SSL.com EV Root Certification Authority RSA \ 1C:B7:ED:E1:76:BC:DF:EF:0C:86:6F:46:FB:F9:80:E9:01:E5:CE:35

This release will disable the following root: 

  1. Security Communication EV RootCA1 \ FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab Title: Jump

Back to top 


January 2018 - Deployment Notice (30/Jan)

11 changes

On Tuesday, January 30, 2018, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will add 1 new root (Root Certificate \ SHA-1 Thumbprint):

  1. certSIGN Root CA G2 \ 26:F9:93:B4:ED:3D:28:27:B0:B9:4B:A7:E9:15:1D:A3:8D:92:E5:32

This release will modify the friendly name of 4 roots:

  1. AffirmTrust Commercial \ F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7
  2. AffirmTrust Networking \ 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
  3. AffirmTrust Premium \ D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27
  4. AffirmTrust Premium ECC \ B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB

This release will “NotBefore” the following root:

  1. Security Communication EV RootCA1 \ FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D

This release will disable the following root:

  1. Microsoft Root Authority \ A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19

This release will remove the following 4 roots:

  1. WellsSecure Public Root Certificate Authority \ E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
  2. WellsSecure Public Root Certification Authority 01 G2 \ B4:2C:86:C9:57:FD:39:20:0C:45:BB:E3:76:C0:8C:D0:F4:D5:86:DB
  3. Swedish Government Root Authority v1 \ 11:E1:9B:BC:74:7B:1A:ED:0D:B8:33:C9:4C:AC:6C:3F:85:BD:EB:DB
  4. RSA Security 2048 V3 \ 25:01:90:19:CF:FB:D9:99:1C:B7:68:25:74:8D:94:5F:30:93:95:42

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” or “Disable” properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab Title: Jump

Back to top


November 2017 - Deployment Notice (28/Nov)

8 changes

On Tuesday, November 28, 2017, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will add 3 new roots (Root Certificate \ SHA-1 Thumbprint):

  1. OISTE WISeKey Global Root GC CA \ E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31
  2. ATHEX Root CA G2 \ 89:2A:1B:D4:C8:B0:F8:AA:9A:65:ED:4C:B9:D3:BF:48:40:B3:4B:C1
  3. Microsoft Time Stamp Root Certificate Authority 2014 \ 01:19:E8:1B:E9:A1:4C:D8:E2:2F:40:AC:11:8C:68:7E:CB:A3:F4:D8

This release will modify the friendly name of 2 roots:

  1. GlobalSign Root CA \ B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
  2. GlobalSign Root CA -R3 \ D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD

This release will “NotBefore” the following 3 roots:

  1. Izenpe S.A. \4A:3F:8D:6B:DC:0E:1E:CF:CD:72:E3:77:DE:F2:D7:FF:92:C1:9B:C7
  2. Autoridad de Certificacion Raiz de la Republica Bolivariana de Venezuela \ 39:8E:BE:9C:0F:46:C0:79:C3:C7:AF:E0:7A:2F:DD:9F:AE:5F:8A:5C
  3. Autoridad de Certificacion Raiz de la Republica Bolivariana de Venezuela 1 \ DD:83:C5:19:D4:34:81:FA:D4:C2:2C:03:D7:02:FE:9F:3B:22:F5:17

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” property which leaves certificates issued prior to the NotBefore date as valid. This feature is not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


September 2017 - Deployment Notice (26/Sep)

43 changes

On Tuesday, September 26, 2017, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will add 10 new roots (Root Certificate \ SHA-1 Thumbprint):

  1. Netrust Root CA 2 \ 0A:B5:C3:CD:74:48:B8:6D:71:1E:77:A5:49:83:8B:87:CE:52:5F:7F  
  2. AC RAIZ FNMT-RCM \ EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20  
  3. SSC GDL CA Root A \ 0C:20:09:A4:A8:8D:8B:42:02:18:52:50:54:0C:C4:2B:DF:B5:B0:89  
  4. SSC GDL CA VS Root \ D2:69:5E:12:F5:92:E9:C8:EE:2A:4C:B8:D5:5E:29:5F:EE:6B:2D:31  
  5. SSL.com EV Root Certification Authority RSA R2 \ 74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A
  6. GTS Root R1 \ E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8
  7. GTS Root R2 \ D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D
  8. GTS Root R3 \ 30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5  
  9. GTS Root R4 \ 2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB  
  10. Halcom Root CA \ 23:D7:31:FE:DC:5C:8B:B9:7D:E6:DC:8E:13:B4:11:BD:4F:24:00:4F

This release will modify 8 roots that will add or modify the following EKUs/OIDs:

  1. Comsign CA \ E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
  2. Comsign Secured CA \ F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
  3. SZAFIR ROOT CA \ D3:EE:FB:CB:BC:F4:98:67:83:86:26:E2:3B:B5:9C:A0:1E:30:5D:B7
  4. ePKI Root Certification Authority - G2 \ D9:9B:10:42:98:59:47:63:F0:B9:A9:27:B7:92:69:CB:47:DD:15:8B
  5. ePKI Root Certification Authority \ 67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0
  6. Baltimore CyberTrust Root \ D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
  7. Swisscom Root CA 2 \ 77:47:4F:C6:30:E4:0F:4C:47:64:3F:84:BA:B8:C6:95:4A:8A:41:EC
  8. GlobalSign Root CA - R6 \ 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1

This release will remove the following root:

  1. Sonera Class1 CA \ 07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF  

This release will “NotBefore” the following 18 roots:

  1. ComSign Advanced Security CA \ 80:BF:3D:E9:A4:1D:76:8D:19:4B:29:3C:85:63:2C:DB:C8:EA:8C:F7  
  2. I.CA – Qualified Certification Authority \ D2:44:1A:A8:C2:03:AE:CA:A9:6E:50:1F:12:4D:52:B6:8F:E4:C3:75  
  3. I.CA První certifikacní autorita a.s 1 \ 64:90:2A:D7:27:7A:F3:E3:2C:D8:CC:1D:C7:9D:E1:FD:7F:80:69:EA
  4. I.CA – Standard Certification Authority \ 90:DE:CE:77:F8:C8:25:34:0E:62:EB:D6:35:E1:BE:20:CF:73:27:DD  
  5. I.CA První certifikacní autorita a.s. \ AB:16:DD:14:4E:CD:C0:FC:4B:AA:B6:2E:CF:04:08:89:6F:DE:52:B7
  6. S-TRUST Authentication and Encryption Root CA 2005:PN \ BE:B5:A9:95:74:6B:9E:DF:73:8B:56:E6:DF:43:7A:77:BE:10:6B:81
  7. E-ME SSI (RCA) \ C9:32:1D:E6:B5:A8:26:66:CF:69:71:A1:8A:56:F2:D3:A8:67:56:02  
  8. VAS Latvijas Pasts SSI(RCA) \ 08:64:18:E9:06:CE:E8:9C:23:53:B6:E2:7F:BD:9E:74:39:F7:63:16
  9. Fabrica Nacional de Moneda y Timbre \ 43:F9:B1:10:D5:BA:FD:48:22:52:31:B0:D0:08:2B:37:2F:EF:9A:54  
  10. AC RAIZ FNMT-RCM \ B8:65:13:0B:ED:CA:38:D2:7F:69:92:94:20:77:0B:ED:86:EF:BC:10  
  11. Skaitmeninio sertifikavimo centras 1 \ 23:E8:33:23:3E:7D:0C:C9:2B:7C:42:79:AC:19:C2:F4:74:D6:04:CA  
  12. Skaitmeninio sertifikavimo centras 2 \ 3E:84:D3:BC:C5:44:C0:F6:FA:19:43:5C:85:1F:3F:2F:CB:A8:E8:14
  13. Skaitmeninio sertifikavimo centras 3 \ 5A:5A:4D:AF:78:61:26:7C:4B:1F:1E:67:58:6B:AE:6E:D4:FE:B9:3F
  14. Swisscom Root CA 1 \ 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51  
  15. Swisscom Root EV CA 2 \ E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B
  16. Halcom CA FO \ 7F:BB:6A:CD:7E:0A:B4:38:DA:AF:6F:D5:02:10:D0:07:C6:C0:82:9C  
  17. Halcom CA PO 2 \ 7F:BB:6A:CD:7E:0A:B4:38:DA:AF:6F:D5:02:10:D0:07:C6:C0:82:9C  
  18. GeoTrust Global CA 2 \ A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D  

This release will “NotBefore” the following 6 roots per Windows Security Blog:

  1. Wosign China \ 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6  
  2. WoSign G2 \ FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1  
  3. WoSign \ B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB  
  4. WoSign ECC \ D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B  
  5. StartCom Certification Authority \ 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F  
  6. StartCom Certification Authority G2 \ 31:F1:FD:68:22:63:20:EE:C6:3B:3F:9D:EA:4A:3E:53:7C:7C:39:17

Windows 10 allows us to stop trusting roots or EKU’s using the “NotBefore” property which leaves certificates issued prior to the NotBefore date as valid. This feature is not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.  The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


June 2017 - Deployment Notice (27/June)

14 changes

On Tuesday, June 27, 2017, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. This release will add 2 new roots:

  1. Application CA G4 Root
  2. PosDigicert Class 2 Root CA G2

This release will Modify 9 roots that will add or remove EKUs/OIDs at our partners’ request:

  1. Signet Root CA
  2. Certum Trusted Network CA
  3. Certum Trusted Network CA 2
  4. QuoVadis Root CA 3
  5. QuoVadis Root Certificate Authority
  6. GlobalSign Root CA - R2
  7. GlobalSign ECC Root CA - R4
  8. SI-TRUST Root
  9. Federal Government Common Policy 

This release will “NotBefore” the following 2 roots at our partners’ request:

  1. Government of Sweden (Försäkringskassan)
  2. TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6

This release will Disable the following root at our partners’ request:

  1. Common Policy

Windows 10 allows us to stop trusting these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change.

Microsoft will release these changes such that Windows 10 devices running the upcoming update will stop accepting the removed EKUs, but, in the event the root is cross signed by another valid root, the OS will validate the certificate using the valid roots. As with the removals, older operating systems will not be affected by the removal of these EKUs. The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

Back to top


April 2017 - Deployment Notice (25/apr)

16 changes

On Tuesday, April 25, 2017, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. This release will add 2 new roots:

  1. SI-TRUST Root
  2. Swiss Government Root III

This release will Modify 8 roots that will add or remove EKUs/OIDs at our partners’ request:

  1. TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6Government of Sweden (Försäkringskassan)
  2. TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı 2007
  3. IdenTrust Commercial Root CA 1
  4. IdenTrust Public Sector Root CA 1
  5. DST Root CA X3
  6. TeliaSonera Root CA v1
  7. LuxTrust Global Root 2
  8. LuxTrust Global Root CA

This release will Disable / “NotBefore” the following 4 roots:

  1. Microsec e-Szigno Root CA
  2. Microsoft Root Certificate Authority
  3. Sigen-CA
  4. Sigov-CA

This release will Disable the following 2 roots at our partners’ request:

  1. WellsSecure Public Root Certificate Authority
  2. Japanese Government ApplicationCA

Windows 10 allows us to stop trusting these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change.

Microsoft will release these changes such that Windows 10 devices running the upcoming update will stop accepting the removed EKUs, but, in the event the root is cross signed by another valid root, the OS will validate the certificate using the valid roots. As with the removals, older operating systems will not be affected by the removal of these EKUs. The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

 

Back to top


March 2017 - Deployment Notice (07/March)

36 changes

On Tuesday, March 7, 2017, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. This release will add 7 new roots:

  1. Security Communication ECC RootCA1 a
  2. Security Communication RootCA3
  3. Chambers of Commerce Root – 2016
  4. Global Chambersign Root – 2016
  5. Network Solutions RSA Certificate Authority
  6. Network Solutions ECC Certificate Authority
  7. Government of Australia (Australian Defence Public Root CA)

This release will Modify 15 roots that will add or remove EKUs/OIDs at our partners’ request:

  1. Swedish Government Root Authority v3
  2. Government of Sweden (Försäkringskassan)
  3. OpenTrust Root CA G1
  4. OpenTrust Root CA G2
  5. OpenTrust Root CA G3
  6. CertPlus Root CA G1
  7. CertPlus Root CA G2
  8. Symantec Class 1 Public Primary Certification Authority - G6
  9. Symantec Class 2 Public Primary Certification Authority - G6
  10. Federal Government Common Policy
  11. Certigna
  12. WellsSecure Public Root Certificate Authority
  13. EC-ACC
  14. ePKI Root Certification Authority - G2
  15. UCA Extended Validation Root

This release will Disable (NotBefore) the following 14 roots at our partners’ request:

  1. CertEurope
  2. Buypass Class 2 CA 1
  3. Root CA Generalitat Valenciana
  4. Certipost E-Trust Primary TOP Root CA
  5. Certipost E-Trust Primary Qualified CA
  6. Certipost E-Trust Primary Normalised CA
  7. Japan Local Government PKI Application CA
  8. Staat der Nederlanden Root CA
  9. VeriSign4
  10. VeriSign Time Stamping CA
  11. GTE CyberTrust Global Root
  12. SecureSign RootCA1
  13. SecureSign RootCA2
  14. SecureSign RootCA3 Windows 10 allows us to stop trusting these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change.

Windows 10 allows us to stop trusting these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change.

Microsoft will release these changes such that Windows 10 devices running the upcoming update will stop accepting the removed EKUs, but, in the event the root is cross signed by another valid root, the OS will validate the certificate using the valid roots. As with the removals, older operating systems will not be affected by the removal of these EKUs. The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

 

Back to top


November 2016 - Deployment Notice (16/Nov.)

19 changes

On Wednesday, November 16, 2016, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. This release will add 2 new roots for SHECA (UCA Extended Validation Root) and (UCA Global G2).

This release will disallow the following 5 roots at our partners’ request:

  1. AS Sertifitseerimiskeskus;
  2. Actalis Authentication CA G1;
  3. Secretaria de Economia Mexico;
  4. WoSign 1999 and
  5. Signet Root CA.

Windows 10 allows us to stop trusting these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change. This release will modify 3 roots that will add or remove EKUs at our partners’ request. The roots to be modified are ANCERT Certificados CGN V2, ANCERT Certificados Notariales V2, Cisco Root CA 2048.

Finally, 9 roots will be removed that were disabled during September release and do not have code sign or time stamp EKUs. The roots that will be removed are

  1. JCAN Root CA1,
  2. E-GUVEN Kok Elektronik Sertifika Hizmet Saglayicisi S2,
  3. E-GUVEN Kok Elektronik Sertifika Hizmet Saglayicisi S3,
  4. Buypass Class 3 CA 1,
  5. Trustis EVS Root CA,
  6. Autoridad Certificadora Raiz de la Secretaria de Economia,
  7. D-TRUST GmbH,
  8. D-TRUST GmbH 1 and
  9. UTN-USERFirst-Network Applications.

Microsoft will release these changes such that Windows 10 devices running the upcoming update will stop accepting the removed EKUs, but, in the event the root is cross signed by another valid root, the OS will validate the certificate using the valid roots. As with the removals, older operating systems will not be affected by the removal of these EKUs. The update package will be available for download and testing at http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

 

Back to top


September 2016 - Deployment Notice (29/Sep)

On September 29, 2016, Microsoft released its planned quarterly-update to the Microsoft Trusted Root Program that included adding 14 new roots, and modifying capabilities for 29 other roots. The most-current list of roots can be found at http://aka.ms/trustcertpartners.

 

Back to top


April 2016 - Deployment Notice (26/Apr)

On Tuesday, April 26, 2016, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program. This release will add new roots for Digicert (Hotspot 2.0 Trust Root CA – 03); Certigna (Certigna Root CA); Trustcor (TrustCor RootCert CA-2, TrustCor ECA-1).

This release will remove the following roots at our partners’ request: CA Disig a.s.; CCA India 2011; TrustCor RootCert CA-1; TrustCor RootCert CA-2 (the root above replaces this one). Unlike past releases, however, Microsoft is implementing new functionality in Windows 10 that allows us to remove these roots while leaving existing Authenticode certificates as valid. Prior operating systems will be unaffected by this change.

Finally, this release will modify several roots to remove EKUs at our partners’ request. The roots to be modified are VeriSign Class 3 Public Primary CA, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5, TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı. Microsoft will release these changes such that Windows 10 devices running the upcoming summer update will stop accepting the removed EKUs, but, in the event that the root is cross signed by another valid root, the OS will validate the certificate using the valid roots. As with the removals, older operating systems will not be affected by the removal of these EKUs. The update package is available for download and testing at

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test/authrootstl.cab

 

Back to top


January 2016 - Deployment Notice (28/jan)

On January 28, 2016, Microsoft’s Trusted Root Certificate Program released an unscheduled update to the Trusted Root Store to restore additional EKUs on the VeriSign Class 3 Public Primary CA root. This update does not contain any other changes.

For the most-current list of Program participants and enrolled roots, please see http://aka.ms/trustcertpartners.

 

Back to top


January 2016 - Deployment Notice (25/jan)

On January 25, 2016, Microsoft’s Trusted Root Certificate Program released an unscheduled update to the Trusted Root Store to restore EKUs on the VeriSign Class 3 Public Primary CA root and to add the Symantec Enterprise Mobile Root for Microsoft. This update does not contain any other changes.

Please note: As part of this release, Microsoft also updated the Untrusted CTL time stamp and sequence number. No changes were made to the contents of the Untrusted CTL but this will cause your system to download/refresh the Untrusted CTL. This is a normal update that is sometimes done when the Trusted Root CTL is updated.

For the most-current list of Program participants and enrolled roots, please see http://aka.ms/trustcertpartners.

 

Back to top


January 2016 - Deployment Notice (20/jan)

On January 20, 2016, Microsoft's Trusted Root Certificate Program released a scheduled update to the Trusted Root Store. This update includes adding new partner roots, updating existing roots, and removing certain roots.

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants.

 

Back to top


January 2016 - Deployment Notice - Participants Subject to Removal (19/jan)

The next update of the Microsoft Trusted Root Program is scheduled for January 19, 2016. The focus of this release is to remove roots are out of compliance with the Program rules. The roots below are currently subject to removal. Customers that rely on certificates issued by the companies below are encouraged to contact the company to determine how the removal will impact their business.

CA Subject to Removal Reason for Removal Root Subject to Removal
DanID Audit DanID
e-Tugra Audit EBG Elektronik Sertifika Hizmet Saglayicisi
e-Tugra Audit E-Tugra Certification Authority
Wells Fargo Audit WellsSecure Public Certificate Authority
Wells Fargo Audit WellsSecure Public Root Certification Authority 01 G2
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA1
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA2
CyberTrust Contract Compliance Japan Certification Services, Inc. SecureSign RootCA3
E-Certchile Contract Compliance E-Certchile Root CA
Nova Ljubljanska Contract Compliance NLB Nova Ljubljanska Banka d.d. Ljubljana
Post.Trust Contract Compliance Post.Trust Root CA
Serasa Contract Compliance Serasa Certificate Authority I
Serasa Contract Compliance Serasa Certificate Authority II
Serasa Contract Compliance Serasa Certificate Authority III

 

Back to top


November 2015 - Deployment Notice

On November 23, 2015, Microsoft's Trusted Root Certificate Program released a scheduled update to the Trusted Root Store. This update includes adding new partner roots, updating existing roots, and removing certain roots at our partners' request.

For the most-current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants

&nbps;

Back to top


September 2015 - Deployment Notice

On September 1, 2015, Microsoft s Trusted Root Certificate Program will release an unscheduled update to the Trusted Root Store to update the expiration of the A-Trust-NQual-03 root. This update does not contain any other changes.

To download the new root package for testing, please visit http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test

For the most-current list of Program participants and enrolled roots, please see http://aka.ms/trustcertpartners.

 

Back to top


August 2015 - Deployment Notice

On August 18, 2015, Microsoft’s Trusted Root Certificate Program will release a scheduled update to the Trusted Root Store. This update will include the addition of EKUs to roots owned by two current partners of Microsoft’s Trusted Root Certificate Program: Guang Dong Certificate Authority, based out of China, and Government of India, CCA.

Microsoft will be enabling Guang Dong’s root, GDCA TrustAUTH R5 ROOT, for EV (Extended Validation); Microsoft will be enabling the Government of India, CCA’s root, CCA India 2015, for Server Authentication and Code Signing. To download the new root package for testing, please visit http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test

 

Back to top