Share via

Windows App Service does not include certSIGN ROOT CA

Calway 41 Reputation points
2022-09-28T11:45:00.063+00:00

We were notified by an external vendor that they are changing their certificates and it will now be signed by certSIGN ROOT CA. I noticed that this certificate root is NOT present in the Windows App Service, but IS present in the Linux App Service.

Can anyone tell me if the Windows App Service will (very shortly) support this root CA and or why Linux support much more ROOT CA than the Windows variant?

Windows:
Subject : CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject : CN=Microsoft Internal Corporate Root
Subject : CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
Subject : CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject : CN=SAS-CP1SASCA01-CA, DC=SAS, DC=MSFT, DC=NET
Subject : CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA
Subject : CN=Microsoft Assurance Designation Root 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject : CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
Subject : CN=SAW HRE CA, OU=SAW, O=SAS
Subject : CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corporation, C=US
Subject : CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject : CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
Subject : CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject : CN=Microsoft Services Partner Root, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject : CN=ameroot, DC=AME, DC=GBL
Subject : CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject : OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network
Subject : OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network
Subject : CN=Certification Authority of WoSign G2, O=WoSign CA Limited, C=CN
Subject : CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Subject : CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject : CN=DST Root CA X3, O=Digital Signature Trust Co.
Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Subject : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Subject : CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB
Subject : CN=Certification Authority of WoSign, O=WoSign CA Limited, C=CN
Subject : CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Subject : CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Subject : OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Subject : CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject : CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Subject : CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE
Subject : CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
Subject : CN=CNNIC ROOT, O=CNNIC, C=CN
Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
Subject : CN=Staat der Nederlanden EV Root CA, O=Staat der Nederlanden, C=NL
Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Subject : OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Subject : CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject : CN=Cybertrust Global Root, O="Cybertrust, Inc"
Subject : CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
Subject : CN=China Internet Network Information Center EV Certificates Root, O=China Internet Network Information Center, C=CN
Subject : CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Subject : CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
Subject : OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Subject : CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Linux:

ACCVRAIZ1.pem
AC_RAIZ_FNMT-RCM.pem
Actalis_Authentication_Root_CA.pem
AffirmTrust_Commercial.pem
AffirmTrust_Networking.pem
AffirmTrust_Premium.pem
AffirmTrust_Premium_ECC.pem
Amazon_Root_CA_1.pem
Amazon_Root_CA_2.pem
Amazon_Root_CA_3.pem
Amazon_Root_CA_4.pem
Atos_TrustedRoot_2011.pem
Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
Baltimore_CyberTrust_Root.pem
Buypass_Class_2_Root_CA.pem
Buypass_Class_3_Root_CA.pem
CA_Disig_Root_R2.pem
CFCA_EV_ROOT.pem
COMODO_Certification_Authority.pem
COMODO_ECC_Certification_Authority.pem
COMODO_RSA_Certification_Authority.pem
Certigna.pem
Certigna_Root_CA.pem
Certum_Trusted_Network_CA.pem
Certum_Trusted_Network_CA_2.pem
Chambers_of_Commerce_Root_-_2008.pem
Comodo_AAA_Services_root.pem
Cybertrust_Global_Root.pem
D-TRUST_Root_Class_3_CA_2_2009.pem
D-TRUST_Root_Class_3_CA_2_EV_2009.pem
DST_Root_CA_X3.pem
DigiCert_Assured_ID_Root_CA.pem
DigiCert_Assured_ID_Root_G2.pem
DigiCert_Assured_ID_Root_G3.pem
DigiCert_Global_Root_CA.pem
DigiCert_Global_Root_G2.pem
DigiCert_Global_Root_G3.pem
DigiCert_High_Assurance_EV_Root_CA.pem
DigiCert_Trusted_Root_G4.pem
E-Tugra_Certification_Authority.pem
EC-ACC.pem
EE_Certification_Centre_Root_CA.pem
Entrust.net_Premium_2048_Secure_Server_CA.pem
Entrust_Root_Certification_Authority.pem
Entrust_Root_Certification_Authority_-_EC1.pem
Entrust_Root_Certification_Authority_-_G2.pem
Entrust_Root_Certification_Authority_-_G4.pem
GDCA_TrustAUTH_R5_ROOT.pem
GTS_Root_R1.pem
GTS_Root_R2.pem
GTS_Root_R3.pem
GTS_Root_R4.pem
GeoTrust_Global_CA.pem
GeoTrust_Primary_Certification_Authority.pem
GeoTrust_Primary_Certification_Authority_-_G2.pem
GeoTrust_Primary_Certification_Authority_-_G3.pem
GeoTrust_Universal_CA.pem
GeoTrust_Universal_CA_2.pem
GlobalSign_ECC_Root_CA_-_R4.pem
GlobalSign_ECC_Root_CA_-_R5.pem
GlobalSign_Root_CA.pem
GlobalSign_Root_CA_-_R2.pem
GlobalSign_Root_CA_-_R3.pem
GlobalSign_Root_CA_-_R6.pem
Global_Chambersign_Root_-_2008.pem
Go_Daddy_Class_2_CA.pem
Go_Daddy_Root_Certificate_Authority_-_G2.pem
Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
Hongkong_Post_Root_CA_1.pem
Hongkong_Post_Root_CA_3.pem
ISRG_Root_X1.pem
IdenTrust_Commercial_Root_CA_1.pem
IdenTrust_Public_Sector_Root_CA_1.pem
Izenpe.com.pem
LuxTrust_Global_Root_2.pem
Microsec_e-Szigno_Root_CA_2009.pem
'NetLock_Arany_=Class_Gold=_F'$'\305\221''tan'$'\303\272''s'$'\303\255''tv'$'\303\241''ny.pem'
Network_Solutions_Certificate_Authority.pem
OISTE_WISeKey_Global_Root_GA_CA.pem
OISTE_WISeKey_Global_Root_GB_CA.pem
OISTE_WISeKey_Global_Root_GC_CA.pem
QuoVadis_Root_CA.pem
QuoVadis_Root_CA_1_G3.pem
QuoVadis_Root_CA_2.pem
QuoVadis_Root_CA_2_G3.pem
QuoVadis_Root_CA_3.pem
QuoVadis_Root_CA_3_G3.pem
SSL.com_EV_Root_Certification_Authority_ECC.pem
SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
SSL.com_Root_Certification_Authority_ECC.pem
SSL.com_Root_Certification_Authority_RSA.pem
SZAFIR_ROOT_CA2.pem
SecureSign_RootCA11.pem
SecureTrust_CA.pem
Secure_Global_CA.pem
Security_Communication_RootCA2.pem
Security_Communication_Root_CA.pem
Sonera_Class_2_Root_CA.pem
Staat_der_Nederlanden_EV_Root_CA.pem
Staat_der_Nederlanden_Root_CA_-_G2.pem
Staat_der_Nederlanden_Root_CA_-_G3.pem
Starfield_Class_2_CA.pem
Starfield_Root_Certificate_Authority_-_G2.pem
Starfield_Services_Root_Certificate_Authority_-_G2.pem
SwissSign_Gold_CA_-_G2.pem
SwissSign_Silver_CA_-_G2.pem
T-TeleSec_GlobalRoot_Class_2.pem
T-TeleSec_GlobalRoot_Class_3.pem
TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
TWCA_Global_Root_CA.pem
TWCA_Root_Certification_Authority.pem
Taiwan_GRCA.pem
TeliaSonera_Root_CA_v1.pem
TrustCor_ECA-1.pem
TrustCor_RootCert_CA-1.pem
TrustCor_RootCert_CA-2.pem
Trustis_FPS_Root_CA.pem
UCA_Extended_Validation_Root.pem
UCA_Global_G2_Root.pem
USERTrust_ECC_Certification_Authority.pem
USERTrust_RSA_Certification_Authority.pem
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
VeriSign_Universal_Root_Certification_Authority.pem
Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
XRamp_Global_CA_Root.pem
ca-certificates.crt
certSIGN_ROOT_CA.pem
ePKI_Root_Certification_Authority.pem
emSign_ECC_Root_CA_-_C3.pem
emSign_ECC_Root_CA_-_G3.pem
emSign_Root_CA_-_C1.pem
emSign_Root_CA_-_G1.pem
thawte_Primary_Root_CA.pem
thawte_Primary_Root_CA_-_G2.pem
thawte_Primary_Root_CA_-_G3.pem

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,933 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. brtrach-MSFT 17,731 Reputation points Microsoft Employee Moderator
    2022-10-04T02:20:08.49+00:00

    Windows comes with very few Root CAs installed by default, and when an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.

    To make this initial request, you can open Kudo console and run:

    $ProgressPreference="SilentlyContinue"
    invoke-webrequest -usebasicparsing https://valid-isrgrootx1.letsencrypt.org

    This will make the initial call to the endpoint issued by this Certificate Authority which will install on the worker.

    Refresh the Kudo console (F5) and run the command below to confirm the installation: 

              get-childitem -path cert:\LocalMachine\Root  -Recurse | Where-Object { $_.Thumbprint -like "CABD2A79A1076A31F21D253635CB039D4329A5E8" }

    Make sure to run on all instances used by the app.

    The command is just a test, and it uses a letsencrypt certificate endpoint as an example. If the root CA is not present on the machine, the web app will make an outbound network connection to Windows Update and if the root CA is present in the trusted root program, then it reaches out and acquires that cert.

    Due to the outbound nature of the call, you will need to ensure any firewall will not get in the way.

    Can you please attempt this and let us know the results?

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.