Identrust EV Certificate Roots Not Loaded By Microsoft

Question

Identrust EV Certificate Roots Not Loaded By Microsoft

Richard Zarr 21

This is a follow-up question from a previous post (Defender SmartScreen Blocking Valid EV Code Certificate). Identrust (The EV Certificate provider) is claiming that this is not their fault at all, but rather Microsoft's in that they have not loaded their root certificates correctly. Here's the diagnostics from our certificate (see below). You will note there are "Wrong Issuer" errors in the chain, and this has been this way for over 45 days. So, is anyone else seeing this issue and what can we do about it (other than using another EV cert provider - which we are very open to right now if anyone has a suggestion). We are dead in the water and really could use some expertise!

Issuer:  
    CN=TrustID EV Code Signing CA 3  
    O=IdenTrust  
    C=US  
  Name Hash(sha1): 0873edd6480ff39fb261e4b3df26f285e3b55c7d  
  Name Hash(md5): 750f1c6fba829034a33aa53f460018eb  
Subject:  
    CN=STRASIS SYSTEMS LLC  
    OU=Strasis Systems  
    O=STRASIS SYSTEMS LLC  
    OID.2.5.4.15=Private Organization  
    OID.1.3.6.1.4.1.311.60.2.1.2=Florida  
    OID.1.3.6.1.4.1.311.60.2.1.3=US  
    SERIALNUMBER=L11000091926  
    L=Sanford  
    S=Florida  
    C=US  
  Name Hash(sha1): e3596c17d4931b29ba292711dfa9cc00a1e2280d  
  Name Hash(md5): 3bc34772b10c179dd5ab32f3a4d44efd  
Cert Serial Number: 40017ed631aaaab42e6591a8e3f7d7e3  
  
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)  
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)  
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)  
HCCE_LOCAL_MACHINE  
CERT_CHAIN_POLICY_BASE  
-------- CERT_CHAIN_CONTEXT --------  
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
ChainContext.dwRevocationFreshnessTime: 4 Days, 21 Hours, 34 Minutes, 8 Seconds  
  
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
SimpleChain.dwRevocationFreshnessTime: 4 Days, 21 Hours, 34 Minutes, 8 Seconds  
  
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0  
  Issuer: CN=TrustID EV Code Signing CA 3, O=IdenTrust, C=US  
  NotBefore: 2/7/2022 5:58 PM  
  NotAfter: 5/20/2022 5:58 PM  
  Subject: CN=STRASIS SYSTEMS LLC, OU=Strasis Systems, O=STRASIS SYSTEMS LLC, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Florida, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=L11000091926, L=Sanford, S=Florida, C=US  
  Serial: 40017ed631aaaab42e6591a8e3f7d7e3  
  Cert: 1113f8a10f3108806bed15c44e2efba98b52f099  
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  Verified "Certificate (0)" Time: 1 b82e9fd70413f7ecd4eddb368de44e75feeebe6c  
    [0.0] http://validation.identrust.com/certs/trustidevcodesigning3.p7c  
  
  Wrong Issuer "Certificate (1)" Time: 1 df717eaa4ad94ec9558499602d48de5fbcf03a25  
    [0.1] http://validation.identrust.com/certs/trustidevcodesigning3.p7c  
  
  ----------------  Certificate CDP  ----------------  
  Verified "Base CRL (01d6)" Time: 0 86dd0431c1150a4b00d5ca4c500d52d3202208a5  
    [0.0] http://validation.identrust.com/crl/trustidevcodesigning3.crl  
  
  ----------------  Base CRL CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  Verified "OCSP" Time: 0 fdaf3e1ecaf8a043b20a716c13a493147c08e35f  
    [0.0] http://commercial.ocsp.identrust.com  
  
  --------------------------------  
    CRL (null):  
    Issuer: CN=TrustID Code Signing CA 3 OCSP Signer, O=IdenTrust, C=US  
    ThisUpdate: 4/4/2022 11:18 AM  
    NextUpdate: 4/5/2022 11:18 AM  
    CRL: 9747e94dcdb3b0e1a4c697064dc7bd5fbe121916  
  Issuance[0] = 2.23.140.1.3  
  Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing  
  
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0  
  Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US  
  NotBefore: 8/20/2021 4:20 PM  
  NotAfter: 8/20/2029 4:20 PM  
  Subject: CN=TrustID EV Code Signing CA 3, O=IdenTrust, C=US  
  Serial: 40017b6539031240c2d47f8e6ca4f5cc  
  Cert: b82e9fd70413f7ecd4eddb368de44e75feeebe6c  
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  Wrong Issuer "Certificate (0)" Time: 0 dac9024f54d8f6df94935fb1732638ca6ad77c13  
    [0.0] http://validation.identrust.com/roots/commercialrootca1.p7c  
  
  Verified "Certificate (1)" Time: 0 890ff22a017207912a75c4747623dc65a1eee8d6  
    [0.1] http://validation.identrust.com/roots/commercialrootca1.p7c  
  
  Verified "Certificate (2)" Time: 0 df717eaa4ad94ec9558499602d48de5fbcf03a25  
    [0.2] http://validation.identrust.com/roots/commercialrootca1.p7c  
  
  ----------------  Certificate CDP  ----------------  
  Verified "Base CRL (7d)" Time: 0 6f30f4fbb91a9f87fb34a5c9e7f63c5fec94c763  
    [0.0] http://validation.identrust.com/crl/commercialrootca1.crl  
  
  ----------------  Base CRL CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  Verified "OCSP" Time: 0 5dc3c7353a9421ec93122e50796d3ee0b8b5f728  
    [0.0] http://commercial.ocsp.identrust.com  
  
  --------------------------------  
    CRL 7d:  
    Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US  
    ThisUpdate: 3/30/2022 2:26 PM  
    NextUpdate: 4/29/2022 2:26 PM  
    CRL: 6f30f4fbb91a9f87fb34a5c9e7f63c5fec94c763  
  Issuance[0] = 2.23.140.1.3  
  Issuance[1] = 2.16.840.1.113839.0.6.14.1  
  Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing  
  
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0  
  Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US  
  NotBefore: 1/16/2014 2:12 PM  
  NotAfter: 1/16/2034 2:12 PM  
  Subject: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US  
  Serial: 0a0142800000014523c844b500000002  
  Cert: df717eaa4ad94ec9558499602d48de5fbcf03a25  
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)  
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  No URLs "None" Time: 0 (null)  
  --------------------------------  
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication  
  Application[1] = 1.3.6.1.5.5.7.3.3 Code Signing  
  Application[2] = 1.3.6.1.4.1.311.10.3.12 Document Signing  
  Application[3] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System  
  Application[4] = 1.3.6.1.5.5.7.3.4 Secure Email  
  Application[5] = 1.3.6.1.5.5.7.3.1 Server Authentication  
  Application[6] = 1.3.6.1.5.5.7.3.8 Time Stamping  
  EV[0] = 2.16.840.1.113839.0.6.9  
  EV[1] = 2.23.140.1.1  
  EV[2] = 2.16.840.1.113839.0.6.14.1  
  EV[3] = 2.23.140.1.3  
  
Exclude leaf cert:  
  Chain: 0e1c2395120fa71dff627115edbdf07c74ee229e  
Full chain:  
  Chain: 4c7f915ca5374fab4d8c036365db836600821881  
EV Cert  
------------------------------------  
Verified Issuance Policies:  
    2.23.140.1.3  
Verified Application Policies:  
    1.3.6.1.5.5.7.3.3 Code Signing  
Verified Extended Validation (EV) Policies:  
    2.23.140.1.3  
Extended Validation Certificate  
Cert is an End Entity certificate  
Leaf certificate revocation check passed

Richard Zarr 21 Reputation points

2022-04-05T16:16:26.967+00:00

We have had a request from Gary Renolds to post a PEM version of the certificate. I cannot see his comments here, but on his page I see that he commented and there is 1 answer - but it does not show here. Can someone explain this?
Gary Reynolds 9,621 Reputation points

2022-04-05T20:39:17.347+00:00

I deleted my comment as I was able to get a sample cert from the indentrust website and reproduce the error. I assume that someone else added a comment and deleted as well, unless the system counts my deletion as an answer.

As for your issue, sorry I ran out of stream last night track back through the various AIAs and CRLs to understand the wrong issuer error. Did indentrust provide any details on what Microsoft had implemented incorrectly, I'm assuming that they have escalated this to Microsoft!

Gary.
Richard Zarr 21 Reputation points

2022-04-05T21:09:38.737+00:00

Identrust says, "Your certificate is failing because it is checking against Microsoft’s root store, which does not have the updated EV code signing root in it. We are still waiting and trying to get an update about when that will get added so they will test/function properly in Microsoft’s systems". We've been unable to publish with out receiving browser warnings and SmartScreen warnings since they re-issued our cert due to some "root issue" where they were forced to re-issue ALL EV Code Signing Certificates in 5 days. We had no warning and have been trying to figure this out for almost 2 months!!
Gary Reynolds 9,621 Reputation points

2022-04-05T22:16:46.41+00:00

Having to reissuing the root certificate is a significant event, and would be of some concern. I believe getting a new root cert added to the list of trusted root certs, is not a simple or quick task, then all your users will need to install the update to get the new root cert added. If you are working to a tight deadline, it would be quick and easier to use a different provider.

And just to add, this shouldn't be classed as a Microsoft issue, root certificates are measured in years, and the planning for their issuing is the same. Reissuing the root without the replacement already available on the user's platform is a provider induced issue.

Gary.
Richard Zarr 21 Reputation points

2022-04-06T13:13:27.103+00:00

We are in agreement here... sounds like Identrust completely failed on this - not sure why. We are looking for a new provider - and we do not want to go through this again. Have you (or anyone else) had luck with DigiCert? Any other provider recommendations... we thought that a company owned by HID Global would be outstanding... not so much.

Our goal is to get around all the browser warning (e.g. "this software has not been downloaded often, are you sure...") and the Defender SmartScreen warnings - thus the EV Code Signing Certificate. We've been publishing software since 2011 - mostly custom jobs, so now we are trying our hand at a commercial package. Any advice is very welcome!
Gary Reynolds 9,621 Reputation points

2022-04-07T04:40:48.713+00:00

Hi Richard,

Yeah I've used DigiCert previously, didn't have issues with them. Their certificate management console, works well.

1 answer

Your answer

Richard Zarr 21 Reputation points

2022-04-05T16:16:26.967+00:00

We have had a request from Gary Renolds to post a PEM version of the certificate. I cannot see his comments here, but on his page I see that he commented and there is 1 answer - but it does not show here. Can someone explain this?
Gary Reynolds 9,621 Reputation points

2022-04-05T20:39:17.347+00:00

I deleted my comment as I was able to get a sample cert from the indentrust website and reproduce the error. I assume that someone else added a comment and deleted as well, unless the system counts my deletion as an answer.

As for your issue, sorry I ran out of stream last night track back through the various AIAs and CRLs to understand the wrong issuer error. Did indentrust provide any details on what Microsoft had implemented incorrectly, I'm assuming that they have escalated this to Microsoft!

Gary.
Richard Zarr 21 Reputation points

2022-04-05T21:09:38.737+00:00

Identrust says, "Your certificate is failing because it is checking against Microsoft’s root store, which does not have the updated EV code signing root in it. We are still waiting and trying to get an update about when that will get added so they will test/function properly in Microsoft’s systems". We've been unable to publish with out receiving browser warnings and SmartScreen warnings since they re-issued our cert due to some "root issue" where they were forced to re-issue ALL EV Code Signing Certificates in 5 days. We had no warning and have been trying to figure this out for almost 2 months!!
Gary Reynolds 9,621 Reputation points

2022-04-05T22:16:46.41+00:00

Having to reissuing the root certificate is a significant event, and would be of some concern. I believe getting a new root cert added to the list of trusted root certs, is not a simple or quick task, then all your users will need to install the update to get the new root cert added. If you are working to a tight deadline, it would be quick and easier to use a different provider.

And just to add, this shouldn't be classed as a Microsoft issue, root certificates are measured in years, and the planning for their issuing is the same. Reissuing the root without the replacement already available on the user's platform is a provider induced issue.

Gary.
Richard Zarr 21 Reputation points

2022-04-06T13:13:27.103+00:00

We are in agreement here... sounds like Identrust completely failed on this - not sure why. We are looking for a new provider - and we do not want to go through this again. Have you (or anyone else) had luck with DigiCert? Any other provider recommendations... we thought that a company owned by HID Global would be outstanding... not so much.

Our goal is to get around all the browser warning (e.g. "this software has not been downloaded often, are you sure...") and the Defender SmartScreen warnings - thus the EV Code Signing Certificate. We've been publishing software since 2011 - mostly custom jobs, so now we are trying our hand at a commercial package. Any advice is very welcome!
Gary Reynolds 9,621 Reputation points

2022-04-07T04:40:48.713+00:00

Hi Richard,

Yeah I've used DigiCert previously, didn't have issues with them. Their certificate management console, works well.

Answer 1

Hello @Richard Zarr

If Identrust is part of the Root certificate list of Microsoft it should get updated by the system.

You can check the current list with:

Get-Childitem cert:\LocalMachine\root |format-list

The update operation is regulated through the policy:

Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication. : Turn off Automatic Root Certificates Update (Set as "Disabled" to allow update).

You can also check the latest Root Certificate list from Microsoft by running:

certutil.exe -generateSSTFromWU C:\PS\roots.sst   (this will generate a SST file, which will contain all the current certificates to be updated)

Then you can sync all the certificates from the .SST file using the next script:

$sstStore = ( Get-ChildItem -Path C:\ps\rootsupd\roots.sst )  
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

If the Identrust does not appear in the SST file, that means that Microsoft have not included that Authority as trusted, and Identrust should get in touch with Microsoft to be included.

Hope this helps with your query,

-----------

--If the reply is helpful, please Upvote and Accept as answer--

Share via

Identrust EV Certificate Roots Not Loaded By Microsoft

1 answer

Your answer