This is a follow-up question from a previous post (Defender SmartScreen Blocking Valid EV Code Certificate). IdenTrust (the EV certificate provider) is claiming that this is not their fault at all, but rather Microsoft's, in that they have not loaded their root certificates correctly. Here are the diagnostics from our certificate (see below). You will note there are "Wrong Issuer" errors in the chain, and this has been this way for over 45 days. So, is anyone else seeing this issue, and what can we do about it (other than using another EV cert provider, which we are very open to right now if anyone has a suggestion)? We are dead in the water and really could use some expertise!
Issuer:
CN=TrustID EV Code Signing CA 3
O=IdenTrust
C=US
Name Hash(sha1): 0873edd6480ff39fb261e4b3df26f285e3b55c7d
Name Hash(md5): 750f1c6fba829034a33aa53f460018eb
Subject:
CN=STRASIS SYSTEMS LLC
OU=Strasis Systems
O=STRASIS SYSTEMS LLC
OID.2.5.4.15=Private Organization
OID.1.3.6.1.4.1.311.60.2.1.2=Florida
OID.1.3.6.1.4.1.311.60.2.1.3=US
SERIALNUMBER=L11000091926
L=Sanford
S=Florida
C=US
Name Hash(sha1): e3596c17d4931b29ba292711dfa9cc00a1e2280d
Name Hash(md5): 3bc34772b10c179dd5ab32f3a4d44efd
Cert Serial Number: 40017ed631aaaab42e6591a8e3f7d7e3
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 4 Days, 21 Hours, 34 Minutes, 8 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 4 Days, 21 Hours, 34 Minutes, 8 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=TrustID EV Code Signing CA 3, O=IdenTrust, C=US
NotBefore: 2/7/2022 5:58 PM
NotAfter: 5/20/2022 5:58 PM
Subject: CN=STRASIS SYSTEMS LLC, OU=Strasis Systems, O=STRASIS SYSTEMS LLC, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Florida, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=L11000091926, L=Sanford, S=Florida, C=US
Serial: 40017ed631aaaab42e6591a8e3f7d7e3
Cert: 1113f8a10f3108806bed15c44e2efba98b52f099
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 1 b82e9fd70413f7ecd4eddb368de44e75feeebe6c
[0.0] http://validation.identrust.com/certs/trustidevcodesigning3.p7c
Wrong Issuer "Certificate (1)" Time: 1 df717eaa4ad94ec9558499602d48de5fbcf03a25
[0.1] http://validation.identrust.com/certs/trustidevcodesigning3.p7c
---------------- Certificate CDP ----------------
Verified "Base CRL (01d6)" Time: 0 86dd0431c1150a4b00d5ca4c500d52d3202208a5
[0.0] http://validation.identrust.com/crl/trustidevcodesigning3.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0 fdaf3e1ecaf8a043b20a716c13a493147c08e35f
[0.0] http://commercial.ocsp.identrust.com
--------------------------------
CRL (null):
Issuer: CN=TrustID Code Signing CA 3 OCSP Signer, O=IdenTrust, C=US
ThisUpdate: 4/4/2022 11:18 AM
NextUpdate: 4/5/2022 11:18 AM
CRL: 9747e94dcdb3b0e1a4c697064dc7bd5fbe121916
Issuance[0] = 2.23.140.1.3
Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
NotBefore: 8/20/2021 4:20 PM
NotAfter: 8/20/2029 4:20 PM
Subject: CN=TrustID EV Code Signing CA 3, O=IdenTrust, C=US
Serial: 40017b6539031240c2d47f8e6ca4f5cc
Cert: b82e9fd70413f7ecd4eddb368de44e75feeebe6c
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0 dac9024f54d8f6df94935fb1732638ca6ad77c13
[0.0] http://validation.identrust.com/roots/commercialrootca1.p7c
Verified "Certificate (1)" Time: 0 890ff22a017207912a75c4747623dc65a1eee8d6
[0.1] http://validation.identrust.com/roots/commercialrootca1.p7c
Verified "Certificate (2)" Time: 0 df717eaa4ad94ec9558499602d48de5fbcf03a25
[0.2] http://validation.identrust.com/roots/commercialrootca1.p7c
---------------- Certificate CDP ----------------
Verified "Base CRL (7d)" Time: 0 6f30f4fbb91a9f87fb34a5c9e7f63c5fec94c763
[0.0] http://validation.identrust.com/crl/commercialrootca1.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0 5dc3c7353a9421ec93122e50796d3ee0b8b5f728
[0.0] http://commercial.ocsp.identrust.com
--------------------------------
CRL 7d:
Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
ThisUpdate: 3/30/2022 2:26 PM
NextUpdate: 4/29/2022 2:26 PM
CRL: 6f30f4fbb91a9f87fb34a5c9e7f63c5fec94c763
Issuance[0] = 2.23.140.1.3
Issuance[1] = 2.16.840.1.113839.0.6.14.1
Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
NotBefore: 1/16/2014 2:12 PM
NotAfter: 1/16/2034 2:12 PM
Subject: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
Serial: 0a0142800000014523c844b500000002
Cert: df717eaa4ad94ec9558499602d48de5fbcf03a25
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.3 Code Signing
Application[2] = 1.3.6.1.4.1.311.10.3.12 Document Signing
Application[3] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
Application[4] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[5] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[6] = 1.3.6.1.5.5.7.3.8 Time Stamping
EV[0] = 2.16.840.1.113839.0.6.9
EV[1] = 2.23.140.1.1
EV[2] = 2.16.840.1.113839.0.6.14.1
EV[3] = 2.23.140.1.3
Exclude leaf cert:
Chain: 0e1c2395120fa71dff627115edbdf07c74ee229e
Full chain:
Chain: 4c7f915ca5374fab4d8c036365db836600821881
EV Cert
------------------------------------
Verified Issuance Policies:
2.23.140.1.3
Verified Application Policies:
1.3.6.1.5.5.7.3.3 Code Signing
Verified Extended Validation (EV) Policies:
2.23.140.1.3
Extended Validation Certificate
Cert is an End Entity certificate
Leaf certificate revocation check passed
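Added example (not part of the original post): a Python parser for the chain dump above that collects each chain element's AIA fetch results and reports, for every "Wrong Issuer" entry, whether that hash is the thumbprint of another certificate in the built chain. The embedded sample is an excerpt of the post's own output; the function names are illustrative.

```python
import re

# Excerpt of the chain dump from the post above (AIA-related lines only).
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Cert: 1113f8a10f3108806bed15c44e2efba98b52f099
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 1 b82e9fd70413f7ecd4eddb368de44e75feeebe6c
Wrong Issuer "Certificate (1)" Time: 1 df717eaa4ad94ec9558499602d48de5fbcf03a25
---------------- Certificate CDP ----------------
Verified "Base CRL (01d6)" Time: 0 86dd0431c1150a4b00d5ca4c500d52d3202208a5
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Cert: b82e9fd70413f7ecd4eddb368de44e75feeebe6c
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0 dac9024f54d8f6df94935fb1732638ca6ad77c13
Verified "Certificate (1)" Time: 0 890ff22a017207912a75c4747623dc65a1eee8d6
Verified "Certificate (2)" Time: 0 df717eaa4ad94ec9558499602d48de5fbcf03a25
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Cert: df717eaa4ad94ec9558499602d48de5fbcf03a25
"""

ELEMENT = re.compile(r"CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=\w+ dwErrorStatus=(\w+)")
SECTION = re.compile(r"-{4,} (.+?) -{4,}")
FETCH = re.compile(r'(.+?) ".+?" Time: \d+ ([0-9a-f]{40})$')

def parse_chain(text):
    """One dict per chain element: index, error status, thumbprint, AIA (status, hash) pairs."""
    elements, section = [], None
    for line in map(str.strip, text.splitlines()):
        if m := ELEMENT.match(line):
            elements.append({"index": int(m[1]), "error": int(m[2], 16), "cert": None, "aia": []})
            section = None
        elif m := SECTION.match(line):
            section = m[1]
        elif elements and line.startswith("Cert: "):
            elements[-1]["cert"] = line.split()[1]
        elif elements and section == "Certificate AIA" and (m := FETCH.match(line)):
            elements[-1]["aia"].append((m[1], m[2]))
    return elements

def wrong_issuer_report(elements):
    """(element index, hash, index of the chain element with that thumbprint or None)."""
    by_hash = {e["cert"]: e["index"] for e in elements}
    return [(e["index"], h, by_hash.get(h))
            for e in elements for status, h in e["aia"] if status == "Wrong Issuer"]

if __name__ == "__main__":
    for idx, h, hit in wrong_issuer_report(parse_chain(SAMPLE)):
        print(f"element {idx}: Wrong Issuer {h} ->",
              f"chain element {hit}" if hit is not None else "not in built chain")
```

On this excerpt the leaf's "Wrong Issuer" hash equals the thumbprint of chain element 2 (the self-signed root), while the intermediate's "Wrong Issuer" hash matches no certificate in the built chain.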