Identrust EV Certificate Roots Not Loaded By Microsoft

Richard Zarr 21 Reputation points
2022-04-04T16:06:16.41+00:00

This is a follow-up question from a previous post (Defender SmartScreen Blocking Valid EV Code Certificate). IdenTrust (the EV certificate provider) is claiming that this is not their fault at all, but rather Microsoft's, in that they have not loaded their root certificates correctly. Here are the diagnostics from our certificate (see below). You will note there are "Wrong Issuer" errors in the chain, and it has been this way for over 45 days. So, is anyone else seeing this issue, and what can we do about it (other than using another EV cert provider, which we are very open to right now if anyone has a suggestion)? We are dead in the water and really could use some expertise!

Issuer:  
    CN=TrustID EV Code Signing CA 3  
    O=IdenTrust  
    C=US  
  Name Hash(sha1): 0873edd6480ff39fb261e4b3df26f285e3b55c7d  
  Name Hash(md5): 750f1c6fba829034a33aa53f460018eb  
Subject:  
    CN=STRASIS SYSTEMS LLC  
    OU=Strasis Systems  
    O=STRASIS SYSTEMS LLC  
    OID.2.5.4.15=Private Organization  
    OID.1.3.6.1.4.1.311.60.2.1.2=Florida  
    OID.1.3.6.1.4.1.311.60.2.1.3=US  
    SERIALNUMBER=L11000091926  
    L=Sanford  
    S=Florida  
    C=US  
  Name Hash(sha1): e3596c17d4931b29ba292711dfa9cc00a1e2280d  
  Name Hash(md5): 3bc34772b10c179dd5ab32f3a4d44efd  
Cert Serial Number: 40017ed631aaaab42e6591a8e3f7d7e3  
  
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)  
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)  
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)  
HCCE_LOCAL_MACHINE  
CERT_CHAIN_POLICY_BASE  
-------- CERT_CHAIN_CONTEXT --------  
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
ChainContext.dwRevocationFreshnessTime: 4 Days, 21 Hours, 34 Minutes, 8 Seconds  
  
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
SimpleChain.dwRevocationFreshnessTime: 4 Days, 21 Hours, 34 Minutes, 8 Seconds  
  
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0  
  Issuer: CN=TrustID EV Code Signing CA 3, O=IdenTrust, C=US  
  NotBefore: 2/7/2022 5:58 PM  
  NotAfter: 5/20/2022 5:58 PM  
  Subject: CN=STRASIS SYSTEMS LLC, OU=Strasis Systems, O=STRASIS SYSTEMS LLC, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Florida, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=L11000091926, L=Sanford, S=Florida, C=US  
  Serial: 40017ed631aaaab42e6591a8e3f7d7e3  
  Cert: 1113f8a10f3108806bed15c44e2efba98b52f099  
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  Verified "Certificate (0)" Time: 1 b82e9fd70413f7ecd4eddb368de44e75feeebe6c  
    [0.0] http://validation.identrust.com/certs/trustidevcodesigning3.p7c  
  
  Wrong Issuer "Certificate (1)" Time: 1 df717eaa4ad94ec9558499602d48de5fbcf03a25  
    [0.1] http://validation.identrust.com/certs/trustidevcodesigning3.p7c  
  
  ----------------  Certificate CDP  ----------------  
  Verified "Base CRL (01d6)" Time: 0 86dd0431c1150a4b00d5ca4c500d52d3202208a5  
    [0.0] http://validation.identrust.com/crl/trustidevcodesigning3.crl  
  
  ----------------  Base CRL CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  Verified "OCSP" Time: 0 fdaf3e1ecaf8a043b20a716c13a493147c08e35f  
    [0.0] http://commercial.ocsp.identrust.com  
  
  --------------------------------  
    CRL (null):  
    Issuer: CN=TrustID Code Signing CA 3 OCSP Signer, O=IdenTrust, C=US  
    ThisUpdate: 4/4/2022 11:18 AM  
    NextUpdate: 4/5/2022 11:18 AM  
    CRL: 9747e94dcdb3b0e1a4c697064dc7bd5fbe121916  
  Issuance[0] = 2.23.140.1.3  
  Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing  
  
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0  
  Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US  
  NotBefore: 8/20/2021 4:20 PM  
  NotAfter: 8/20/2029 4:20 PM  
  Subject: CN=TrustID EV Code Signing CA 3, O=IdenTrust, C=US  
  Serial: 40017b6539031240c2d47f8e6ca4f5cc  
  Cert: b82e9fd70413f7ecd4eddb368de44e75feeebe6c  
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  Wrong Issuer "Certificate (0)" Time: 0 dac9024f54d8f6df94935fb1732638ca6ad77c13  
    [0.0] http://validation.identrust.com/roots/commercialrootca1.p7c  
  
  Verified "Certificate (1)" Time: 0 890ff22a017207912a75c4747623dc65a1eee8d6  
    [0.1] http://validation.identrust.com/roots/commercialrootca1.p7c  
  
  Verified "Certificate (2)" Time: 0 df717eaa4ad94ec9558499602d48de5fbcf03a25  
    [0.2] http://validation.identrust.com/roots/commercialrootca1.p7c  
  
  ----------------  Certificate CDP  ----------------  
  Verified "Base CRL (7d)" Time: 0 6f30f4fbb91a9f87fb34a5c9e7f63c5fec94c763  
    [0.0] http://validation.identrust.com/crl/commercialrootca1.crl  
  
  ----------------  Base CRL CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  Verified "OCSP" Time: 0 5dc3c7353a9421ec93122e50796d3ee0b8b5f728  
    [0.0] http://commercial.ocsp.identrust.com  
  
  --------------------------------  
    CRL 7d:  
    Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US  
    ThisUpdate: 3/30/2022 2:26 PM  
    NextUpdate: 4/29/2022 2:26 PM  
    CRL: 6f30f4fbb91a9f87fb34a5c9e7f63c5fec94c763  
  Issuance[0] = 2.23.140.1.3  
  Issuance[1] = 2.16.840.1.113839.0.6.14.1  
  Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing  
  
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0  
  Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US  
  NotBefore: 1/16/2014 2:12 PM  
  NotAfter: 1/16/2034 2:12 PM  
  Subject: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US  
  Serial: 0a0142800000014523c844b500000002  
  Cert: df717eaa4ad94ec9558499602d48de5fbcf03a25  
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)  
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  No URLs "None" Time: 0 (null)  
  --------------------------------  
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication  
  Application[1] = 1.3.6.1.5.5.7.3.3 Code Signing  
  Application[2] = 1.3.6.1.4.1.311.10.3.12 Document Signing  
  Application[3] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System  
  Application[4] = 1.3.6.1.5.5.7.3.4 Secure Email  
  Application[5] = 1.3.6.1.5.5.7.3.1 Server Authentication  
  Application[6] = 1.3.6.1.5.5.7.3.8 Time Stamping  
  EV[0] = 2.16.840.1.113839.0.6.9  
  EV[1] = 2.23.140.1.1  
  EV[2] = 2.16.840.1.113839.0.6.14.1  
  EV[3] = 2.23.140.1.3  
  
Exclude leaf cert:  
  Chain: 0e1c2395120fa71dff627115edbdf07c74ee229e  
Full chain:  
  Chain: 4c7f915ca5374fab4d8c036365db836600821881  
EV Cert  
------------------------------------  
Verified Issuance Policies:  
    2.23.140.1.3  
Verified Application Policies:  
    1.3.6.1.5.5.7.3.3 Code Signing  
Verified Extended Validation (EV) Policies:  
    2.23.140.1.3  
Extended Validation Certificate  
Cert is an End Entity certificate  
Leaf certificate revocation check passed  
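
As an added example (not part of the original post), the PowerShell below reproduces for a signed binary what the certutil dump above reports: it reads the Authenticode signature, builds the chain with online revocation checking that excludes the root (the X509Chain counterpart of CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT), requires the Code Signing application policy 1.3.6.1.5.5.7.3.3, prints each chain element's status (the counterpart of dwErrorStatus, which is 0 on every element in the dump) together with its Certificate Policies, tests the leaf for the CA/Browser Forum EV code-signing OID 2.23.140.1.3 that the dump lists under Issuance[0], and checks whether the root is present in LocalMachine\Root. The file path is an assumption.

```powershell
# Added example, not code from the original post. Save as Check-SigningChain.ps1
# and run: .\Check-SigningChain.ps1 -Path C:\build\MyApp.exe
param(
    [string]$Path = 'C:\build\MyApp.exe'   # assumption: path to the signed binary
)

$evCodeSigningOid = '2.23.140.1.3'        # CA/B Forum EV code-signing policy OID (Issuance[0] in the dump)
$codeSigningEku   = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU (Application[0] in the dump)
$certPoliciesExt  = '2.5.29.32'           # Certificate Policies extension OID

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) { throw "No signer certificate found on $Path" }

$leaf = $sig.SignerCertificate
"Signer           : $($leaf.Subject)"
"Issuer           : $($leaf.Issuer)"
"Thumbprint       : $($leaf.Thumbprint)"

# Build the chain with online revocation checking, skipping the root (roots carry no CDP/OCSP,
# as the 'No URLs' lines for CertContext[0][2] show), and require the code-signing EKU.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$codeSigningEku)

$ok = $chain.Build($leaf)
"Chain builds     : $ok"

# Walk leaf -> intermediate -> root, printing the per-element status and issuance policies.
$i = 0
foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }
    $polExt   = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq $certPoliciesExt }
    $policies = if ($polExt) { $polExt.Format($false) } else { '(none)' }
    "[{0}] {1}" -f $i, $el.Certificate.Subject
    "     status   : $status"
    "     policies : $policies"
    $i++
}

# EV is asserted by the leaf's Certificate Policies containing the EV code-signing OID.
$leafPol = $chain.ChainElements[0].Certificate.Extensions | Where-Object { $_.Oid.Value -eq $certPoliciesExt }
$isEv    = [bool]$leafPol -and ($leafPol.Format($false) -like "*$evCodeSigningOid*")
"Leaf asserts EV  : $isEv"

# The chain is only trusted if its root is in the machine's trusted root store.
$root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
"Root thumbprint  : $($root.Thumbprint) (in LocalMachine\Root: $inRootStore)"
```

A chain that builds with every element reporting OK, an EV policy on the leaf and the root present in LocalMachine\Root is the same picture the certutil dump gives; if any element reports a status other than OK, that status names the failing check (revocation, expiry, untrusted root, policy).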

1 answer

  1. Limitless Technology 39,926 Reputation points
    2022-04-06T13:47:23.973+00:00

    Hello @Richard Zarr

    If IdenTrust is part of Microsoft's root certificate list, it should get updated by the system.

    You can check the current list with:

    # List every certificate in the machine's trusted root store
    Get-ChildItem Cert:\LocalMachine\Root | Format-List
    

    The update operation is regulated through the policy:

    Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings: Turn off Automatic Root Certificates Update (set to "Disabled" to allow the update).

    You can also check the latest Root Certificate list from Microsoft by running:

    # Download the current Windows Update trusted root list into an SST (serialized store) file
    certutil.exe -generateSSTFromWU C:\PS\roots.sst

    This will generate an SST file which contains all the current certificates to be updated.
    

    Then you can sync all the certificates from the .SST file using the next script:

    # Import every root in the SST generated above into the machine's trusted root store
    $sstStore = Get-ChildItem -Path C:\PS\roots.sst
    $sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
    

    If IdenTrust does not appear in the SST file, that means that Microsoft has not included that authority as trusted, and IdenTrust should get in touch with Microsoft to be included.

    Hope this helps with your query,

    -----------

    --If the reply is helpful, please Upvote and Accept as answer--

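The following is an added example, not the answerer's code, that runs the checks described in the answer above end to end for the root that appears in the question's chain dump: it looks for IdenTrust Commercial Root CA 1 (thumbprint df717eaa4ad94ec9558499602d48de5fbcf03a25, from CertContext[0][2]) in LocalMachine\Root and in the AuthRoot store that the automatic root update program populates, reads the registry value written by the "Turn off Automatic Root Certificates Update" policy, pulls the current Windows Update root list with certutil -generateSSTFromWU, and imports only the missing root rather than the whole SST. The output path is an assumption.

```powershell
# Added example, not code from the original answer. Run in an elevated PowerShell session.
$rootThumbprint = 'DF717EAA4AD94EC9558499602D48DE5FBCF03A25'   # IdenTrust Commercial Root CA 1, from the dump
$sstPath        = 'C:\PS\roots.sst'                            # assumption: where to write the WU snapshot

# 1. Is the root already trusted on this machine? Root is the admin-managed store; AuthRoot is
#    where the automatic root update program places roots it downloads from Windows Update.
$inRoot     = [bool](Get-ChildItem Cert:\LocalMachine\Root     | Where-Object Thumbprint -eq $rootThumbprint)
$inAuthRoot = [bool](Get-ChildItem Cert:\LocalMachine\AuthRoot | Where-Object Thumbprint -eq $rootThumbprint)
"In LocalMachine\Root     : $inRoot"
"In LocalMachine\AuthRoot : $inAuthRoot"

# 2. Has Group Policy turned automatic root updates off? The policy named in the answer sets
#    DisableRootAutoUpdate = 1 under this key.
$polKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $polKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
"Auto root update disabled by policy : $($disabled -eq 1)"

# 3. Fetch the current Windows Update root list and see whether the root is in it.
New-Item -ItemType Directory -Path (Split-Path $sstPath) -Force | Out-Null
& certutil.exe -generateSSTFromWU $sstPath | Out-Null
if (-not (Test-Path $sstPath)) { throw "certutil did not produce $sstPath" }

# X509Certificate2Collection.Import understands the SST (serialized store) format.
$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($sstPath)
$wuMatch = $wuRoots | Where-Object Thumbprint -eq $rootThumbprint
"Roots in WU list         : $($wuRoots.Count)"
"IdenTrust root in WU list: $([bool]$wuMatch)"
if ($wuMatch) { "  Subject: $($wuMatch.Subject)  NotAfter: $($wuMatch.NotAfter)" }

# 4. Import just the one missing root instead of all of them (smallest change to the trust store).
if ($wuMatch -and -not $inRoot) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($wuMatch)
    $store.Close()
    "Imported $rootThumbprint into LocalMachine\Root"
}
```

If the root is in the Windows Update list but absent from both local stores, the machine is not receiving root updates (check step 2 and network access to Windows Update); if it is absent from the Windows Update list itself, no local import changes what other machines trust, and the conversation belongs with the CA and Microsoft as the answer says.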
