June 2019 Deployment Notice (5/June) - Microsoft Trusted Root Program
On Tuesday, July 2nd, 2019, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.
This release will disable the following roots (Root Certificate \ SHA-1 Thumbprint):
- CertPlus Class 3P Primary CA \ 216B2A29E62A00CE820146D8244141B92511B279
- CertPlus Class 3 Primary CA \ D2EDF88B41B6FE01461D6E2834EC7C8F6C77721E
- CertPlus Class 3TS Primary CA \ F44095C238AC73FC4F77BF8F98DF70F8F091BC52
This release will NotBefore the following root:
- ePKI Root Certification Authority - G2 \ 81AC5DE150D1B8DE5D3E0E266A136B737862D322
This release will NotBefore the code signing EKU in the following roots:
- certSIGN Root CA \ FAB7EE36972662FB2DB02AF6BF03FDE87C4B2F9B
- CAROOT Firmaprofesional \ AEC5FB3FC8E1BFC4E54F03075A9AE800B7F7B6FA
This release will NotBefore the code signing and the server authenication EKUs in the following root:
- Cisco Systems \ DE990CED99E0431F60EDC3937E7CD5BF0ED9E5FA
This release will modify the EV OIDs in the following roots:
- SSL.com EV Root Certification Authority ECC \ 4CDD51A3D1F5203214B0C6C532230391C746426D
- SSL.com EV Root Certification Authority RSA R2 \ 43AF0529BD032A0F44A83CDD4BAA97B7C2EC49A
This release will modify the EV OIDs and add the time-stamping EKU in the following roots:
- Trustwave Global ECC P256 Certification Authority \ B49082DD450CBE8B5BB166D3E2A40826CDED42CF
- Trustwave Global Certification Authority \ 2F8F364FE1589744215987A52A9AD06995267FB5
- Trustwave Global ECC P384 Certification Authority \ E7F3A3C8CF6FC3042E6D0E6732C59E68950D5ED2
This release will remove the server authentication EKU in the following roots:
- OpenTrust Root CA G1 \ 7991E834F7E2EEDD08950152E9552D14E958D57E
- OpenTrust Root CA G2 \ 795F8860C5AB7C3D92E6CBF48DE145CD11EF600B
- OpenTrust Root CA G3 \ 6E2664F356BF3455BFD1933F7C01DED813DA8AA6
- Certplus Root CA G1 \ 22FDD0B7FDA24E0DAC492CA0ACA67B6A1FE3F766
- Certplus Root CA G2 \ 4F658E1FE906D82802E9544741C954255D69CC1A
Note
- Windows 10 allows us to stop trusting roots or EKU's using the "NotBefore" or "Disable" properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.
- The NotBefore and Disable dates are set for the first day of the release month. This means that all certificates issued after May 1st will be affected.
- The update package will be available for download and testing at: https://aka.ms/CTLDownload
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for