February 2024 Deployment Notice - Microsoft Trusted Root Program

  • Article

On February 27, 2024, Microsoft released an update to the Microsoft Trusted Root Certificate Program.

This release will Disable the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

  1. China Financial Certification Authority (CFCA) // CFCA_root1 // EABDA240440ABBD694930A01D09764C6C2D77966
  2. DATEV eG // CA DATEV INT 03 // 924AEA47F73CB690565E552CFCC6E8D63EEE4242
  3. DATEV eG // CA DATEV STD 03 // 27EED22AFD58A2C64A855E3680AF898BF36CE503
  4. DATEV eG // CA DATEV BT 03 // 3DB66DFEBEB6712889E7C098B32805896B6218CC
  5. DigiCert // Symantec Class 3 Public Primary Certification Authority - G6 // 26A16C235A2472229B23628025BC8097C88524A1
  6. DigiCert // GeoTrust Primary Certification Authority // 323C118E1BF7B8B65254E2E2100DD6029037F096
  7. DigiCert // VeriSign Class 3 Public Primary Certification Authority - G3 // 132D0D45534B6997CDB2D5C339E25576609B5CC6
  8. DigiCert // Thawte Primary Root CA - G3 // F18B538D1BE903B6A6F056435B171589CAF36BF2
  9. DigiCert // GeoTrust Primary Certification Authority - G3 // 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
  10. DigiCert // Thawte Primary Root CA - G2 // AADBBC22238FC401A127BB38DDF41DDB089EF012
  11. DigiCert // GeoTrust Primary Certification Authority - G2 // 8D1784D537F3037DEC70FE578B519A99E610D7B0
  12. e-tugra // E-Tugra Certification Authority // 51C6E70849066EF392D45CA00D6DA3628FC35239
  13. Government of Hong Kong (SAR), Hongkong Post, Certizen // Hongkong Post Root CA 1 // D6DAA8208D09D2154D24B52FCB346EB258B28A58
  14. IZENPE S.A. // Izenpe.com // 30779E9315022E94856A3FF8BCF815B082F9AEFD
  15. Krajowa Izba Rozliczeniowa S.A. (KIR) // SZAFIR ROOT CA // D3EEFBCBBCF49867838626E23BB59CA01E305DB7

This release will NotBefore the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

  1. AC Camerfirma, S.A. // Chambers of Commerce Root // 6E3A55A4190C195C93843CC0DB722E313061F0B1
  2. Nets DanID // TRUST2408 OCES Primary CA // 5CFB1F5DB732E4084C0DD4978574E0CBC093BEB3

This release will NotBefore the Server Authentication EKU for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

  1. AC Camerfirma, S.A. // Chambers of Commerce Root - 2008 // 786A74AC76AB147F9C6A3050BA9EA87EFE9ACE3C
  2. AC Camerfirma, S.A. // CHAMBERS OF COMMERCE ROOT - 2016 // 2DE16A5677BACA39E1D68C30DCB14ABE22A6179B
  3. AC Camerfirma, S.A. // Global Chambersign Root - 2008 // 4ABDEEEC950D359C89AEC752A12C5B29F6D6AA0C
  4. AC Camerfirma, S.A. // GLOBAL CHAMBERSIGN ROOT - 2016 // 1139A49E8484AAF2D90D985EC4741A65DD5D94E2

This release will Remove the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

  1. Deutsche Telekom Security GmbH // Deutsche Telekom Root CA 2 // 85A408C09C193E5D51587DCDD61330FD8CDE37BF
  2. Netrust Pte Ltd // Netrust_NetrustCA1 // 55C86F7414AC8BDD6814F4D86AF15F3710E104D0
  3. Sectigo // UTN-USERFirst-Client Authentication and Email // B172B1A56D95F91FE50287E14D37EA6A4463768A
  4. TurkTrust // TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 // C418F64D46D1DF003D2730137243A91211C675FB
  5. Visa // Visa eCommerce Root // 70179B868C00A4FA609152223F9F3E32BDE00562

Certificate Transparency Log Monitor (CTLM) policy
The Certificate Transparency Log Monitor (CTLM) policy is now included in the monthly Windows CTL. It is a list of publicly trusted logging servers that will be used for validating certificate transparency on Windows. The list of logging servers is expected to change over time as they're retired or replaced, and this list reflects the CT logging servers that Microsoft trusts. In the upcoming Windows release, users are able to opt in to certificate transparency validation, which will check for the presence of two Signed Certificate Timestamps (SCTs) from different logging servers in the CTLM. This functionality is currently being tested with event logging only to ensure it is reliable before individual applications can opt in to enforcement.

Note

  • As part of this release, Microsoft also updated the Untrusted CTL time stamp and sequence number. No changes were made to the contents of the Untrusted CTL but this will cause your system to download/refresh the Untrusted CTL. This is a normal update that is sometimes done when the Trusted Root CTL is updated.
  • The update package will be available for download and testing at: https://aka.ms/CTLDownload
  • Signatures on the Certificate Trust Lists (CTLs) for the Microsoft Trusted Root Program changed from dual-signed (SHA-1/SHA-2) to SHA-2 only. No customer action required. For more information, please visit: https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus