New CA application - Microsoft Trusted Root Program

At this time, the Microsoft Trusted Root Program is not accepting new CAs into the program. Please check back at a later time for updates on new CA applications and acceptances.

1. Introduction

This page describes the general application process to become a new certificate authority in the Microsoft Trusted Root Program, and will continually updated with the latest information.

2. Certificate Authority Intake Process

  1. An applicant CA must fill out the application and email the completed form to [msroot@microsoft.com]. This will add the CA to a queue of applications that will be reviewed in order of initial application time. Please note that, as stated above, we are currently not accepting new CAs to our program. In the future, when we begin accepting new CAs, the application will be linked here.

  2. Once the CA has reached the head of queue, Microsoft will review the application, and may request additional documentation from the CA to determine if the CA meets the Program requirements and whether, in Microsoft's judgment, the CA's inclusion into the program will benefit Microsoft's customers. Microsoft will complete vetting of the CA and its related businesses at this time which will, at a minimum, include review of:

    • Management
    • Operations
    • Beneficial Ownership Screening
    • State-Owned Entity review
    • Other due diligence as appropriate
  3. Microsoft will review the provided Certificate Policy/Certification Practices Statement (CP/CPS) documentation and may provide feedback. If feedback is provided, the provided documentation must be updated and resubmitted.

  4. Microsoft may grant preliminary approval to the CA, along with a deadline by which all remaining work and requested documentation must be completed and submitted for review. If a CA is not given preliminary approval, no additional action will be taken by the CA. The CA will be informed of this decision by email.

  5. Upon receipt of preliminary approval from Microsoft, the CA will need to engage an auditor to complete the necessary audits if not yet provided. See https://aka.ms/auditreqs for more information about the Program's audit requirements.

    • If the CA has the necessary audits completed at the time of the initial application, they may provide them at that time.
    • If the CA has provided their audits at the start of the application process and substantial changes were made the CP/CPS documentation during the process, Microsoft may require that the CA provides an updated audit statement.
  6. When all of the above steps are completed and if the application is approved, Microsoft will send a copy of the contract required of all CAs to sign before joining the program. CAs will need to provide:

    • The name, email address, phone number, and job title of the person who will sign the Program contract
    • A second contact's name, email address, and phone number.
    • The company's principal place of business (street address).
    • The company's place of incorporation (country or state/province).

The program contract will be sent via Docusign for the CA to sign and return to Microsoft.

  1. Upon receipt of the completed contract, Microsoft will add the CA to an upcoming update to our Certificate Trust List. Microsoft will add the CA and contacts to the CCADB and the CA will need to follow the instructions found on https://www.ccadb.org/cas/updates to provide their Qualifying Audit Attestation.

Note

  • Microsoft will determine at its sole discretion which CA certificates are included the Program.
  • Microsoft will not charge any fee for including a CA's certificates in the Program.
  • Microsoft reserves the right to not include a CA into the Program for any reason or no reason at all.