Microsoft updates Trusted Root Certificate Program to reinforce trust in the Internet


At Microsoft, we are continuously working to deliver on our commitment to the security of our customers and their ecosystems. A core component of our strategy to inform Windows users about the safety of the websites, apps and software they’re accessing online is built into the
Microsoft Trusted Root Certificate Program. This program takes root certificates supplied by authorized Certificate Authorities (CAs) around the world and ships them to your device to tell it which programs, apps and websites are trusted by Microsoft.

Our efforts to provide a seamless and secure experience usually take place in the background, but today, we want to tell you about some changes we have made to this program. These crucial modifications will help us better guard against evolving threats affecting websites and the apps ecosystem, but they may impact a small set of customers who have certificates from affected partners.

This past spring, we began engaging with Certificate Authorities (CA) to solicit feedback and talk about upcoming changes to our Trusted Root Certificate Program. Among other things, the changes included more stringent technical and auditing requirements. The final program changes were published in June 2015. Since then, we have been working, directly and through community forums, to help our partners understand and comply with the new program requirements.

Through this effort, we identified a few partners who will no longer participate in the program, either because they have chosen to leave voluntarily or because they will not be in compliance with the new requirements. We’ve published a complete list of Certificate Authorities below that are out of compliance or voluntarily chose to leave the program and will have their roots removed from the Trusted Root CA Store in January 2016. We encourage all owners of digital certificates currently trusted by Microsoft to review the list and take action as necessary.

The certificate-dependent services you manage will be impacted if the certificates you use chain up to a root certificate Microsoft removes from the store. Though the actual screens and text vary depending on which browser a customer is using, here’s what will usually happen:

  • If you use one of these certificates to secure connections to your server over https, when a customer attempts to navigate to your site, that customer will see a message that there is a problem with the security certificate.
  • If you use one of these certificates to sign software, when a customer attempts to install that software on a Windows operating system, Windows will display a warning that the publisher may not be trusted. In either case, the customer may choose to continue.

We strongly encourage all owners of digital certificates currently trusted by Microsoft to review the list here and investigate whether their certificates are associated with any of the roots we will be removing as part of the update. If you use a certificate that was issued by one of these companies, we strongly recommend that you obtain a replacement certificate from another program provider. The list of all providers is located at
https://aka.ms/trustcertpartners.

With Windows 10 we will continue to work hard to provide you with safer experiences you expect from Windows, keeping you in control and helping you do great things.

How to determine your digital certificates

If you are unsure of how to determine the root of your digital certificates, I have included some guidance, by browser, below.  For more information on the program itself, visit
https://aka.ms/rootcert.

Microsoft Edge

  1. Navigate to a web page that uses your certificate.
  2. Click the
    Lock icon (in the web address field); the company under “Website Identification” is the company that owns the root.

Internet Explorer

  1. Navigate to a web page that uses your certificate.
  2. Click the
    Lock icon (in the web address field).
  3. Click
    View Certificates then Certification Path.
  4. View the certificate name at the top of the Certificate Path.

Chrome

  1. Navigate to a web page that uses your certificate.
  2. Click the
    Lock icon (in the web address field).
  3. Click
    Connection then Certificate Information.
  4. Click
    Certification Path.
  5. View the certificate name at the top of the Certificate Path.

Firefox

  1. Navigate to a web page that uses your certificate.
  2. Click the
    Lock icon (in the web address field) then click the arrow on the right.
  3. Click
    More Information then View Certificate.
  4. Click
    Details.
  5. View the certificate name at the top of the Certificate Path.

Aaron Kornblum
Enterprise & Security Group Program Manager, Governance, Risk Management & Compliance


Comments (5)

  1. Jiri Synek says:

    Wrong move IMO…

    1. Frank Owen says:

      Jiri: What is your thought process on thinking this is the wrong move? Other then scrapping the Trusted Root CA system altogether (not realistic today) this is a good first step.

  2. A. Smit says:

    badly communicated. to late also

  3. adwbust says:

    does mse use the local trust store when checking a signed PE file during a scan? when internet is available, it should use a remote trust store or when mse accesses the local trust store, windows should first check if it’s up to date. do the same when IE or edge checks a downloaded file that is signed.

    i hate the windows defender and system endpoint tray icon. it should be a shield with a letter D or shield inside a box/square window which is new windows logo. green when active. orange when a detection requires attention. red when disabled, broken, tampered or outdated.

  4. this is helpfully fOr me

Skip to main content