Question asked by RichardZarr-7482

Identrust EV Certificate Roots Not Loaded By Microsoft

This is a follow-up question from a previous post (Defender SmartScreen Blocking Valid EV Code Certificate). IdenTrust (the EV certificate provider) is claiming that this is not their fault at all, but rather Microsoft's, in that they have not loaded their root certificates correctly. Here are the diagnostics from our certificate (see below). You will note there are "Wrong Issuer" errors in the chain, and it has been this way for over 45 days. So, is anyone else seeing this issue, and what can we do about it (other than using another EV cert provider, which we are very open to right now if anyone has a suggestion)? We are dead in the water and really could use some expertise!

 Issuer:
     CN=TrustID EV Code Signing CA 3
     O=IdenTrust
     C=US
   Name Hash(sha1): 0873edd6480ff39fb261e4b3df26f285e3b55c7d
   Name Hash(md5): 750f1c6fba829034a33aa53f460018eb
 Subject:
     CN=STRASIS SYSTEMS LLC
     OU=Strasis Systems
     O=STRASIS SYSTEMS LLC
     OID.2.5.4.15=Private Organization
     OID.1.3.6.1.4.1.311.60.2.1.2=Florida
     OID.1.3.6.1.4.1.311.60.2.1.3=US
     SERIALNUMBER=L11000091926
     L=Sanford
     S=Florida
     C=US
   Name Hash(sha1): e3596c17d4931b29ba292711dfa9cc00a1e2280d
   Name Hash(md5): 3bc34772b10c179dd5ab32f3a4d44efd
 Cert Serial Number: 40017ed631aaaab42e6591a8e3f7d7e3
    
 dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
 dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
 ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
 HCCE_LOCAL_MACHINE
 CERT_CHAIN_POLICY_BASE
 -------- CERT_CHAIN_CONTEXT --------
 ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
 ChainContext.dwRevocationFreshnessTime: 4 Days, 21 Hours, 34 Minutes, 8 Seconds
    
 SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
 SimpleChain.dwRevocationFreshnessTime: 4 Days, 21 Hours, 34 Minutes, 8 Seconds
    
 CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
   Issuer: CN=TrustID EV Code Signing CA 3, O=IdenTrust, C=US
   NotBefore: 2/7/2022 5:58 PM
   NotAfter: 5/20/2022 5:58 PM
   Subject: CN=STRASIS SYSTEMS LLC, OU=Strasis Systems, O=STRASIS SYSTEMS LLC, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Florida, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=L11000091926, L=Sanford, S=Florida, C=US
   Serial: 40017ed631aaaab42e6591a8e3f7d7e3
   Cert: 1113f8a10f3108806bed15c44e2efba98b52f099
   Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
   Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
   ----------------  Certificate AIA  ----------------
   Verified "Certificate (0)" Time: 1 b82e9fd70413f7ecd4eddb368de44e75feeebe6c
     [0.0] http://validation.identrust.com/certs/trustidevcodesigning3.p7c
    
   Wrong Issuer "Certificate (1)" Time: 1 df717eaa4ad94ec9558499602d48de5fbcf03a25
     [0.1] http://validation.identrust.com/certs/trustidevcodesigning3.p7c
    
   ----------------  Certificate CDP  ----------------
   Verified "Base CRL (01d6)" Time: 0 86dd0431c1150a4b00d5ca4c500d52d3202208a5
     [0.0] http://validation.identrust.com/crl/trustidevcodesigning3.crl
    
   ----------------  Base CRL CDP  ----------------
   No URLs "None" Time: 0 (null)
   ----------------  Certificate OCSP  ----------------
   Verified "OCSP" Time: 0 fdaf3e1ecaf8a043b20a716c13a493147c08e35f
     [0.0] http://commercial.ocsp.identrust.com
    
   --------------------------------
     CRL (null):
     Issuer: CN=TrustID Code Signing CA 3 OCSP Signer, O=IdenTrust, C=US
     ThisUpdate: 4/4/2022 11:18 AM
     NextUpdate: 4/5/2022 11:18 AM
     CRL: 9747e94dcdb3b0e1a4c697064dc7bd5fbe121916
   Issuance[0] = 2.23.140.1.3
   Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing
    
 CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
   Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
   NotBefore: 8/20/2021 4:20 PM
   NotAfter: 8/20/2029 4:20 PM
   Subject: CN=TrustID EV Code Signing CA 3, O=IdenTrust, C=US
   Serial: 40017b6539031240c2d47f8e6ca4f5cc
   Cert: b82e9fd70413f7ecd4eddb368de44e75feeebe6c
   Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
   Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
   ----------------  Certificate AIA  ----------------
   Wrong Issuer "Certificate (0)" Time: 0 dac9024f54d8f6df94935fb1732638ca6ad77c13
     [0.0] http://validation.identrust.com/roots/commercialrootca1.p7c
    
   Verified "Certificate (1)" Time: 0 890ff22a017207912a75c4747623dc65a1eee8d6
     [0.1] http://validation.identrust.com/roots/commercialrootca1.p7c
    
   Verified "Certificate (2)" Time: 0 df717eaa4ad94ec9558499602d48de5fbcf03a25
     [0.2] http://validation.identrust.com/roots/commercialrootca1.p7c
    
   ----------------  Certificate CDP  ----------------
   Verified "Base CRL (7d)" Time: 0 6f30f4fbb91a9f87fb34a5c9e7f63c5fec94c763
     [0.0] http://validation.identrust.com/crl/commercialrootca1.crl
    
   ----------------  Base CRL CDP  ----------------
   No URLs "None" Time: 0 (null)
   ----------------  Certificate OCSP  ----------------
   Verified "OCSP" Time: 0 5dc3c7353a9421ec93122e50796d3ee0b8b5f728
     [0.0] http://commercial.ocsp.identrust.com
    
   --------------------------------
     CRL 7d:
     Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
     ThisUpdate: 3/30/2022 2:26 PM
     NextUpdate: 4/29/2022 2:26 PM
     CRL: 6f30f4fbb91a9f87fb34a5c9e7f63c5fec94c763
   Issuance[0] = 2.23.140.1.3
   Issuance[1] = 2.16.840.1.113839.0.6.14.1
   Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing
    
 CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
   Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
   NotBefore: 1/16/2014 2:12 PM
   NotAfter: 1/16/2034 2:12 PM
   Subject: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
   Serial: 0a0142800000014523c844b500000002
   Cert: df717eaa4ad94ec9558499602d48de5fbcf03a25
   Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
   Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
   Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
   ----------------  Certificate AIA  ----------------
   No URLs "None" Time: 0 (null)
   ----------------  Certificate CDP  ----------------
   No URLs "None" Time: 0 (null)
   ----------------  Certificate OCSP  ----------------
   No URLs "None" Time: 0 (null)
   --------------------------------
   Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
   Application[1] = 1.3.6.1.5.5.7.3.3 Code Signing
   Application[2] = 1.3.6.1.4.1.311.10.3.12 Document Signing
   Application[3] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
   Application[4] = 1.3.6.1.5.5.7.3.4 Secure Email
   Application[5] = 1.3.6.1.5.5.7.3.1 Server Authentication
   Application[6] = 1.3.6.1.5.5.7.3.8 Time Stamping
   EV[0] = 2.16.840.1.113839.0.6.9
   EV[1] = 2.23.140.1.1
   EV[2] = 2.16.840.1.113839.0.6.14.1
   EV[3] = 2.23.140.1.3
    
 Exclude leaf cert:
   Chain: 0e1c2395120fa71dff627115edbdf07c74ee229e
 Full chain:
   Chain: 4c7f915ca5374fab4d8c036365db836600821881
 EV Cert
 ------------------------------------
 Verified Issuance Policies:
     2.23.140.1.3
 Verified Application Policies:
     1.3.6.1.5.5.7.3.3 Code Signing
 Verified Extended Validation (EV) Policies:
     2.23.140.1.3
 Extended Validation Certificate
 Cert is an End Entity certificate
 Leaf certificate revocation check passed

We have had a request from Gary Reynolds to post a PEM version of the certificate. I cannot see his comments here, but on his page I see that he commented and there is 1 answer, but it does not show here. Can someone explain this?


I deleted my comment as I was able to get a sample cert from the IdenTrust website and reproduce the error. I assume that someone else added a comment and deleted it as well, unless the system counts my deletion as an answer.

As for your issue, sorry, I ran out of steam last night tracking back through the various AIAs and CRLs to understand the wrong issuer error. Did IdenTrust provide any details on what Microsoft had implemented incorrectly? I'm assuming that they have escalated this to Microsoft!

Gary.


IdenTrust says, "Your certificate is failing because it is checking against Microsoft’s root store, which does not have the updated EV code signing root in it. We are still waiting and trying to get an update about when that will get added so they will test/function properly in Microsoft’s systems". We've been unable to publish without receiving browser warnings and SmartScreen warnings since they re-issued our cert due to some "root issue" where they were forced to re-issue ALL EV Code Signing Certificates in 5 days. We had no warning and have been trying to figure this out for almost 2 months!!


1 Answer

Answered by LimitlessTechnology-2700

Hello @RichardZarr-7482

If IdenTrust is part of Microsoft's root certificate list, it should get updated by the system.

You can check the current list with:

 Get-ChildItem Cert:\LocalMachine\Root | Format-List

The update operation is regulated through the policy:

Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings: Turn off Automatic Root Certificates Update (set to "Disabled" to allow updates).

You can also check the latest Root Certificate list from Microsoft by running:

 certutil.exe -generateSSTFromWU C:\PS\roots.sst

(this will generate an SST file, which will contain all the current certificates to be updated)

Then you can sync all the certificates from the .SST file using the next script:

 # Read the SST generated above (same path as the certutil command) and import every certificate it contains
 $sstStore = Get-ChildItem -Path C:\PS\roots.sst
 $sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

If IdenTrust does not appear in the SST file, that means that Microsoft has not included that authority as trusted, and IdenTrust should get in touch with Microsoft to be included.

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--
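The checks the answer describes, as an added example that is not part of the original answer or of any IdenTrust or Microsoft tooling: it tests whether the root that anchors the chain in the question is installed in the local machine Root store and whether it is in Microsoft's current root list downloaded with `certutil -generateSSTFromWU`, without importing anything, and then builds the chain for an Authenticode-signed file with the same code-signing EKU and exclude-root revocation settings the certutil dump shows. The root thumbprint is the `IdenTrust Commercial Root CA 1` value printed in the question's output; the SST download path under `$env:TEMP` and the signed file path at the end are assumptions.

```powershell
# Added example, not from the original answer. Windows PowerShell 5.1 or later.

# Thumbprint of "IdenTrust Commercial Root CA 1" as printed in the certutil dump in the question.
$RootThumbprint = 'DF717EAA4AD94EC9558499602D48DE5FBCF03A25'
# Assumed scratch path for the SST download.
$SstPath = Join-Path $env:TEMP 'roots.sst'

function Test-LocalRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Cert: provider thumbprints are upper-case hex with no separators.
    $match = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
    return [bool]$match
}

function Get-WindowsUpdateRoots {
    param([Parameter(Mandatory)][string]$Path)
    # Same download the answer uses; the SST is only read here, nothing is imported into a store.
    & certutil.exe -generateSSTFromWU $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -generateSSTFromWU failed (exit $LASTEXITCODE)" }
    $roots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $roots.Import($Path)    # .NET on Windows reads serialized-store (.sst) files directly
    return $roots
}

function Test-RootTrust {
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string]$SstPath)
    $local  = Test-LocalRoot -Thumbprint $Thumbprint
    $wu     = Get-WindowsUpdateRoots -Path $SstPath
    $inList = [bool]($wu | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() })
    # Separate "Microsoft has not published this root" from "this machine has not picked it up yet".
    $verdict = if (-not $inList) { 'Not in the Microsoft root list: the CA has to resolve this with Microsoft' }
               elseif (-not $local) { 'In the Microsoft list but not installed here: check the automatic root update policy' }
               else { 'Root is trusted locally; look further down the chain' }
    [pscustomobject]@{
        Thumbprint       = $Thumbprint
        InLocalRootStore = $local
        InMicrosoftList  = $inList
        Verdict          = $verdict
    }
}

function Test-SignerChain {
    # Builds the chain for the Authenticode signer of $FilePath and lists per-element status,
    # mirroring certutil's code-signing application policy and exclude-root revocation flag.
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $FilePath" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigning) | Out-Null
    $built = $chain.Build($sig.SignerCertificate)
    $elements = foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Thumbprint = $el.Certificate.Thumbprint
            Status     = if ($status) { $status } else { 'NoError' }
        }
    }
    [pscustomobject]@{ ChainBuilt = $built; SignatureStatus = $sig.Status; Elements = $elements }
}

Test-RootTrust -Thumbprint $RootThumbprint -SstPath $SstPath | Format-List
# Hypothetical signed file path; replace with a binary signed by the certificate in question.
# Test-SignerChain -FilePath 'C:\path\to\signed.exe' | Format-List
```

`Test-RootTrust` answers the question the answer poses (is the root in Microsoft's list at all, or merely not yet on this machine) without writing to the Root store, so it can be run on a production host; `Test-SignerChain` then shows where in the chain the failure sits, which is the part a root-store check alone cannot tell you.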
