October 2019 Deployment Notice (11/October) - Microsoft Trusted Root Program

  • Article

On Tuesday, November 5th, 2019, Microsoft will release an update to the Microsoft Trusted Root Certificate Program.

This release will NotBefore the following root (Root Certificate \ SHA-1 Thumbprint):

  1. GPKI ApplicationCA2 Root \ F00FC37D6A1C9261FB6BC1C218498C5AA4DC51FB

This release will NotBefore the OCSP EKU in the following roots:

  1. Certigna \ B12E13634586A46F1AB2606837582DC4ACFD9497
  2. CFCA EV ROOT \ E2B8294B5584AB6B58C290466CAC3FB8398F8483
  3. China Financial CA \ EABDA240440ABBD694930A01D09764C6C2D77966
  4. PostSignum Root QCA 4 \ AA40D2579BA82424CD27719B1D6B1F3571738099
  5. Entrust Root Certification Authority - G4 \ 14884E862637B026AF59625C4077EC3529BA9601
  6. Google Trust Services - GlobalSign Root CA-R2 \ 75E0ABB6138512271C04F85FDDDE38E4B7242EFE
  7. GlobalSign Root CA - R1 \ B1BC968BD4F49D622AA89A81F2150152A41D829C
  8. GlobalSign Root CA - R6 \ 8094640EB5A7A1CA119C1FDDD59F810263A7FBD1
  9. Austrian Society for Data Protection GLOBALTRUST Certification Service \ 342CD9D3062DA48C346965297F081EBC2EF68FDC
  10. Netrust CA1 \ 55C86F7414AC8BDD6814F4D86AF15F3710E104D0
  11. SECOM Trust Systems CO LTD \ 36B12B49F9819ED74C9EBC380FC6568F5DACB2F7
  12. Trustwave \ B80186D1EB9C86A54104CF3054F34C52B7E558C6
  13. T-TeleSec Global Root Class 3 \ 55A6723ECBF2ECCDC3237470199D2ABE11E381D1
  14. ZETES TSP ROOT CA 001 \ 3753D295FC6d8BC39B375650BFFC821AED504E1A
  15. Hongkong Post Root CA 1 \ D6DAA8208D09D2154D24B52FCB346EB258B28A58
  16. Hongkong Post Root CA 3 \ 58A2D0EC2052815BC1F3F86402244EC28E024B02
  17. Izenpe.com \ 30779E9315022E94856A3FF8BCF815B082F9AEFD

This release will NotBefore the code signing EKU in the following roots:

  1. TW Government Root Certification Authority \ F48B11BFDEABBE94542071E641DE6BBE882B40B9
  2. TW Government Root Certification Authority 2 \ B091AA913847F313D727BCEFC8179F086F3A8C0F
  3. SwissSign Platinum G2 Root CA \ 56E0FAC03B8F18235518E5D311CAE8C24331AB66
  4. OISTE WISeKey Global Root GC CA \ E011845E34DEBE8881B99CF61626D1961FC3B931
  5. OISTE WISeKey Global Root GB CA \ 0FF9407618D3D76A4B98F0A8359E0CFD27ACCCED
  6. OISTE WISeKey Global Root GA CA \ 5922A1E15AEA163521F898396A4646B0441B0FA9
  7. LuxTrust Global Root 2 \ 1E0E56190AD18B2598B20444FF668A0417995F3F
  8. CCVRAIZ1 \ 93057A8815C64FCE882FFA9116522878BC536417

This release will NotBefore the server authentication EKU in the following roots:

  1. Chambers of Commerce Root \ 6E3A55A4190C195C93843CC0DB722E313061F0B1
  2. Chambersign Global Root \ 339B6B1450249B557A01877284D9E02FC3D2D8E9

This release will add the following roots:

  1. A-Trust-Root-07 \ 1B1815AF925D140EFC5AF9A1AA55EEBB4FFBC561
  2. AC RAIZ FNMT-RCM SERVIDORES SEGUROS \ 62FFD99EC0650D03CE7593D2ED3F2D32C9E3E54A

Note

  • Windows 10 allows us to stop trusting roots or EKU's using the "NotBefore" or "Disable" properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.
  • The NotBefore and Disable dates are set for the first day of the release month. This means that all certificates issued after May 1st will be affected.
  • The update package will be available for download and testing at: https://aka.ms/CTLDownload