May 2019 Deployment Notice (1/May) - Microsoft Trusted Root Program

On Tuesday, May 28th, 2019, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.

This release will modify the EV OID for the following roots (Root Certificate \ SHA-1 Thumbprint):

  1. Hongkong Post Root CA 3 \ 58A2D0EC2052815BC1F3F86402244EC28E024B02
  2. IdenTrust Commercial Root CA 1 \ DF717EAA4AD94EC9558499602D48DE5FBCF03A25

This release will NotBefore the server authentication EKU in the following roots, per the Windows Security Blog:

  1. VeriSign Universal Root Certification Authority \ 3679CA35668772304D30A5FB873B0FA77BB70D54
  2. thawte Primary Root CA-G3 \ F18B538D1BE903B6A6F056435B171589CAF36BF2
  3. GeoTrust Primary Certification Authority-G3 \ 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
  4. GeoTrust \ 323C118E1BF7B8B65254E2E2100DD6029037F096
  5. thawte \ 91C6D6EE3E8AC86384E548C299295C756C817B81
  6. VeriSign \ 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
  7. VeriSign \ 132D0D45534B6997CDB2D5C339E25576609B5CC6

Note

  • Windows 10 allows us to stop trusting roots or EKU's using the "NotBefore" or "Disable" properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.
  • The NotBefore and Disable dates are set for the first day of the release month. This means that all certificates issued after May 1st will be affected.
  • The update package will be available for download and testing at: https://aka.ms/CTLDownload