April 2020 Deployment Notice for Microsoft Trusted Root Program
On Tuesday, April 28th, 2020, Microsoft will release a planned update to the Microsoft Trusted Root Certificate Program.
This release will remove the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):
- Microsoft Corporation \ Microsoft ECC Root Certificate Authority 2017 \ 7CA9013D43721551E987380B3EAE4B442DC037EA
- Microsoft Corporation \ Microsoft RSA Root Certificate Authority 2017 \ EE68C3E94AB5D55EB9395116424E25B0CADD9009
- Microsoft Corporation \ Microsoft EV ECC Root Certificate Authority 2017 \ B8095F5A89FB47A7017ED794DD4F611E27830E27
- Microsoft Corporation \ Microsoft EV RSA Root Certificate Authority 2017 \ 3AD38A39CE4E88DCDF46995E969FC339D0799858
This release will remove the NotBefore status of the following roots:
- DocuSign (OpenTrust/Keynectis)\ OpenTrust Root CA G1 \ 7991E834F7E2EEDD08950152E9552D14E958D57E
Note
- Windows 10 allows us to stop trusting roots or EKU's using the "NotBefore" or "Disable" properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.
- The NotBefore and Disable dates are set for the first day of the release month. This means that all certificates issued after April 1st will be affected.
- The update package will be available for download and testing at: https://aka.ms/CTLDownload
- Signatures on the Certificate Trust Lists (CTLs) for the Microsoft Trusted Root Program changed from dual-signed (SHA-1/SHA-2) to SHA-2 only. No customer action required. For more information, please visit: https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus