Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
On Tuesday, May 27, 2025, Microsoft released an update to the Microsoft Trusted Root Certificate Program.
This release will add the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):
- Secom // SECOM SMIME RSA Root CA 2024 // 90a5e1bdc53f6908c2e3739fe755e37f75f38447
- Secom // SECOM TLS ECC Root CA 2024 // 7a1f222d72b2c3198744db6169e8a64bd70d440e
- Secom // SECOM TLS RSA Root CA 2024 // fb97967cef8d986306c03bb611f8e01397a298d3
- Government of Japan, Digital Agency// Japanese Government Root CA // 4dcf7d1b9b2608ed2c96b66b29610fcee76ac7f4
This release will add Timestamping to the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):
- Secom // SECOM Document Signing RSA Root CA 2023 // FDD93B294972BA743A0C2E6ABCFA10050652A047
This release will add EV CodeSign following roots (CA \ Root Certificate \ SHA-1 Thumbprint):
- GlobalSign // GlobalSign Code Signing Root E45 // 79AA505EDD09B321E36D57910A5DF5A9FB85CC57
Certificate Transparency Log Monitor (CTLM) policy
The Certificate Transparency Log Monitor (CTLM) policy is now included in the monthly Windows CTL. It's a list of publicly trusted logging servers that is for validating certificate transparency on Windows. The list of logging servers is expected to change over time as they're retired or replaced, and this list reflects the CT logging servers that Microsoft trusts. In the upcoming Windows release, users are able to opt in to certificate transparency validation, which checks for the presence of two Signed Certificate Timestamps (SCTs) from different logging servers in the CTLM. This functionality is currently being tested with event logging only to ensure it's reliable before individual applications can opt in to enforcement.
Note
- As part of this release, Microsoft also updated the Untrusted CTL time stamp and sequence number. No changes were made to the contents of the Untrusted CTL but this update causes your system to download/refresh the Untrusted CTL. This update is normal and sometimes occurs when the Trusted Root CTL is updated.
- The update package is available for download and testing at: https://aka.ms/CTLDownload
- Signatures on the Certificate Trust Lists (CTLs) for the Microsoft Trusted Root Program changed from dual-signed (SHA-1/SHA-2) to SHA-2 only. No customer action required. For more information, please visit: https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus