Connect with us

Hi, what are you looking for?


Security Architecture

Microsoft Removes Trust in Root Certificates From CAs

Microsoft on Thursday announced that it plans on removing trust on root certificates issued by 11 Certificate Authorities (CAs) in January 2016.

Microsoft on Thursday announced that it plans on removing trust on root certificates issued by 11 Certificate Authorities (CAs) in January 2016.

The tech giant explains in a recent blog post that the revoked trust is a consequence of a series of changes to its Trusted Root Certificate Program, which includes more stringent technical and auditing requirements. The company also said that some of the CAs decided to voluntarily leave the program, while others are out of compliance, which results in their root certificates being removed from the Trusted Root CA Store.

The list of CAs to be removed next month includes Certigna, Ceska Posta, CyberTrust, DanID, E-Certchile, e-Tugra, LuxTrust, Nova Ljubljanska, Post.Trust, Secom, and Wells Fargo. A total of 20 certificates will be removed from the Trusted Root CA Store, in an attempt to make the Internet and applications running on users’ devices more trustworthy.

The idea behind the Microsoft Trusted Root Certificate Program was to ensure that devices can determine which programs, apps and websites are trusted by Microsoft. The company explains that this effort usually takes place in the background, meaning no specific user action is required.

The changes made to the program this year were aimed at providing better protection against evolving threats affecting websites and the apps ecosystem. The removal of the said root certificates is one step in this direction, and is expected to impact only a small number of customers, namely those who own certificates issued by one of the aforementioned 11 CAs.

Owners of digital certificates currently trusted by Microsoft are encouraged to have a close look at the list to take action where necessary. Provided that the services these customers manage depend on one of the certificates that Microsoft is about to remove, services are expected to be impacted, the company notes.

If one of these certificates is used to secure connections to a server over https, users will receive a message that there is an issue with the security certificate when trying to navigate to the website. If the certificate is used to sign software, Windows will inform users that the publisher may not be trusted when trying to install the software. Users will be provided with the option to continue in both cases.

Advertisement. Scroll to continue reading.

“We strongly encourage all owners of digital certificates currently trusted by Microsoft to review the below list and investigate whether their certificates are associated with any of the roots we will be removing as part of the update. If you use a certificate that was issued by one of these companies, we strongly recommend that you obtain a replacement certificate from another program provider,” the tech company notes.

The complete list of providers is available on Microsoft’s TechNet website. The root of digital certificates can be easily determined directly from the browser, after navigating to the desired webpage.

On Microsoft Edge, users should click the Lock icon in the web address field and can view the company that owns the root under “Website Identification.” In Internet Explorer, users should click the Lock icon > View Certificates > Certification Path, which displays the certificate name at the top. In Chrome, users can click Lock icon > Connection > Certificate Information > Certification Path, while in Firefox they should go to Lock icon > More Information > View Certificate > Click Details.

Last month, a piece of malicious adware dubbed “Vonteera” was found to be tricking the operating system into adding digital certificates from security companies to an untrusted list. Also in November, it was discovered that computer maker Dell had preloaded devices with a self-signed root certificate which was deemed to pose serious security and privacy risks.

Last week, Google announced that it would remove a Symantec root certificate from Chrome, Android and other products over the coming weeks in an effort to protect its customers, after Simantec announced on Dec. 1 that it had discontinued the VeriSign G1 root certificate, used to issue public code signing and TLS/SSL certificates.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.

Artificial Intelligence

Microsoft and Mitre release Arsenal plugin to help cybersecurity professionals emulate attacks on machine learning (ML) systems.

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption