Starting on January 2016, Microsoft’s Trusted Root Certificate Program will no longer include twenty currently trusted CAs and will remove their root certificates removed from the Trusted Root CA Store.
The list looks like this (click on the screenshot to enlarge it):
“This past spring, we began engaging with Certificate Authorities (CA) to solicit feedback and talk about upcoming changes to our Trusted Root Certificate Program. Among other things, the changes included more stringent technical and auditing requirements,” Microsoft enterprise and security group program manager Aaron Kornblum explained.
The company has been working with CAs to helpt them adjust to the new program prerequisites, but the CAs on the aforementioned list either would not or could not comply with the new requirements.
What does this mean for customers who got their certificates from those CAs?
“If you use one of these certificates to secure connections to your server over https, when a customer attempts to navigate to your site, that customer will see a message that there is a problem with the security certificate,” says Kornblum.
“If you use one of these certificates to sign software, when a customer attempts to install that software on a Windows operating system, Windows will display a warning that the publisher may not be trusted. In either case, the customer may choose to continue.”
Microsoft advises these customers to get a replacement certificate from another CA (one that will still be trusted).