May 2010 Root Update - new CAs and new root certificates - TechNet Articles - United States (English)

Updated November 1, 2010 (this post documents an earlier root update completed in May).

Return to Root CA Members Page

Microsoft welcomes two new certification authorities (CAs) to the Windows Root Certificate Program this month. We have also added a number of new root certificates from existing CAs.

NEW CAs Microsoft welcomes the following two new CAs to the Program -

AffirmTrust is a CA issuing primarily to members of the public located in the U.S.

Česká pošta, or the Czech Post, also known as PostSignum, is a CA operated by the government of the Czech Republic issuing primarily to members of the public located in the Czech Republic.

CA Name	Country	Type	CA Root Name	CA Root Size	Signature Hash	CA Root Expires	Thumbprint (click to download certificate from Windows Update)
AffirmTrust	USA	NEW/EV	AffirmTrust Commercial	2048	SHA-256	Tuesday, ‎December ‎31, ‎2030 7:06:06 AM	f9 b5 b6 32 45 5f 9c be ec 57 5f 80 dc e9 6e 2c c7 b2 78 b7
AffirmTrust	USA	NEW/EV	AffirmTrust Networking	2048	SHA-1	‎Tuesday, ‎December ‎31, ‎2030 7:08:24 AM	29 36 21 02 8b 20 ed 02 f5 66 c5 32 d1 d6 ed 90 9f 45 00 2f
AffirmTrust	USA	NEW/EV	AffirmTrust Premium	4096	SHA-384	‎Monday, ‎December ‎31, ‎2040 7:10:36 AM	d8 a6 33 2c e0 03 6f b1 85 f6 63 4f 7d 6a 06 65 26 32 28 27
Česká pošta (Czech Post, PostSignum)	Czech Republic	NEW	PostSignum Root QCA 2	2048	SHA-256	‎Sunday, ‎January ‎19, ‎2025 1:04:31 AM	a0 f8 db 3f 0b f4 17 69 3b 28 2e b7 4a 6a d8 6d f9 d4 48 a3

NEW ROOT CERTIFICATES AND CERTIFICATE ATTRIBUTES Microsoft also adds fifteen new root certificates for existing member CAs. The root certificates for GlobalSign, TC TrustCenter and Unizeto Certum are enabled to support the issuance of Extended Validation (EV) SSL certificates.

Name	Country	Type	CA Root Name	CA Root Size	Signature Hash	CA Root Expires	Thumbprint (click to download certificate from Windows Update)
Colegio de Registradores Mercantile (Spanish Property & Commerce Registry)	Spain		Registradores de España - CA Raíz	4096	SHA-1	‎Thursday, ‎January ‎09, ‎2031 10:00:39 AM	‎21 11 65 ca 37 9f bb 5e d8 01 e3 1c 43 0a 62 aa c1 09 bc b4
GlobalSign	USA	EV	GlobalSign Root CA R3	2048	SHA-256	‎Sunday, ‎March ‎18, ‎2029 3:00:00 AM	d6 9b 56 11 48 f0 1c 77 c5 45 78 c1 09 26 df 5b 85 69 76 ad
GoDaddy	USA		Go Daddy Root Certificate Authority – G2	2048	SHA-256	‎Thursday, ‎December ‎31, ‎2037 4:59:59 PM	‎‎‎‎47 be ab c9 22 ea e8 0e 78 78 34 62 a7 9f 45 c2 54 fd e6 8b
GoDaddy	USA		Starfield Root Certificate Authority – G2	2048	SHA-256	‎Thursday, ‎December ‎31, ‎2037 4:59:59 PM	b5 1c 06 7c ee 2b 0c 3d f8 55 ab 2d 92 f4 fe 39 d4 e7 0f 0e
GoDaddy	USA		Starfield Services Root – G2	2048	SHA-256	‎Thursday, ‎December ‎31, ‎2037 4:59:59 PM	92 5a 8f 8d 2c 6d 04 e0 66 5f 59 6a ff 22 d8 63 e8 25 6f 3f
I.CA První certifikační autorita, a.s.	Czech Republic		I.CA - Standard Certification Authority	2048	SHA-256	‎Saturday, ‎August ‎31, ‎2019 5:00:00 PM	‎90 de ce 77 f8 c8 25 34 0e 62 eb d6 35 e1 be 20 cf 73 27 dd
I.CA První certifikační autorita, a.s.	Czech Republic		I.CA - Qualified Certification Authority	2048	SHA-256	‎Saturday, ‎August ‎31, ‎2019 5:00:00 PM	d2 44 1a a8 c2 03 ae ca a9 6e 50 1f 12 4d 52 b6 8f e4 c3 75
KEYNECTSIS	France		Keynectsis Root CA	2048	SHA-256	‎Monday, ‎May ‎25, ‎2020 5:00:00 PM	9c 61 5c 4d 4d 85 10 3a 53 26 c2 4d ba ea e4 a2 d2 d5 cc 97
TrustCenter (a company of Chosen Security)	Germany	EV	TC TrustCenter Universal CA III	2048	SHA-1	‎Monday, ‎December ‎31, ‎2029 4:59:59 PM	96 56 cd 7b 57 96 98 95 d0 e1 41 46 68 06 fb b8 c6 11 06 87
TeliaSonera	Finland		TeliaSonera Root CA v1	4096	SHA-1	‎Monday, ‎October ‎18, ‎2032 5:00:50 AM	43 13 bb 96 f1 d5 86 9b c1 4e 6a 92 f6 cf f6 34 69 87 82 37
Unizeto Certum	Poland	EV	Certum Trusted Network CA	2048	SHA-1	‎Monday, ‎December ‎31, ‎2029 5:07:37 AM	07 e0 32 e0 20 b7 2c 3f 19 2f 06 28 a2 59 3a 19 a7 0f 06 9e
VeriSign	USA		VeriSign Class 1 Public Primary Certification Authority (PCA1 G1 SHA1)	1024	SHA-1	‎Wednesday, ‎August ‎02, ‎2028 4:59:59 PM	ce 6a 64 a3 09 e4 2f bb d9 85 1c 45 3e 64 09 ea e8 7d 60 f1
VeriSign	USA		VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1)	1024	SHA-1	‎Wednesday, ‎August ‎02, ‎2028 4:59:59 PM	a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b
VeriSign	USA		Thawte Server CA (SHA1)	1024	SHA-1	‎Friday, ‎January ‎01, ‎2021 4:59:59 PM	9f ad 91 a6 ce 6a c6 c5 00 47 c4 4e c9 d4 a5 0d 92 d8 49 79
VeriSign	USA		Thawte Premium Server CA (SHA1)	1024	SHA-1	‎Friday, ‎January ‎01, ‎2021 4:59:59 PM	e0 ab 05 94 20 72 54 93 05 60 62 02 36 70 f7 cd 2e fc 66 66

REMOVED ROOT CERTIFICATES Microsoft has also removed from distribution the following root certificate belonging to member CA Entrust, at the CA’s own request.

Entrust

Canada

80 1d 62 d0 7b 44 9d 5c 5c 03 5c 98 ea 61 fa 44 3c 2a 58 fe

Do you see an error in any of the information above? Contact me here, and I will investigate and correct it. I cannot guarantee total accuracy of this data, but I will commit to correcting errors when they are pointed out to me.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

EXPLANATION OF TERMS

CA Name indicates the CA who currently operates the CA Root Name with the unique Thumbprint and CA Root expiration date indicated. Over time CA root certificates have changed hands, and this resource attempts to identify the current CA owner. Each Current CA owner should contain a hyperlink to the CA’s website, where you can obtain additional information about their root certificates and their certificate policies.

Country is the main country from which the CA operates.

CA Root Name is the common name applied to the root certificate, which may or may not also indicate the name of the CA.

CA Root Size is the modulus of the RSA algorithm – typically 1024-bit, 2048-bit, or 4096-bit RSA. In the future you may see reference to other algorithms such as ECC or ECDSA.

Signature Hash indicates the hash algorithm chosen by the CA for this root certificate – MD2, MD5, SHA1, or SHA2 (SHA256). The hash algorithm used to issue end-use certificates may not be the same as the hash algorithm used for the root certificate: as of January 15, 2009 for example, to Microsoft’s knowledge no CA issues MD5 end-use certificates from any MD5 root certificate distributed by the Windows Root Certificate Program.

CA Root Expires is the expiration date of the root certificate, after which the CA cannot issue any more end-use certificates from it. Root certificates are typically kept in distribution after expiration by the Program until the last of these end-use certificates expires.

Thumbprint is the hash value which uniquely identifies the root certificate in question. It can be confirmed in the actual root certificate by examining the certificate properties (Details), under the Thumbprint field. NEW Each thumbprint contains a hyperlink to the Windows Update website, where you can access the actual root certificate, download and examine its certificate properties.

Return to Root CA Members Page