Microsoft to remove WoSign and StartCom certificates in Windows 10

By Microsoft Defender Security Research Team

August 8, 2017

Vulnerabilities and exploits

Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations.

Thus, Microsoft will begin the natural deprecation of WoSign and StartCom certificates by setting a “NotBefore” date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017.

Microsoft values the global Certificate Authority community and only makes these decisions after careful consideration as to what is best for the security of our users.

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.