August 2025 Microsoft Trusted Root Program deployment notice

On Thursday, August 27, 2025, Microsoft released an update to the Microsoft Trusted Root Certificate Program. The NotBefore date is set to September 15, 2025. This means only certificates issued after this date will be distrusted.

This release will fully NotBefore the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• Certicámara \ AC Raíz Certicámara S.A. \ 5463283B6793FF55277CEDE39098E80422F912F7
• Echoworx \ Echoworx Root CA2 \ CB658264EA8CDA186E1752FB52C397367EA387BE
• e-tugra \ E-Tugra Global Root CA RSA v3 \ E9A85D2214521C5BAA0AB4BE246A238AC9BAE2A9
• e-tugra \ E-Tugra Global Root CA ECC v3 \ 8A2FAF5753B1B0E6A104EC5B6A69716DF61CE284
• Government of Korea, KLID \ GPKIRootCA1 \ 7612ED9E49B365B4DAD3120C01E603748DAE8CF0
• HARICA \ Hellenic Academic and Research Institutions RootCA 2015 \ 010C0695A6981914FFBF5FC6B0B695EA29E912A6
• HARICA \ Hellenic Academic and Research Institutions RootCA 2011 \ FE45659B79035B98A161B5512EACDA580948224D
• HARICA \ Hellenic Academic and Research Institutions ECC RootCA 2015 \ 9FF1718D92D59AF37D7497B4BC6F84680BBAB666
• NISZ Nemzeti Infokommunikációs Szolgáltató Zrt. \ Főtanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató \ FFB7E08F66E1D0C2582F0245C4970292A46E8803

This release will NotBefore Code Signing on the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• GoDaddy \ Go Daddy Root Certificate Authority - G2 \ 47BEABC922EAE80E78783462A79F45C254FDE68B
• GoDaddy \ Starfield Root Certificate Authority - G2 \ B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E
• GoDaddy \ godaddy_GD-Class2-root \ 2796BAE63F1801E277261BA0D77770028F20EEE4
• GoDaddy \ godaddy_SF-Class2-root \ AD7E1C28B064EF8F6003402014C3D0E3370EB58A
• SecureTrust \ SecureTrust CA \ 8782C6C304353BCFD29692D2593E7D44D934FF11
• SecureTrust \ Trustwave Global Certification Authority \ 2F8F364FE1589744215987A52A9AD06995267FB5
• SecureTrust \ Trustwave Global ECC P256 Certification Authority \ B49082DD450CBE8B5BB166D3E2A40826CDED42CF
• SecureTrust \ Trustwave Global ECC P384 Certification Authority \ E7F3A3C8CF6FC3042E6D0E6732C59E68950D5ED2

This release will NotBefore SMIME for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• Buypass \ Buypass Class 3 Root CA \ DAFAF7FA6684EC068F1450BDC7C281A5BCA96457
• Buypass \ Buypass Class 2 Root CA \ 490A7574DE870A47FE58EEF6C76BEBC60B124099
• certSIGN \ certSIGN_root \ FAB7EE36972662FB2DB02AF6BF03FDE87C4B2F9B
• certSIGN \ CERTSIGNSA_certSIGNROOTCAG226F9 \ 26F993B4ED3D2827B0B94BA7E9151DA38D92E532
• Deutsche Telekom Security GmbH \ T-TeleSec GlobalRoot Class 3 \ 55A6723ECBF2ECCDC3237470199D2ABE11E381D1
• D-TRUST \ D-TRUST Root Class 3 CA 2 2009 \ 58E8ABB0361533FB80F79B1B6D29D3FF8D5F00F0
• D-TRUST \ Root Class 3 CA 2 EV 2009 \ 96C91B0B95B4109842FAD0D82279FE60FAB91683
• EDICOM \ CAEDICOM Root \ 559BBA7B0FFE80D6D3829B1FD07AA4D322194790
• Government of Finland, Population Register Centre’s (Väestörekisterikeskus, VRK) \ VRK Gov. Root CA - G2 \ F435F85F0108DA684E7BFD517C90C627BB9A6CF5
• Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) \ ACCVRAIZ1 \ 93057A8815C64FCE882FFA9116522878BC536417
• LAWtrust \ LAWtrust Root Certification Authority 2048 \ 335A7FF00927CF2DF278E2C9192F7A4D5534F80C
• Macao Post and Telecommunications Bureau \ eSignTrust Root Certification Authority (G03) \ 9D319381546EA6A12811E09CF90A20C840BE944D
• MULTICERT \ MULTICERT Root Certification Authority 01 \ 46AF7A31B599460D469D6041145B13651DF9170A
• SECOM Trust Systems CO., LTD. \ Security Communication RootCA3 \ C303C8227492E561A29C5F79912B1E441391303A
• SECOM Trust Systems CO., LTD. \ Security Communication ECC RootCA1 \ B80E26A9BFD2B23BC0EF46C9BAC7BBF61D0D4141
• SSL.com \ EV Root Certification Authority ECC \ 4CDD51A3D1F5203214B0C6C532230391C746426D
• SSL.com \ EV Root Certification Authority RSA R2 \ 743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A
• První certifikační autorita, a.s. \ I.CA Root CA/RSA \ 9B0959898154081BF6A90E9B9E58A4690C9BA104

This release will NotBefore TimeStamping for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• D-TRUST \ D-TRUST Root Class 3 CA 2 2009 \ 58E8ABB0361533FB80F79B1B6D29D3FF8D5F00F0
• D-TRUST \ D-TRUST Root Class 3 CA 2 EV 2009 \ 96C91B0B95B4109842FAD0D82279FE60FAB91683
• SECOM Trust Systems CO., LTD. \ Security Communication ECC RootCA1 \ B80E26A9BFD2B23BC0EF46C9BAC7BBF61D0D4141

This release will NotBefore Server Authentication for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• MULTICERT \ MULTICERT Root Certification Authority 01 \ 46AF7A31B599460D469D6041145B13651DF9170A
• SECOM Trust Systems CO., LTD. \ Security Communication RootCA3 \ C303C8227492E561A29C5F79912B1E441391303A
• První certifikační autorita, a.s. \ I.CA Root CA/RSA \ 9B0959898154081BF6A90E9B9E58A4690C9BA104

This release will NotBefore IP Tunnel for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• Buypass \ Buypass Class 2 Root CA \ 490A7574DE870A47FE58EEF6C76BEBC60B124099

This release will NotBefore Client Authentication for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• První certifikační autorita, a.s. \ I.CA Root CA/RSA \ 9B0959898154081BF6A90E9B9E58A4690C9BA104

This release will NotBefore Document Signing for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• SECOM Trust Systems CO., LTD. \ Security Communication ECC RootCA1 \ B80E26A9BFD2B23BC0EF46C9BAC7BBF61D0D4141
• První certifikační autorita, a.s. \ I.CA Root CA/RSA \ 9B0959898154081BF6A90E9B9E58A4690C9BA104

This release will NotBefore IP User for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• Buypass \ Buypass Class 2 Root CA \ 490A7574DE870A47FE58EEF6C76BEBC60B124099

This release will NotBefore Encrypting File System for the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• Buypass \ Buypass Class 2 Root CA \ 490A7574DE870A47FE58EEF6C76BEBC60B124099

This release will Disable the following roots (CA \ Root Certificate \ SHA-1 Thumbprint):

• AC Camerfirma, S.A. \ Global Chambersign Root \ 339B6B1450249B557A01877284D9E02FC3D2D8E9
• Carillon Information Security Inc. \ CISRCA1 \ A69E0336C4E59023FF653C71F928EB73F21C00F0
• Cisco \ Cisco RXC-R2 \ 2C8AFFCE966430BA04C04F81DD4B49C71B5B81A0
• Cisco \ Cisco Root CA 2048 \ DE990CED99E0431F60EDC3937E7CD5BF0ED9E5FA
• Collegio de Registradores Mercantile (Spanish Property & Commerce Registry) \ Registradores de España - CA Raíz \ 211165CA379FBB5ED801E31C430A62AAC109BCB4
• Digidentity B.V. \ Digidentity Services Root CA \ 7B3FB277EE311C1ED560CAB96E4FED775E6A3EED
• Government of Lithuania, Registru Centras \ RCSC RootCA \ FDE7C6FDB32BB8E63939840D6AE052C3D8B73B87
• Government of Portugal, Sistema de Certificação Electrónica do Estado (SCEE) / Electronic Certification System of the State \ ECRaizEstado \ 3913853E45C439A2DA718CDFB6F3E033E04FEE71
• Government of South Africa, Post Office Trust Centre \ SAPO Class 2 Root CA \ E45501608AA1EF89E27B8CD3C3B34C03B038E6D7
• Government of South Africa, Post Office Trust Centre \ SAPO Class 3 Root CA \ 38DD7659C735100B00A237E491B7BC0FFCD2316C
• Government of South Africa, Post Office Trust Centre \ SAPO Class 4 Root CA \ 20A8F5FFC43AF4A9BC89881EBF9920FF91E9FD0A
• Government of Spain, Dirección General de la Policía – Ministerio del Interior – España. \ AC RAIZ DNIE \ B38FECEC0B148AA686C3D00F01ECC8848E8085EB
• Government of Taiwan, Government Root Certification Authority (GRCA) \ grca_grca2 \ B091AA913847F313D727BCEFC8179F086F3A8C0F
• Government of Taiwan, Government Root Certification Authority (GRCA) \ grca_grca \ F48B11BFDEABBE94542071E641DE6BBE882B40B9
• Government of Tunisia, Agence National de Certification Electronique / National Digital Certification Agency (ANCE/NDCA) \ Tunisian Root Certificate Authority - TunRootCA2 \ 9638633C9056AE8814A065D23BDC60A0EE702FA7
• Government of Uruguay, Agency for E-Government and Information Society (AGESIC) \ Autoridad Certificadora Raíz Nacional de Uruguay \ 7A1CDDE3D2197E7137433D3F99C0B369F706C749
• • Government of India, Ministry of Communications & Information Technology, Controller of Certifying Authorities (CCA)\ CCA India 2014 \ A2B86B5A68D92819D9CE5DD6D7969A4968E11991
• Government of India, Ministry of Communications & Information Technology, Controller of Certifying Authorities (CCA) \ CCA India 2015 SPL \ \ 3BC6DCE00307BD676041EBD85970C62F8FDA5109
• Government of Spain, Ministerio de Trabajo e Inmigración (MTIN) \ AC1 RAIZ MTIN \6AD23B9DC48E375F859AD9CAB585325C23894071
• Government of Brazil, Instituto Nacional de Tecnologia da Informação (ITI) \ Autoridade Certificadora Raiz Brasileira v2 \A9822E6C6933C63C148C2DCAA44A5CF1AAD2C42E
• Government of Brazil, Instituto Nacional de Tecnologia da Informação (ITI) \ Autoridade Certificadora Raiz Brasileira v1 \705D2B4565C7047A540694A79AF7ABB842BDC161
• Government of Finland, Population Register Centre’s (Väestörekisterikeskus, VRK) \ VRK Gov. Root CA \FAA7D9FB31B746F200A85E65797613D816E063B5
• Inera AB (SITHS) \ SITHS Root CA v1 \ 585F7875BEE7433EB079EAAB7D05BB0F7AF2BCCC
• Korea Information Security Agency (KISA) \ KISA RootCA 1 \ 027268293E5F5D17AAA4B3C3E6361E1F92575EAA
• LuxTrust \ LuxTrust Global Root 2 \ 1E0E56190AD18B2598B20444FF668A0417995F3F
• Network Solutions \ Network Solutions Certificate Authority \ 71899A67BF33AF31BEFDC071F8F733B183856332
• Network Solutions \ Network Solutions RSA Certificate Authority \ 8E928C0FC27BB7ABA34E6BC0CA1250CB57B60F84
• Network Solutions \ Network Solutions ECC Certificate Authority \ 80F95B741C38399495C34F20C23E7336314D3C6B
• Post of Serbia \ Posta CA Root \ D6BF7994F42BE5FA29DA0BD7587B591F47A44F22
• SECOM Trust Systems CO., LTD. \ secom_secom \36B12B49F9819ED74C9EBC380FC6568F5DACB2F7
• SK ID Solutions AS \ EE Certification Centre Root CA \ C9A8B9E755805E58E35377A725EBAFC37B27CCD7
• SwissSign AG \ SwissSign Platinum CA - G2 \ 56E0FAC03B8F18235518E5D311CAE8C24331AB66
• Telekom Applied Business Malaysia (TMCA) \ TM Applied Business Root Certificate \ 9957C53FC59FB8E739F7A4B7A70E9B8E659F208C
• TrustCor Systems \ TrustCor RootCert CA-1 \ FFBDCDE782C8435E3C6F26865CCAA83A455BC30A
• TrustCor Systems \ TrustCor RootCert CA-2 \ B8BE6DCB56F155B963D412CA4E0634C794B21CC0
• TrustCor Systems \ TrustCor ECA-1 \ 58D1DF9595676B63C0F05B1C174D8B840BC878BD
• TrustFactory(Pty)Ltd \ TrustFactory SSL Root Certificate Authority \ D11478E8E5FB62540593D22C51570D014EAC76D8
• PostSignum \ PostSignum Root QCA 2 \A0F8DB3F0BF417693B282EB74A6AD86DF9D448A3

This release will Remove the following roots (CA \ Root Certificate \ SHA-256 Thumbprint):

• Autoridad de Certificación (ANF AC) \ ANF Global Root CA \5BB59920D11B391479463ADD5100DB1D52F43AD4
• DigiCert \ Symantec Class 1 Public Primary Certification Authority - G4 \84F2E3DD83133EA91D19527F02D729BFC15FE667
• DigiCert \ Symantec Class 2 Public Primary Certification Authority - G4 \6724902E4801B02296401046B4B1672CA975FD2B
• DigiCert \ GeoTrust Universal CA \E621F3354379059A4B68309D8A2F74221587EC79
• Image-X Enterprises Inc \ esignit.org \9F8DE799CF8764ED2466990564041B194919EDE8
• Skaitmeninio sertifikavimo centras (SSC) \ SSC GDL CA VS Root \D2695E12F592E9C8EE2A4CB8D55E295FEE6B2D31
• Trustis \ Trustis_FPSRootCA \3BC0380B33C3F6A60C86152293D9DFF54B81C004

Certificate Transparency Log Monitor (CTLM) policy
The Certificate Transparency Log Monitor (CTLM) policy is now included in the monthly Windows CTL. It's a list of publicly trusted logging servers that is for validating certificate transparency on Windows. The list of logging servers is expected to change over time as they're retired or replaced, and this list reflects the CT logging servers that Microsoft trusts. In the upcoming Windows release, users are able to opt in to certificate transparency validation, which will check for the presence of two Signed Certificate Timestamps (SCTs) from different logging servers in the CTLM. This functionality is currently being tested with event logging only to ensure it's reliable before individual applications can opt in to enforcement.