You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
New intermediate CA certificates under root certificates submitted for distribution by the Program must separate Server Authentication, S/MIME, Code Signing, and Time Stamping uses. This means that a single intermediate-issuing CA must not be used to issue server authentication, S/MIME, code signing and time stamping certificates. A separate intermediate must be used for each use case.
Rollover root certificates, or certificates which are intended to replace previously enrolled but expired certificates, will not be accepted if they combine server authentication with code signing uses unless the uses are separated by application of Extended Key Uses ("EKU"s) at the intermediate CA certificate level that are reflected in the whole certificate chain.
See https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#4-program-technical-requirements , 11 and 12
11.
The 'effective date' for new in Item 11 is 2015-07-23, as per Version 2.0 of the Microsoft Trusted Root Program Requirements that introduced this requirement.
The text was updated successfully, but these errors were encountered: