The recent announcement from Microsoft makes it clear that the software giant will remove the U.S. Federal Common Policy CA root certificate in the upcoming Microsoft Root certificate update on May 24, 2022.
Federal Common Policy root certificate to be removed from the Microsoft Trusted Root Program
A root certificate is the cornerstone of authentication and security because it is used to validate an end-user certificate. End-user certificates are issued by a certificate authority (CA) and, essentially, verify that the software/website owner is who they say they are. In short, the root certificate is a core component of a trust chain!
What role does the Microsoft Trusted Root Certificate Program play? It takes root certificates supplied by authorized Certificate Authorities (CAs) and ships them to your device, confirming whether the programs, apps, and websites are trusted by Microsoft or not.
To make this process more secure, the program has made some crucial modifications, such as removing a few partners who will no longer participate in the program. This is done to help users better guard against evolving threats. Although necessary, the change may impact a small set of customers who have certificates from affected partners.
According to the Microsoft document, the root certificate that's being removed by the Microsoft Root Certificate Update is named "Federal Common Policy CA" and is commonly referred to as the "G1" root certificate, even though "G1" does not appear in the certificate name. The root certificate that replaces the "G1" root certificate is named "Federal Common Policy CA G2" and is commonly referred to as the "G2" root certificate.
Considering the risks, Microsoft strongly encourages all owners of digital certificates currently trusted by Microsoft to review the list and determine whether their certificates are associated with any of the roots the company is removing, owing to its more stringent technical and auditing requirements. If the clients are using a certificate that was issued by one of the companies listed, it suggests they obtain a replacement certificate from another program provider.
Also, if anyone is experiencing outages following the removal of the "G1" root certificates, they should try to manually download the "G2" root certificate.
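One way to carry out the review described above on a Windows machine, as an added example that is not from Microsoft or from the original article: it lists which of the two roots are in the machine's trusted root store and reports the personal certificates whose chain, as Windows builds it, ends at "G1" or "G2". The two certificate names come from the article; the function name `Get-ChainRootName` and the choice of stores to scan are assumptions.

```powershell
# Added example. Root names are the ones quoted in the article.
$G1Name = 'Federal Common Policy CA'      # root being removed ("G1")
$G2Name = 'Federal Common Policy CA G2'   # replacement root ("G2")
$SimpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Hypothetical helper: returns the name of the certificate at the top of the
# chain Windows builds for $Certificate, and whether that top is self-signed.
function Get-ChainRootName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Audit only: skip revocation lookups so the check does not depend on CRL/OCSP.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    try {
        [void]$chain.Build($Certificate)
        $count = $chain.ChainElements.Count
        if ($count -eq 0) { return $null }
        $top = $chain.ChainElements[$count - 1].Certificate
        [pscustomobject]@{
            Name         = $top.GetNameInfo($SimpleName, $false)
            IsSelfSigned = ($top.Subject -eq $top.Issuer)   # false means a partial chain
        }
    } finally {
        $chain.Reset()
    }
}

# 1. Which of the two roots does this machine currently trust?
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.GetNameInfo($SimpleName, $false) -in $G1Name, $G2Name } |
    Select-Object @{ n = 'Root'; e = { $_.GetNameInfo($SimpleName, $false) } }, Thumbprint, NotAfter

# 2. Which installed personal certificates chain to G1 or G2?
#    (Stores scanned here are an assumption; add others as needed.)
Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My | ForEach-Object {
    $root = Get-ChainRootName -Certificate $_
    if ($root -and $root.IsSelfSigned -and $root.Name -in $G1Name, $G2Name) {
        $status = if ($root.Name -eq $G1Name) { 'chains to G1 (being removed)' }
                  else { 'chains to G2' }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Status     = $status
        }
    }
}
```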