Microsoft today announced that they will remove WoSign and StartCom certificates in Windows 10. WoSign and StartCom are Chinese Certificate Authorities (CAs) issuing digital certificates. According to Microsoft, these CAs have failed to maintain the standards set by Microsoft. They have been following unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations.
As a result, Microsoft will deprecate WoSign and StartCom certificates by setting a “NotBefore” date of 26 September 2017. But the existing certificates will continue to function until they self-expire. After September 2017, Windows 10 will not trust any new certificates from these CAs.
Microsoft also mentioned that they take these decisions after careful consideration as to what is best for the security of millions of Windows users.