Windows Azure Root CAs and SSL Client Certificates

I ran into some problems while trying to make SSL client certificates work for StarterSTS 1.5. In theory you have to do two things (via startup tasks):

  • Unlock the SSL section in IIS
  • Install all the root certificates for the client certs you want to accept
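The two startup-task steps above, as an added PowerShell example (not code from the original post or from StarterSTS), followed by the diagnostic a practitioner would want: how large the list of trusted CAs is that Schannel has to send to the client. Assumptions not taken from the post: the root certificates to accept ship with the role in a folder named `ClientRootCAs` beside the script, and the task runs elevated, as Azure startup tasks do.

```powershell
# Added example, not code from the original post: an Azure web-role startup task
# that does the two steps above, then measures the size of the certificate_authorities
# list Schannel will put into the TLS CertificateRequest message.
# Assumptions (not from the post): root certs to accept live in .\ClientRootCAs
# next to this script; the task runs elevated. Written for PowerShell 2.0 (no $PSScriptRoot).

$ErrorActionPreference = 'Stop'
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path

# Step 1: unlock system.webServer/security/access so web.config may set
#         <access sslFlags="Ssl, SslNegotiateCert" /> for the site.
& "$env:windir\system32\inetsrv\appcmd.exe" unlock config /section:system.webServer/security/access

# Step 2: install every root CA whose client certificates the site should accept.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
Get-ChildItem (Join-Path $scriptDir 'ClientRootCAs') -Filter *.cer | ForEach-Object {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.FullName)
    $store.Add($cert)   # Add() of an already-present cert is a no-op, so re-running the task is safe
    Write-Output ("installed root: {0} ({1})" -f $cert.Subject, $cert.Thumbprint)
}

# Diagnostic: the server's CertificateRequest carries one DER-encoded DistinguishedName
# per trusted CA, each with a 2-byte length prefix. Summing them shows what the image's
# root store costs on the wire before the Schannel event log complains about truncation.
$roots = $store.Certificates
$listBytes = 0
foreach ($root in $roots) { $listBytes += $root.SubjectName.RawData.Length + 2 }
$store.Close()

Write-Output ("{0} roots in LocalMachine\Root; certificate_authorities payload ~{1} bytes" -f $roots.Count, $listBytes)

# Largest contributors first, so you know what to prune (or move into a CTL)
# if the truncation event does show up.
$roots | Sort-Object { $_.SubjectName.RawData.Length } -Descending |
    Select-Object -First 15 -Property @{ n = 'SubjectBytes'; e = { $_.SubjectName.RawData.Length } }, Subject
```

Wire it up as a startup task with `executionContext="elevated"` in the service definition and a one-line `.cmd` that runs `powershell -ExecutionPolicy Unrestricted -File InstallRoots.ps1` (file name is an assumption). The byte count is only an estimate of the TLS payload, but it tells you before deployment whether the role's root store is anywhere near what the quoted Schannel message is complaining about.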

I did that. But it still does not work. While inspecting the event log, I stumbled over a Schannel error message that I had never seen before:

“When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.”

WTF? And indeed standard Azure (web role) VMs trust 275 root CAs (see attached list). Including kinda obscure ones. I don’t really know why MS made this design decision. It seems just wrong (including breaking the SSL client cert functionality).

Deleting like 60% of them made SSL client certs from my CA work. So I guess I now have to find an automated way to attach CTLs to my site…joy.

Exported list of trusted CAs (as of 30 Dec 2010)
AC Raíz Certicámara S.A. (4/2/2030 9:42:02 PM)
AC RAIZ FNMT-RCM (1/1/2030 12:00:00 AM)
A-CERT ADVANCED (10/23/2011 2:14:14 PM)
Actalis Authentication CA G1 (6/25/2022 2:06:00 PM)
Agence Nationale de Certification Electronique (8/12/2037 9:03:17 AM)
Agence Nationale de Certification Electronique (8/12/2037 9:58:14 AM)
Agencia Catalana de Certificacio (NIF Q-0801176-I) (1/7/2031 10:59:59 PM)
America Online Root Certification Authority 1 (11/19/2037 8:43:00 PM)
America Online Root Certification Authority 2 (9/29/2037 2:08:00 PM)
ANCERT Certificados CGN (2/11/2024 5:27:12 PM)
ANCERT Certificados Notariales (2/11/2024 3:58:26 PM)
ANCERT Corporaciones de Derecho Publico (2/11/2024 5:22:45 PM)
A-Trust-nQual-01 (11/30/2014 11:00:00 PM)
A-Trust-nQual-03 (8/17/2015 10:00:00 PM)
A-Trust-Qual-01 (11/30/2014 11:00:00 PM)
A-Trust-Qual-02 (12/2/2014 11:00:00 PM)
A-Trust-Qual-03a (4/24/2018 10:00:00 PM)
Austria Telekom-Control Kommission (9/24/2005 12:40:00 PM)
Austrian Society for Data Protection (2/12/2009 11:30:30 AM)
Austrian Society for Data Protection GLOBALTRUST Certification Service (9/18/2036 2:12:35 PM)
Autoridad Certificadora Raiz de la Secretaria de Economia (5/9/2025 12:00:00 AM)
Autoridad de Certificacion de la Abogacia (6/13/2030 10:00:00 PM)
Autoridad de Certificacion Firmaprofesional CIF A62634068 (10/24/2013 10:00:00 PM)
Autoridade Certificadora Raiz Brasileira (11/30/2011 11:59:00 PM)
Baltimore CyberTrust Root (5/12/2025 11:59:00 PM)
BIT AdminCA-CD-T01 (1/25/2016 12:36:19 PM)
BIT Admin-Root-CA (11/10/2021 7:51:07 AM)
Buypass Class 2 CA 1 (10/13/2016 10:25:09 AM)
Buypass Class 3 CA 1 (5/9/2015 2:13:03 PM)
CA Disig (3/22/2016 1:39:34 AM)
CertEurope (3/27/2037 11:00:00 PM)
CERTICAMARA S.A. (2/23/2015 5:10:37 PM)
Certicámara S.A. (5/23/2011 10:00:00 PM)
Certigna (6/29/2027 3:13:05 PM)
Certipost E-Trust Primary Normalised CA (7/26/2020 10:00:00 AM)
Certipost E-Trust Primary Qualified CA (7/26/2020 10:00:00 AM)
Certipost E-Trust Primary TOP Root CA (7/26/2025 10:00:00 AM)
Certisign Autoridade Certificadora AC1S (6/27/2018 12:00:00 AM)
Certisign Autoridade Certificadora AC2 (6/27/2018 12:00:00 AM)
Certisign Autoridade Certificadora AC3S (7/9/2018 8:56:32 PM)
Certisign Autoridade Certificadora AC4 (6/27/2018 12:00:00 AM)
CertPlus Class 1 Primary CA (7/6/2020 11:59:59 PM)
CertPlus Class 2 Primary CA (7/6/2019 11:59:59 PM)
CertPlus Class 3 Primary CA (7/6/2019 11:59:59 PM)
CertPlus Class 3P Primary CA (7/6/2019 11:59:59 PM)
CertPlus Class 3TS Primary CA (7/6/2019 11:59:59 PM)
CertRSA01 (3/3/2010 2:59:59 PM)
certSIGN Root CA (7/4/2031 5:20:04 PM)
Certum (6/11/2027 10:46:39 AM)
Certum Trusted Network CA (12/31/2029 12:07:37 PM)
Chambers of Commerce Root – 2008 (7/31/2038 12:29:50 PM)
Chambersign Chambers of Commerce Root (9/30/2037 4:13:44 PM)
Chambersign Global Root (9/30/2037 4:14:18 PM)
Chambersign Public Notary Root (9/30/2037 4:14:49 PM)
Chunghwa Telecom Co. Ltd. (12/20/2034 2:31:27 AM)
Cisco Systems (5/14/2029 8:25:42 PM)
CNNIC Root (4/16/2027 7:09:14 AM)
Common Policy (10/15/2027 4:08:00 PM)
COMODO (12/31/2028 11:59:59 PM)
COMODO (1/18/2038 11:59:59 PM)
COMODO (12/31/2029 11:59:59 PM)
ComSign Advanced Security CA (3/24/2029 9:55:55 PM)
ComSign CA (3/19/2029 3:02:18 PM)
ComSign Secured CA (3/16/2029 3:04:56 PM)
Correo Uruguayo – Root CA (12/31/2030 2:59:59 AM)
Cybertrust Global Root (12/15/2021 8:00:00 AM)
DanID (2/11/2037 9:09:30 AM)
DanID (4/5/2021 5:03:17 PM)
Deutsche Telekom Root CA 2 (7/9/2019 11:59:00 PM)
DigiCert (11/10/2031 12:00:00 AM)
DigiCert (11/10/2031 12:00:00 AM)
DigiCert (11/10/2031 12:00:00 AM)
DigiNotar Root CA (3/31/2025 6:19:21 PM)
DIRECCION GENERAL DE LA POLICIA (2/8/2036 10:59:59 PM)
DST (ABA.ECOM) CA (7/9/2009 5:33:53 PM)
DST (ANX Network) CA (12/9/2018 4:16:48 PM)
DST (Baltimore EZ) CA (7/3/2009 7:56:53 PM)
DST (National Retail Federation) RootCA (12/8/2008 4:14:16 PM)
DST (United Parcel Service) RootCA (12/7/2008 12:25:46 AM)
DST ACES CA X6 (11/20/2017 9:19:58 PM)
DST Root CA X3 (9/30/2021 2:01:15 PM)
DST RootCA X1 (11/28/2008 6:18:55 PM)
DST RootCA X2 (11/27/2008 10:46:16 PM)
DSTCA E1 (12/10/2018 6:40:23 PM)
DSTCA E2 (12/9/2018 7:47:26 PM)
DST-Entrust GTI CA (12/9/2018 12:32:24 AM)
D-TRUST GmbH (5/16/2022 5:20:47 AM)
D-TRUST GmbH (6/8/2012 11:47:46 AM)
D-TRUST GmbH (5/16/2022 5:20:47 AM)
EBG Elektronik Sertifika Hizmet Saglayicisi (8/14/2016 12:31:09 AM)
E-Certchile (9/5/2028 7:39:41 PM)
Echoworx Root CA2 (10/7/2030 10:49:13 AM)
ECRaizEstado (6/23/2030 1:41:27 PM)
EDICOM (4/13/2028 4:24:22 PM)
E-GÜVEN Elektronik Sertifika Hizmet Saglayicisi (1/4/2017 11:32:48 AM)
E-ME SSI (RCA) (5/19/2027 8:48:15 AM)
Entrust (11/27/2026 8:53:42 PM)
Entrust (5/25/2019 4:39:40 PM)
Entrust.net (12/7/2030 5:55:54 PM)
Equifax Secure eBusiness CA-1 (6/21/2020 4:00:00 AM)
Equifax Secure eBusiness CA-2 (6/23/2019 12:14:45 PM)
Equifax Secure Global eBusiness CA-1 (6/21/2020 4:00:00 AM)
eSign Australia: eSign Imperito Primary Root CA (5/23/2012 11:59:59 PM)
eSign Australia: Gatekeeper Root CA (5/23/2014 11:59:59 PM)
eSign Australia: Primary Utility Root CA (5/23/2012 11:59:59 PM)
Fabrica Nacional de Moneda y Timbre (3/18/2019 3:26:19 PM)
GeoTrust (8/22/2018 4:41:51 PM)
GeoTrust (7/16/2036 11:59:59 PM)
GeoTrust Global CA (5/21/2022 4:00:00 AM)
GeoTrust Global CA 2 (3/4/2019 5:00:00 AM)
GeoTrust Primary Certification Authority – G2 (1/18/2038 11:59:59 PM)
GeoTrust Primary Certification Authority – G3 (12/1/2037 11:59:59 PM)
GeoTrust Universal CA (3/4/2029 5:00:00 AM)
GeoTrust Universal CA 2 (3/4/2029 5:00:00 AM)
Global Chambersign Root – 2008 (7/31/2038 12:31:40 PM)
GlobalSign (1/28/2028 12:00:00 PM)
GlobalSign (12/15/2021 8:00:00 AM)
Go Daddy Class 2 Certification Authority (6/29/2034 5:06:20 PM)
GTE CyberTrust Global Root (8/13/2018 11:59:00 PM)
GTE CyberTrust Root (4/3/2004 11:59:00 PM)
GTE CyberTrust Root (2/23/2006 11:59:00 PM)
Halcom CA FO (6/5/2020 10:33:31 AM)
Halcom CA PO 2 (2/7/2019 6:33:31 PM)
Hongkong Post Root CA (1/16/2010 11:59:00 PM)
Hongkong Post Root CA 1 (5/15/2023 4:52:29 AM)
I.CA První certifikacní autorita a.s. (4/1/2018 12:00:00 AM)
I.CA První certifikacní autorita a.s. (4/1/2018 12:00:00 AM)
InfoNotary (3/6/2026 5:33:05 PM)
IPS SERVIDORES (12/29/2009 11:21:07 PM)
IZENPE S.A. (1/30/2018 11:00:00 PM)
Izenpe.com (12/13/2037 8:27:25 AM)
Japan Certification Services, Inc. SecureSign RootCA1 (9/15/2020 2:59:59 PM)
Japan Certification Services, Inc. SecureSign RootCA11 (4/8/2029 4:56:47 AM)
Japan Certification Services, Inc. SecureSign RootCA2 (9/15/2020 2:59:59 PM)
Japan Certification Services, Inc. SecureSign RootCA3 (9/15/2020 2:59:59 PM)
Japan Local Government PKI Application CA (3/31/2016 2:59:59 PM)
Japanese Government ApplicationCA (12/12/2017 3:00:00 PM)
Juur-SK AS Sertifitseerimiskeskus (8/26/2016 2:23:01 PM)
KamuSM (8/21/2017 11:37:07 AM)
KISA RootCA 1 (8/24/2025 8:05:46 AM)
KISA RootCA 3 (11/19/2014 6:39:51 AM)
Macao Post eSignTrust (1/29/2013 11:59:59 PM)
MicroSec e-Szigno Root CA (4/6/2017 12:28:44 PM)
Microsoft Authenticode(tm) Root (12/31/1999 11:59:59 PM)
Microsoft Root Authority (12/31/2020 7:00:00 AM)
Microsoft Root Certificate Authority (5/9/2021 11:28:13 PM)
Microsoft Timestamp Root (12/30/1999 11:59:59 PM)
MOGAHA Govt of Korea (4/21/2012 9:07:23 AM)
MOGAHA Govt of Korea GPKI (3/15/2017 6:00:04 AM)
NetLock Arany (Class Gold) Fotanúsítvány (12/6/2028 3:08:21 PM)
NetLock Expressz (Class C) Tanusitvanykiado (2/20/2019 2:08:11 PM)
NetLock Kozjegyzoi (Class A) Tanusitvanykiado (2/19/2019 11:14:47 PM)
NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado (12/15/2022 1:47:11 AM)
NetLock Platina (Class Platinum) Fotanúsítvány (12/6/2028 3:12:44 PM)
NetLock Uzleti (Class B) Tanusitvanykiado (2/20/2019 2:10:22 PM)
Netrust CA1 (3/30/2021 2:57:45 AM)
Network Solutions (12/31/2029 11:59:59 PM)
NLB Nova Ljubljanska Banka d.d. Ljubljana (5/15/2023 12:22:45 PM)
OISTE WISeKey Global Root GA CA (12/11/2037 4:09:51 PM)
Post.Trust Root CA (7/5/2022 9:12:33 AM)
Post.Trust Root CA (8/20/2010 1:56:21 PM)
Posta CA Root (10/20/2028 12:52:08 PM)
POSTarCA (2/7/2023 11:06:58 AM)
QuoVadis Root CA 2 (11/24/2031 6:23:33 PM)
QuoVadis Root CA 3 (11/24/2031 7:06:44 PM)
QuoVadis Root Certification Authority (3/17/2021 6:33:33 PM)
Root CA Generalitat Valenciana (7/1/2021 3:22:47 PM)
RSA Security 2048 V3 (2/22/2026 8:39:23 PM)
SECOM Trust Systems CO LTD (6/6/2037 2:12:32 AM)
SECOM Trust Systems CO LTD (6/25/2019 10:23:48 PM)
SECOM Trust Systems CO LTD (9/30/2023 4:20:49 AM)
Secretaria de Economia Mexico (5/8/2025 12:00:00 AM)
Secrétariat Général de la Défense Nationale (10/17/2020 2:29:22 PM)
SecureNet CA Class B (10/16/2009 9:59:00 AM)
Serasa Certificate Authority I (11/21/2024 2:12:45 PM)
Serasa Certificate Authority II (11/21/2024 12:44:48 PM)
Serasa Certificate Authority III (11/21/2024 1:24:14 PM)
SERVICIOS DE CERTIFICACION – A.N.C. (3/9/2009 9:08:07 PM)
Sigen-CA (6/29/2021 9:57:46 PM)
Sigov-CA (1/10/2021 2:22:52 PM)
Skaitmeninio sertifikavimo centras (12/28/2026 12:05:04 PM)
Skaitmeninio sertifikavimo centras (12/25/2026 12:08:26 PM)
Skaitmeninio sertifikavimo centras (12/22/2026 12:11:30 PM)
Sonera Class1 CA (4/6/2021 10:49:13 AM)
Sonera Class2 CA (4/6/2021 7:29:40 AM)
Spanish Property & Commerce Registry CA (4/27/2012 9:39:50 AM)
Staat der Nederlanden Root CA (12/16/2015 9:15:38 AM)
Staat der Nederlanden Root CA – G2 (3/25/2020 11:03:10 AM)
Starfield Class 2 Certification Authority (6/29/2034 5:39:16 PM)
Starfield Technologies (6/26/2019 12:19:54 AM)
Starfield Technologies Inc. (12/31/2029 11:59:59 PM)
StartCom Certification Authority (9/17/2036 7:46:36 PM)
S-TRUST Authentication and Encryption Root CA 2005:PN (6/21/2030 11:59:59 PM)
Swisscom Root CA 1 (8/18/2025 10:06:20 PM)
SwissSign (10/25/2036 8:30:35 AM)
SwissSign Platinum G2 Root CA (10/25/2036 8:36:00 AM)
SwissSign Silver G2 Root CA (10/25/2036 8:32:46 AM)
TC TrustCenter Class 1 CA (1/1/2011 11:59:59 AM)
TC TrustCenter Class 2 CA (1/1/2011 11:59:59 AM)
TC TrustCenter Class 2 CA II (12/31/2025 10:59:59 PM)
TC TrustCenter Class 3 CA (1/1/2011 11:59:59 AM)
TC TrustCenter Class 3 CA II (12/31/2025 10:59:59 PM)
TC TrustCenter Class 4 CA (1/1/2011 11:59:59 AM)
TC TrustCenter Class 4 CA II (12/31/2025 10:59:59 PM)
TC TrustCenter Time Stamping CA (1/1/2011 11:59:59 AM)
TC TrustCenter Universal CA I (12/31/2025 10:59:59 PM)
TC TrustCenter Universal CA II (12/31/2030 10:59:59 PM)
thawte (12/31/2020 11:59:59 PM)
thawte (7/16/2036 11:59:59 PM)
thawte (12/31/2020 11:59:59 PM)
thawte (12/31/2020 11:59:59 PM)
thawte (12/31/2020 11:59:59 PM)
thawte (12/31/2020 11:59:59 PM)
thawte (12/31/2020 11:59:59 PM)
thawte Primary Root CA – G2 (1/18/2038 11:59:59 PM)
thawte Primary Root CA – G3 (12/1/2037 11:59:59 PM)
Thawte Timestamping CA (12/31/2020 11:59:59 PM)
Trustis EVS Root CA (1/9/2027 11:56:00 AM)
Trustis FPS Root CA (1/21/2024 11:36:54 AM)
Trustwave (1/1/2035 5:37:19 AM)
Trustwave (12/31/2029 7:40:55 PM)
Trustwave (12/31/2029 7:52:06 PM)
TURKTRUST Elektronik Islem Hizmetleri (9/16/2015 12:13:05 PM)
TURKTRUST Elektronik Islem Hizmetleri (3/22/2015 10:04:51 AM)
TURKTRUST Elektronik Sertifika Hizmet Saglayicisi (9/16/2015 10:07:57 AM)
TURKTRUST Elektronik Sertifika Hizmet Saglayicisi (3/22/2015 10:27:17 AM)
TÜRKTRUST Elektronik Sertifika Hizmet Saglayicisi (12/22/2017 6:37:19 PM)
TW Government Root Certification Authority (12/5/2032 1:23:33 PM)
TWCA Root Certification Authority 1 (12/31/2030 3:59:59 PM)
TWCA Root Certification Authority 2 (12/31/2030 3:59:59 PM)
U.S. Government FBCA (10/6/2010 6:53:56 PM)
UCA Global Root (12/31/2037 12:00:00 AM)
UCA Root (12/31/2029 12:00:00 AM)
USERTrust (7/9/2019 6:40:36 PM)
USERTrust (7/9/2019 5:36:58 PM)
USERTrust (6/24/2019 7:06:30 PM)
USERTrust (7/9/2019 6:19:22 PM)
USERTrust (5/30/2020 10:48:38 AM)
UTN – USERFirst-Network Applications (7/9/2019 6:57:49 PM)
ValiCert Class 3 Policy Validation Authority (6/26/2019 12:22:33 AM)
VAS Latvijas Pasts SSI(RCA) (9/13/2024 9:27:57 AM)
VeriSign (5/18/2018 11:59:59 PM)
VeriSign (7/16/2036 11:59:59 PM)
VeriSign (8/1/2028 11:59:59 PM)
VeriSign (12/31/1999 9:37:48 AM)
VeriSign (1/7/2004 11:59:59 PM)
VeriSign (5/18/2018 11:59:59 PM)
VeriSign (1/7/2004 11:59:59 PM)
VeriSign (8/1/2028 11:59:59 PM)
VeriSign (8/1/2028 11:59:59 PM)
VeriSign (1/7/2020 11:59:59 PM)
VeriSign (12/31/1999 9:35:58 AM)
VeriSign (8/1/2028 11:59:59 PM)
VeriSign (7/16/2036 11:59:59 PM)
VeriSign (1/7/2004 11:59:59 PM)
VeriSign (7/16/2036 11:59:59 PM)
VeriSign (1/7/2010 11:59:59 PM)
VeriSign (5/18/2018 11:59:59 PM)
VeriSign (8/1/2028 11:59:59 PM)
VeriSign (1/7/2004 11:59:59 PM)
VeriSign (7/16/2036 11:59:59 PM)
VeriSign (7/16/2036 11:59:59 PM)
VeriSign (8/1/2028 11:59:59 PM)
VeriSign (5/18/2018 11:59:59 PM)
VeriSign Class 3 Public Primary CA (8/1/2028 11:59:59 PM)
VeriSign Class 3 Public Primary Certification Authority – G4 (1/18/2038 11:59:59 PM)
VeriSign Time Stamping CA (1/7/2004 11:59:59 PM)
VeriSign Universal Root Certification Authority (12/1/2037 11:59:59 PM)
Visa eCommerce Root (6/24/2022 12:16:12 AM)
Visa Information Delivery Root CA (6/29/2025 5:42:42 PM)
VRK Gov. Root CA (12/18/2023 1:51:08 PM)
Wells Fargo Root Certificate Authority (1/14/2021 4:41:28 PM)
WellsSecure Public Certificate Authority (12/14/2022 12:07:54 AM)
Xcert EZ by DST (7/11/2009 4:14:18 PM)

This entry was posted in Azure.

5 Responses to Windows Azure Root CAs and SSL Client Certificates

  1. alexeyb says:

    Hi, thanks for your article. Have you found a solution to fix the problem in a right way?

    • No, not really. There is a registry switch that turns off transmission of the CA list to the client. This means the browser will show all available client certs, not just the ones the server would accept. This registry setting is now part of the standard image in Azure.
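The workaround the reply describes, as an added example that is not the post author's code: detect on the instance whether Schannel has logged the truncation condition, and apply the registry switch that stops the CA list being sent. Assumptions not stated in the post: the switch is the `SendTrustedIssuerList` DWORD under the Schannel key, with 0 meaning the list is not sent, and the quoted message is Schannel event 36885 in the System log.

```powershell
# Added example, not the post author's code: check for the Schannel truncation
# event and apply the registry switch the reply refers to.
# Assumptions (not in the post): the switch is SendTrustedIssuerList (DWORD) under
# the Schannel key, 0 = do not send the CA list; the quoted message is event 36885.

$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Test-IssuerListTruncated {
    # Get-WinEvent emits a non-terminating error when nothing matches; swallow it
    # and treat "no events" as "not truncated".
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; ID = 36885 } `
                             -ErrorAction SilentlyContinue)
    return $events.Count -gt 0
}

function Get-TrustedIssuerListSetting {
    $props = Get-ItemProperty -Path $schannelKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['SendTrustedIssuerList']) {
        return [int]$props.SendTrustedIssuerList
    }
    return 1   # value absent: OS default on the Server 2008 R2 images of this era, i.e. the list is sent
}

function Disable-TrustedIssuerList {
    if (-not (Test-Path $schannelKey)) { New-Item -Path $schannelKey -Force | Out-Null }
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $schannelKey -Name SendTrustedIssuerList -Value 0 -Type DWord
}

if (Test-IssuerListTruncated) {
    Write-Warning 'Schannel reports the trusted-issuer list was truncated; clients whose CA fell off the list will not offer a certificate.'
    if ((Get-TrustedIssuerListSetting) -ne 0) {
        Disable-TrustedIssuerList
        Write-Warning 'SendTrustedIssuerList set to 0. Restart the instance; Schannel reads this setting at start-up.'
    }
} else {
    Write-Output ('No truncation event found; SendTrustedIssuerList = {0}' -f (Get-TrustedIssuerListSetting))
}
```

The caveat the reply mentions is worth spelling out: suppressing the list does not weaken what the server accepts, since Schannel still chains the presented client certificate to the machine's root store, but the browser loses the hint it uses to filter the certificate picker, so users with several client certificates will be shown all of them. Pruning the root store, or binding a CTL to the site, keeps the hint; the registry switch is the blunt instrument.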

  2. Adrian Hope-Bailie says:

    I know this is an old post but it seems like the Azure VMs have now gone in the other direction and are only supporting a very small list of root CAs. A large number of the common ones are now missing forcing you to install them yourself. Any idea when this happened or why?

  3. Adrian Hope-Bailie says:

    By the way, the previous issue was caused by a Windows Server update that was mistakenly applied to servers and should have only been applied to workstations.
    http://blogs.technet.com/b/windowsserver/archive/2013/01/12/fix-available-for-root-certificate-update-issue-on-windows-server.aspx
