MobileID authentication fails because Swisscom Root CA Certificate appears to be revoked (Windows Server 2016/2022) #1
On Tuesday, August 27th, 2019, Microsoft released an update to the Microsoft Trusted Root Certificate Program. In this release, Microsoft marked the Swisscom Root CA 2 (77474FC630E40F4C47643F84BAB8C6954A8A41EC) with a NotBefore-property. According to Microsoft:
Please note that this is a Microsoft Windows related problem. According to Swisscom, the Swisscom Root CA 2 certificate is still trustworthy and the certificate has NOT been revoked by Swisscom. This "Swisscom Root CA 2" Root CA certificate remains valid at least until late 2024, from Swisscom's point of view. Note that Swisscom will introduce a new certificate chain in 2022 with the Swisscom Root CA 4 certificate (Root Certificate) and Swisscom Rubin CA 4 (Intermediate Certificate). Nevertheless, the Swisscom Root CA 2 is still being used by the MobileID service at least until late 2024. Therefore, we need a solution or a workaround to solve the problem with the Microsoft Trusted Root Certificate Program, as Microsoft marked the Swisscom Root CA 2 in August 2019 with the NotBefore-property (in an up-to-date Windows Root CA-Truststore).
Find below some first thoughts and ideas. They have not been tested by Swisscom yet, please use at your own risk. Some of them may not work or may not be compliant with your security requirements. The instructions below are given without any guarantee and with the exclusion of any legal liability.
Please note, this issue appears on newer Windows Server versions. On Windows Server 2012 R2 the "NotBefore"-property seems not to be supported and the Swisscom Root CA 2 remains valid.
MobileID user authentication with ADFS is no longer working because the validation of the MobileID response fails. According to the ADFS logs, there seems to be an invalid signature in the MobileID user authentication response.
The MobileID signature response comes with a user (end entity) certificate issued/signed by the Swisscom Rubin CA 3 (which is an intermediate CA certificate). The latter is issued/signed by the Swisscom Root CA 2 (the root CA certificate). The full certificate chain is:
[ Swisscom Root CA 2 ] >> [ Swisscom Rubin CA 3 ] >> [ MobileID User (End Entity) Certificate ]
It seems that the validation of the MobileID signature fails because the root certificate (Swisscom Root CA 2) appears to be revoked. With a revoked Root CA certificate, the MobileID signature validation will obviously fail.
Because Windows considers the Swisscom Root CA 2 certificate revoked, all certificates it issued (and so on down the path) are considered invalid.
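To confirm on an affected server how Windows itself evaluates the chain described above, the following PowerShell diagnostic can be run on the ADFS host. This is an added example, not code from the issue author or from Swisscom; it uses the Swisscom Root CA 2 thumbprint quoted in the issue, and the path to the MobileID user (end entity) certificate is a placeholder you must export from a captured signature response yourself.

```powershell
# Added diagnostic (not from the issue): report how this Windows host judges
# the Swisscom Root CA 2 chain. Thumbprint taken from the issue text.
$rootThumbprint = '77474FC630E40F4C47643F84BAB8C6954A8A41EC'

# 1. Is the root present in the machine Trusted Root store, and has the
#    Microsoft Trusted Root Program pushed it into the Disallowed store?
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootThumbprint }
if ($root) {
    Write-Host "Root present: $($root.Subject)  NotAfter=$($root.NotAfter)"
} else {
    Write-Warning "Swisscom Root CA 2 ($rootThumbprint) not found in LocalMachine\Root"
}
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Thumbprint -eq $rootThumbprint }
if ($disallowed) { Write-Warning "Swisscom Root CA 2 is listed in LocalMachine\Disallowed" }

# 2. Build the full chain for a MobileID end-entity certificate and print the
#    status flags of every element (leaf, Rubin CA 3, Root CA 2). A root that
#    Windows no longer trusts shows up as a non-empty status on the root
#    element, and Build() returns $false; that is what ADFS sees as an
#    invalid signature.
function Get-ChainStatus {
    param([Parameter(Mandatory)][string]$LeafPath)   # placeholder path, supplied by caller
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LeafPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($leaf)
    Write-Host ("Chain valid: {0}" -f $ok)
    foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'NoError' }
        Write-Host ("  {0}" -f $el.Certificate.Subject)
        Write-Host ("    thumbprint={0} status={1}" -f $el.Certificate.Thumbprint, $status)
    }
    $chain.Reset()
    return $ok
}

# Usage (placeholder path for a MobileID user certificate exported from the
# signature response):
# Get-ChainStatus -LeafPath 'C:\temp\mobileid-user.cer'
```

Running the same script on a Windows Server 2012 R2 host and on a 2016/2022 host gives a side-by-side view of the difference the issue describes: the chain elements are identical, only the status reported for the root element changes.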