MobileID authentication fails because Swisscom Root CA Certificate appears to be revoked (Windows Server 2016/2022) #1

Closed
phaupt opened this issue Oct 15, 2021 · 3 comments · Fixed by #10
Labels
enhancement New feature or request

Comments


phaupt commented Oct 15, 2021

MobileID user authentication with ADFS are no longer working because the validation of the MobileID response fails. According to the ADFS logs, there seems to be an invalid signature in the MobileID user authentication response.

The MobileID signature response comes with a user (end entity) certificate issued/signed by the Swisscom Rubin CA 3 (which is an intermediate CA certificate). The latter is issued/signed by the Swisscom Root CA 2 (the root CA certificate). The full certificate chain is:

[ Swisscom Root CA 2 ] >> [ Swisscom Rubin CA 3 ] >> [ MobileID User (End Entity) Certificate ]

It seems that the validation of the MobileID signature fails because the root certificate (Swisscom Root CA 2) appears to be revoked. With a revoked Root CA certificate, the MobileID signature validation will obviously fail.

[screenshot: adfs-rootca2-revoked]

Because Windows considers the Swisscom Root CA 2 certificate revoked, all certificates it issued (and so on down the path) are considered invalid.

@phaupt phaupt added the help wanted Extra attention is needed label Oct 15, 2021

phaupt commented Oct 15, 2021

On Tuesday, August 27th, 2019, Microsoft released an update to the Microsoft Trusted Root Certificate Program. In this release, Microsoft marked the Swisscom Root CA 2 (77474FC630E40F4C47643F84BAB8C6954A8A41EC) with a NotBefore-property.

According to Microsoft:

Windows 10 allows us to stop trusting roots or EKU's using the "NotBefore" or "Disable" properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.

Please note that this is a Microsoft Windows related problem. According to Swisscom, the Swisscom Root CA 2 certificate is still trustworthy and the certificate has NOT been revoked from Swisscom. This "Swisscom Root CA 2" Root CA certificate remains valid at least until late 2024, from Swisscom point of view.

Note that Swisscom will introduce a new certificate chain in 2022 with the Swisscom Root CA 4 certificate (Root Certificate) and Swisscom Rubin CA 4 (Intermediate Certificate). Nevertheless, the Swisscom Root CA 2 is still being used by the MobileID service at least until late 2024.

Therefore, we need a solution or a workaround to solve the problem with the Microsoft Trusted Root Certificate Program, as Microsoft marked the Swisscom Root CA 2 in August 2019 with the NotBefore-property (in an up-to-date Windows Root CA-Truststore).


phaupt commented Oct 15, 2021

Find below some first thoughts and ideas. They have not been tested by Swisscom yet, please use at your own risk. Some of them may not work or may not be compliant with your security requirements. The instructions below are given without any guarantee and with the exclusion of any legal liability.

  1. Turn off Automatic Root Certificates Update
    On a Windows System that is not up-to-date (older than August 2019) the Swisscom Root CA 2 is still considered valid. To prevent an automatic root certificate update, the following policy may be enabled with the Local Group Policy Editor. This will keep the Swisscom Root CA 2 considered trustworthy.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Automatic Root Certificates Update

  2. Use the Root-CA-Truststore of the user (instead of the Computer's Root-CA-Truststore)
    Windows will look up certificates in the user's trust store first, before it looks up certificates in the Computer's trust store. It MAY work if the Swisscom Root CA 2 is imported in the Root-CA-Truststore of the technical user of the ADFS service.

  3. Disable the validation of the MobileID user certificate in the ADFS configuration
    Set the configuration parameter DisableSignatureCertValidation to actually disable the validation of the certificate chain. This should work, but obviously security will suffer.

  4. Include the Swisscom Root CA 2 in the MID/ADFS application
    In the MID/ADFS method Service::WebClientImpl::_isValidSignture(string, byte[]) you can find the call signedCms.CheckSignature(...) (line 1152), which is responsible for the signature validation. According to the dotnet documentation of CheckSignature, you can specify your own/additional certificates (such as the Swisscom Root CA 2) used for the validation of the certificate chain. The Swisscom Root CA 2 needs to be included in the MID/ADFS Installer. It may (or may not) be required to delete the Swisscom Root CA 2 from the Computer's Root-CA-Truststore. This would definitely be the best solution.

@phaupt phaupt removed the help wanted Extra attention is needed label Nov 24, 2021

phaupt commented Nov 25, 2021

Please note, this issue appears on newer Windows Server versions. On Windows Server 2012 R2 the "NotBefore"-property seems not to be supported and the Swisscom Root CA 2 remains valid.

@phaupt phaupt added the enhancement New feature or request label Nov 25, 2021
@phaupt phaupt changed the title MobileID user authentication fails because the root certificate appears to be revoked (in Windows) MobileID authentication fails because Swisscom Root CA Certificate appears to be revoked (Windows Server 2016/2022) Dec 5, 2021
@phaupt phaupt closed this as completed in #10 Feb 3, 2022
phaupt added a commit that referenced this issue Feb 3, 2022
…cation_fails_becau

Develop/#1 mobile id authentication fails becau