SK ID Solutions’ root certificate, EE Certification Centre Root CA (EECCRCA), has been removed from the Microsoft Trusted Root Program.

The delisting from Microsoft’s program means that servers and applications relying on the default Microsoft trust list will no longer automatically recognize EECCRCA. Potentially, this could lead to failures in Mobile-ID or Smart-ID authentication within Windows Server environments and cause certificate-chain validation errors in systems that depend on Microsoft’s trust store.

To ensure uninterrupted service in these specific Microsoft environments, you should manually configure your systems to trust the EECCRCA certificate. This can be done by importing the root certificate directly into the system’s trust store, adjusting application-level certificate validation settings, or distributing the certificate via enterprise policy tools.

Please note, that the EECCRCA certificate is still valid, and the withdrawal from Microsoft Trusted Root Program does not affect the security of valid Mobile-ID nor Smart-ID’s, which originate from this CA hierarchy.

If such root certificate trust issue occurs, you should import EECCRCA into your trusted root store or adjust your application’s certificate validation settings to include EECCRCA in its trust bundle.

• On Windows servers, use MMC or run certutil –addstore root <root.cer>.
• On Linux, install the certificate in your distribution’s CA directory (for example, /usr/local/share/ca-certificates/) and execute update-ca-certificates.
• Within .NET or ASP.NET applications, load a trust bundle containing EECCRCA or implement a custom ServerCertificateCustomValidationCallback to accept the full chain, and ensure that IIS and Kestrel are configured to present the complete intermediate chain alongside your server certificate.
• For enterprise-wide policies, consider distributing EECCRCA via Group Policy or other solutions used by you.

You can download EECCRCA here: https://www.skidsolutions.eu/resources/certificates/#Root-CAs.

More information about certification hierarchy is here: https://github.com/SK-EID/PKI/wiki/Certification-Hierarchy.

Previous