Forum Discussion
Dev Channel update to 109.0.1495.2 is live
Where can I find information about how to add our own Enterprise CAs and SubCAs to the MicrosoftRootStore of Edge when the MicrosoftRootStoreEnabled feature is turned on?
I currently have to add several CAs to the Windows 10 Certificate Store; as I understand, in future versions of Edge I would have to add them to the internal Edge MicrosoftRootStore too. How can this be automated during deployment? Where can I find documentation about this? On this page I can only find the timeline of Edge v109 to Edge v111 and the policy itself, but no link to details.
I don't know when they will update the documentation for this policy, but once they do, it will have the necessary information you are looking for.
- Gunnar-Haslinger | Dec 02, 2022 | Steel Contributor
Thanks Eric_E for your reply.
But what's missing is not the policy documentation (this is a simple on/off policy, so the documentation is fine) but the information about how to add our own Enterprise CAs and SubCAs to the MicrosoftRootStore of Edge. In this announcement Microsoft tells us:
Microsoft recommends that enterprises that have break-and-inspect proxies or other scenarios involving TLS server certificates issued by roots not in the Microsoft CTL to proactively test with the policy enabled in Microsoft Edge 109 and report any compatibility issues to Microsoft.
OK. So where to report? We cannot start the test because information on how to configure this is missing. Please update / add information to the announcement and provide documentation.
- AndresPae | Jan 27, 2023 | Brass Contributor
This move to block using the OS cert store in Edge starting with 111 is really weird. In enterprises it is very common that we have an internal PKI. We can distribute those CA certs via AD GPO or via Intune CSP; in such cases the certs are PUT into the OS cert store. Even Mozilla Firefox finally got the ability to use the Windows store (and we are using this option). And now, dear MS, Edge is not able to use the Windows store? Do we understand it wrongly? https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-cert-verification
As I understand, 111 should launch in mid Feb 2023 - this is almost soon.
- Gunnar-Haslinger | Jan 27, 2023 | Steel Contributor
AndresPae yes, I think you understand it wrong.
And I think the article is written misleadingly.
There is this small sentence which should get your attention:
In addition to trusting the built-in roots that ship with Microsoft Edge, the browser will also query the underlying platform for—and trust—locally installed roots that users and/or enterprises installed.
So in fact nothing seems to change for Enterprise CAs deployed to the Windows OS cert store.
See this blog post here, which is written much more clearly than the official documentation:
https://textslashplain.com/2022/12/06/tls-certificate-verification-changes-in-edge/
This blog is written by https://twitter.com/ericlaw who is working at MSFT/Edge
- AndresPae | Jan 27, 2023 | Brass Contributor
I read this small sentence several times forth and back and was even more confused. But - thanks - your link explains it indeed much better than the official page.