
MobileID authentication fails because Swisscom Root CA Certificate appears to be revoked (Windows Server 2016/2022) about mobileid-enabler-adfs (CLOSED)

mobileid-strong-authentication commented on June 29, 2024
MobileID authentication fails because Swisscom Root CA Certificate appears to be revoked (Windows Server 2016/2022)

from mobileid-enabler-adfs.

Comments (3)

phaupt commented on June 29, 2024

On Tuesday, August 27th, 2019, Microsoft released an update to the Microsoft Trusted Root Certificate Program. In this release, Microsoft marked the Swisscom Root CA 2 (77474FC630E40F4C47643F84BAB8C6954A8A41EC) with a NotBefore-property.

According to Microsoft:

Windows 10 allows us to stop trusting roots or EKU's using the "NotBefore" or "Disable" properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.

Please note that this is a Microsoft Windows related problem. According to Swisscom, the Swisscom Root CA 2 certificate is still trustworthy and the certificate has NOT been revoked by Swisscom. This "Swisscom Root CA 2" Root CA certificate remains valid at least until late 2024, from Swisscom's point of view.

Note that Swisscom will introduce a new certificate chain in 2022 with the Swisscom Root CA 4 certificate (Root Certificate) and Swisscom Rubin CA 4 (Intermediate Certificate). Nevertheless, the Swisscom Root CA 2 is still being used by the MobileID service at least until late 2024.

Therefore, we need a solution or a workaround to solve the problem with the Microsoft Trusted Root Certificate Program, as Microsoft marked the Swisscom Root CA 2 in August 2019 with the NotBefore-property (in an up-to-date Windows Root CA-Truststore).


phaupt commented on June 29, 2024

Find below some first thoughts and ideas. They have not been tested by Swisscom yet, please use at your own risk. Some of them may not work or may not be compliant with your security requirements. The instructions below are given without any guarantee and with the exclusion of any legal liability.

  1. Turn off Automatic Root Certificates Update
    On a Windows system that is not up to date (older than August 2019) the Swisscom Root CA 2 is still considered valid. To prevent an automatic root certificate update, the following policy may be enabled with the Local Group Policy Editor. This will keep the Swisscom Root CA 2 considered trustworthy.
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Automatic Root Certificates Update

  2. Use the Root-CA-Truststore of the user (instead of the Computer's Root-CA-Truststore)
    Windows will look up certificates in the user's trust store first, before it looks up certificates in the Computer's trust store. It MAY work if the Swisscom Root CA 2 is imported into the Root-CA-Truststore of the technical user of the ADFS service.

  3. Disable the validation of the MobileID user certificate in the ADFS configuration
    Set the configuration parameter DisableSignatureCertValidation to actually disable the validation of the certificate chain. This should work, but obviously security will suffer.

  4. Include the Swisscom Root CA 2 in the MID/ADFS application
    In the MID/ADFS method Service::WebClientImpl::_isValidSignture(string, byte[]) you can find the call signedCms.CheckSignature(...) (line 1152), which is responsible for the signature validation. According to the dotnet documentation of CheckSignature, you can specify your own/additional certificates (such as the Swisscom Root CA 2) used for the validation of the certificate chain. The Swisscom Root CA 2 needs to be included in the MID/ADFS Installer. It may (or may not) be required to delete the Swisscom Root CA 2 from the Computer's Root-CA-Truststore. This would definitely be the best solution.

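An added example (not code from mobileid-enabler-adfs) of the approach in point 4: the Swisscom Root CA 2 is handed to SignedCms.CheckSignature as an extra-store certificate and, on failure, the chain is rebuilt so the X509ChainStatus reasons can be logged. The class and method names are hypothetical; whether the chain is then accepted still depends on the Windows trust store, as the comment notes.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not from mobileid-enabler-adfs): validates a CMS/PKCS#7
// signature with the Swisscom Root CA 2 supplied as an extra chain-building
// certificate, then explains any chain failure via X509ChainStatus.
public static class MobileIdSignatureCheck
{
    // Returns true only when the signature AND the certificate chain validate.
    // verifySignatureOnly must stay false: true would be the same as the
    // DisableSignatureCertValidation workaround from point 3.
    public static bool VerifySignedCms(byte[] cmsDer, X509Certificate2 swisscomRootCa2,
                                       out string diagnostics)
    {
        var cms = new SignedCms();
        cms.Decode(cmsDer);                                  // throws on malformed input

        var extraStore = new X509Certificate2Collection { swisscomRootCa2 };
        try
        {
            cms.CheckSignature(extraStore, verifySignatureOnly: false);
            diagnostics = "signature and certificate chain are valid";
            return true;
        }
        catch (CryptographicException ex)
        {
            // CheckSignature only reports "failed"; rebuild the chain to learn why.
            diagnostics = ex.Message + Environment.NewLine + ExplainChain(cms, swisscomRootCa2);
            return false;
        }
    }

    private static string ExplainChain(SignedCms cms, X509Certificate2 root)
    {
        var signer = cms.SignerInfos[0].Certificate;
        if (signer == null) return "no signer certificate embedded in the CMS";
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(root);          // same extra cert as above
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.Build(signer);
            // Each status entry names a reason the chain was rejected; on an affected
            // Windows host this is where the root store's NotBefore restriction shows up.
            var reasons = chain.ChainStatus.Select(s => s.Status + ": " + s.StatusInformation.Trim());
            return "signer " + signer.Subject + " -> " + string.Join("; ", reasons);
        }
    }
}
```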

phaupt commented on June 29, 2024

Please note, this issue appears on newer Windows Server versions. On Windows Server 2012 R2 the "NotBefore"-property seems not to be supported and the Swisscom Root CA 2 remains valid.
