Disable Certificate Transparency enforcement for a list of legacy certificate authorities (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge version 131.
Supported versions
- On Windows and macOS since 77, until 131
Description
Disables enforcing Certificate Transparency requirements for a list of legacy certificate authorities (CAs).
This policy lets you disable Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used for enterprise hosts.
In order for Certificate Transparency enforcement to be disabled, you must set the hash to a subjectPublicKeyInfo appearing in a CA certificate that is recognized as a legacy certificate authority (CA). A legacy CA is a CA that has been publicly trusted by default by one or more operating systems supported by Microsoft Edge.
You specify a subjectPublicKeyInfo hash by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".
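As an added illustration (not part of the Microsoft documentation), the following Python builds a policy entry from a DER-encoded subjectPublicKeyInfo exactly as described above, parses a policy list while skipping unrecognized algorithm names, and checks whether a chain contains an exempted CA key. The `der_tlv` helper and the sample SPKI (dummy RSA key bytes) are constructed here for the example.

```python
import base64
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder, used only to build the sample input."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

# Constructed sample: rsaEncryption SubjectPublicKeyInfo with dummy (non-real) key bytes.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
_modulus = b"\x00" + b"\xc3" * 256  # leading zero keeps the INTEGER positive
_exponent = b"\x01\x00\x01"  # 65537
_rsa_key = der_tlv(0x30, der_tlv(0x02, _modulus) + der_tlv(0x02, _exponent))
SAMPLE_SPKI_DER = der_tlv(
    0x30,
    der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    + der_tlv(0x03, b"\x00" + _rsa_key),  # BIT STRING, zero unused bits
)

def spki_policy_value(spki_der: bytes) -> str:
    """Policy entry for one CA key: 'sha256/' + Base64(SHA-256(DER SPKI)),
    the RFC 7469 SPKI fingerprint format the policy expects."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

def parse_policy_list(values):
    """Decode the policy list; unrecognized algorithm names and malformed Base64
    are skipped, as the policy description says. A real SHA-256 digest is 32
    bytes (44 Base64 chars); the page's example values are format placeholders."""
    accepted = []
    for value in values:
        alg, sep, b64 = value.partition("/")
        if sep != "/" or alg != "sha256":
            continue
        try:
            accepted.append(base64.b64decode(b64, validate=True))
        except ValueError:
            continue
    return accepted

def chain_exempt(chain_spki_ders, accepted_hashes) -> bool:
    """True if any SPKI in the chain is on the list, i.e. CT is not enforced for it."""
    allowed = set(accepted_hashes)
    return any(hashlib.sha256(d).digest() in allowed for d in chain_spki_ders)
```

Feed `spki_policy_value` the DER SPKI extracted from the legacy CA certificate (for example with `openssl x509 -pubkey` piped through a DER conversion) to obtain the exact string to place in the policy list.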
If you don't configure this policy, any certificate that's required to be disclosed via Certificate Transparency will be treated as untrusted if it isn't disclosed according to the Certificate Transparency policy.
This policy is obsolete because the feature to disable Certificate Transparency enforcement for legacy certificates has been removed.
Supported features
- Can be mandatory: Yes
- Can be recommended: No
- Dynamic Policy Refresh: Yes
- Per Profile: Yes
- Applies to a profile that is signed in with a Microsoft account: Yes
Data type
- List of strings
Windows information and settings
Group Policy (ADMX) info
- GP unique name: CertificateTransparencyEnforcementDisabledForLegacyCas
- GP name: Disable Certificate Transparency enforcement for a list of legacy certificate authorities (obsolete)
- GP path (Mandatory): Administrative Templates/Microsoft Edge
- GP path (Recommended): N/A
- GP ADMX file name: MSEdge.admx
Example value
sha256/AAAAAAAAAAAAAAAAAAAAAA==
sha256//////////////////////w==
Registry settings
- Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge\CertificateTransparencyEnforcementDisabledForLegacyCas
- Path (Recommended): N/A
- Value name: 1, 2, 3, ...
- Value type: List of REG_SZ
Example registry value
SOFTWARE\Policies\Microsoft\Edge\CertificateTransparencyEnforcementDisabledForLegacyCas\1 =
sha256/AAAAAAAAAAAAAAAAAAAAAA==
SOFTWARE\Policies\Microsoft\Edge\CertificateTransparencyEnforcementDisabledForLegacyCas\2 =
sha256//////////////////////w==
Mac information and settings
- Preference Key name: CertificateTransparencyEnforcementDisabledForLegacyCas
- Example value:
<array>
<string>sha256/AAAAAAAAAAAAAAAAAAAAAA==</string>
<string>sha256//////////////////////w==</string>
</array>