Disable Certificate Transparency enforcement for a list of legacy certificate authorities (obsolete)

Options

Description

OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 131. Disables enforcing Certificate Transparency requirements for a list of legacy certificate authorities (Cas). This policy lets you disable Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This disablement of requirements allows otherwise-untrusted certificates (on account of not being publicly disclosed) to continue to be used for enterprise hosts. For Certificate Transparency enforcement to be disabled, you must set the hash to a subjectPublicKeyInfo appearing in an authority-issued certificate that's recognized as a legacy certificate authority (CA). A legacy CA is a CA publicly trusted, by default, by one or more operating systems supported by Microsoft Edge. You specify a subjectPublicKeyInfo hash by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256". If you don't configure this policy, any certificate that's required to be disclosed via Certificate Transparency is treated as untrusted if it isn't disclosed according to the Certificate Transparency policy. This policy is obsolete because the feature to disable Certificate Transparency enforcement for legacy certificates has been removed. Example value: sha256/AAAAAAAAAAAAAAAAAAAAAA== sha256//////////////////////w==