Certificate chains #361
Comments
Hi, we have recommended to move to SHA2 based signing (see https://github.com/ms-iot/iot-adk-addonkit#17763-v7-branch) as the sha1 certificates are expiring/expired and not planned to be supported further. Can you see the instructions in the link and update your devices? |
I have looked through that a bit, what I don't see is instructions for
updating an existing product line. My devices do not support user
installation of a new os. I guess I was looking for confirmation
(preferably not 😁) that I cannot generate new software to be installed on
my existing fleet.
On Thu, Sep 8, 2022, 1:06 PM Paramesh Babu ***@***.***> wrote:
Hi, we have recommended to move to SHA2 based signing (see
https://github.com/ms-iot/iot-adk-addonkit#17763-v7-branch) as the sha1
certificates are expiring/expired and not planned to be supported further.
Can you see the instructions in the link and update your devices?
|
I guess the answers I was hoping for were
|
@matelich For migration of existing devices from cross-signed > custom signed binaries, follow the same steps as for a new FFU (except the FFU generation). Once the v7 versions of the Secure Boot, Device Guard, and your custom cert signed packages are ready, they can be deployed via Device Update Center, or manually using applyupdate.exe. A few things to be careful with:
|
The cert we had been using for creating retail builds expired and we use a homegrown tool which launches ApplyUpdate -stage [cab], ApplyUpdate -commit to perform updates of our software. I'm trying to get a new update out the door and my current cert I'm using is failing with "A certificate chain could not be built to a trusted root authority."
I'm not sure how to determine if I'm fully out of luck because there would be no acceptable root authorities, or if I just need a different cert. Original was Verisign, new is Digicert.
I'd love to be able to keep shipping updates to devices with my FFU built in 2019 (10.0.17763.253).
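The "certificate chain could not be built to a trusted root authority" error quoted above can be examined on a build machine with the sketch below, which is an added example and not code from this thread or from the iot-adk-addonkit project. `Get-SignerChain` and the package path are hypothetical names, and the result reflects the certificate stores of the machine it runs on, not the Secure Boot or Device Guard policy provisioned on a device.

```powershell
# Added example (not from the thread). Get-SignerChain is a hypothetical helper name.
function Get-SignerChain {
    param([Parameter(Mandatory)][string]$Path)   # path to a signed package, e.g. a .cab

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No Authenticode signer certificate found in $Path (status: $($sig.Status))"
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the check also works offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Build() uses this machine's certificate stores, not the device's.
    $trusted = $chain.Build($sig.SignerCertificate)

    # One row per certificate, leaf first, root (if found) last.
    $elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject            = $e.Certificate.Subject
            Issuer             = $e.Certificate.Issuer
            SignatureAlgorithm = $e.Certificate.SignatureAlgorithm.FriendlyName
            NotAfter           = $e.Certificate.NotAfter
            Thumbprint         = $e.Certificate.Thumbprint
            Problems           = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        ChainBuilt      = $trusted
        ChainProblems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Elements        = $elements
    }
}

# Usage (the path is a placeholder):
# $r = Get-SignerChain -Path .\MyUpdate.cab
# $r | Format-List File, SignatureStatus, ChainBuilt, ChainProblems
# $r.Elements | Format-Table -AutoSize
```

In the output, `PartialChain` or `UntrustedRoot` under `ChainProblems` means no trusted root was reachable from that machine's stores, `NotTimeValid` points at an expired certificate, and the `SignatureAlgorithm` column shows whether each certificate is SHA1- or SHA2-signed.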