ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.

Home Page: https://www.ssllabs.com/projects/ssllabs-apis/


Missing trust for Microsoft RSA Certificate Authority 2017 and Microsoft ECC Certificate Authority 2017 for Apple

kbracken-msft opened this issue · comments

I was recently investigating a website on SSLLabs (and thank you for this service, it's fantastic) and discovered a potential issue with the trust anchors reported for Apple.

For the Microsoft RSA Certificate Authority 2017 and Microsoft ECC Certificate Authority 2017 roots, SSLLabs is showing certificates issued under these roots as not trusted for Apple. Here is a sample query: https://www.ssllabs.com/ssltest/analyze.html?d=actrsaroot2017.pki.microsoft.com

However, this root has been trusted by Apple since Oct 2021 (iOS 15.1, macOS Monterey (12.1)). Here are the links showing the inclusion:

List of available trusted root certificates in iOS 15.1, iPadOS 15.1, macOS 12.1, tvOS 15.1, and watchOS 8.1 - Apple Support

This root is also listed in the CCADB, which also lists it as trusted by Apple's OSes.

Can you please help us understand where SSLLabs is getting its trust anchor information? We are very concerned that customers may look at the results for websites on SSLLabs and falsely conclude that there is missing trust for certificates issued under this root CA.

Thank you for your support.
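As an added illustration (not code from the ssllabs-scan project or from either participant in this thread), the script below reads an SSL Labs API v3 "analyze" report and lists the root stores in which no trust path validated, which is the per-store status this issue is about. The field names (`endpoints`, `details`, `certChains`, `trustPaths`, `trust`, `rootStore`, `isTrusted`, `trustErrorMessage`) follow the API v3 response format; the report embedded in the script is a constructed sample, not a real scan, and `fetch_report` is included only to show where a live report would come from.

```python
"""
Summarise per-root-store trust from an SSL Labs API v3 "analyze" report.

Added example, not part of the ssllabs-scan project.  The field names used
below follow the SSL Labs API v3 response; SAMPLE_REPORT is a constructed
stand-in for a real report so the script runs offline.
"""
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.ssllabs.com/api/v3"  # public SSL Labs API v3 base URL


def fetch_report(host: str) -> dict:
    """Fetch a finished report for `host` (needs network; not used offline)."""
    query = urllib.parse.urlencode({"host": host, "all": "done"})
    with urllib.request.urlopen(f"{API_BASE}/analyze?{query}", timeout=30) as resp:
        return json.load(resp)


def trust_by_root_store(report: dict) -> dict:
    """
    Return {rootStore: [error messages]} covering every root store the
    report mentions.  A store maps to [] when at least one trust path
    validated against it; otherwise it maps to the error messages the
    scanner gave for the paths that failed.
    """
    any_trusted = {}   # store -> True once any path validates
    errors = {}        # store -> messages from paths that did not validate
    for endpoint in report.get("endpoints", []):
        details = endpoint.get("details", {})
        for chain in details.get("certChains", []):
            for path in chain.get("trustPaths", []):
                for entry in path.get("trust", []):
                    store = entry["rootStore"]
                    if entry.get("isTrusted"):
                        any_trusted[store] = True
                    else:
                        any_trusted.setdefault(store, False)
                        msg = entry.get("trustErrorMessage", "untrusted")
                        errors.setdefault(store, []).append(msg)
    return {store: ([] if ok else errors.get(store, []))
            for store, ok in any_trusted.items()}


def untrusted_stores(report: dict) -> list:
    """Sorted list of root stores in which no trust path validated."""
    return sorted(s for s, errs in trust_by_root_store(report).items() if errs)


# Constructed sample: one endpoint, one chain, one path; the path validates
# against the Mozilla store but not against the Apple store.  The error
# message is made up for the sample and is not real scanner output.
SAMPLE_REPORT = {
    "host": "example.invalid",
    "endpoints": [{
        "ipAddress": "192.0.2.1",
        "details": {
            "certChains": [{
                "trustPaths": [{
                    "certIds": ["leaf-id", "intermediate-id", "root-id"],
                    "trust": [
                        {"rootStore": "Mozilla", "isTrusted": True},
                        {"rootStore": "Apple", "isTrusted": False,
                         "trustErrorMessage": "Issuer not found in root store (constructed sample)"},
                    ],
                }],
            }],
        },
    }],
}


if __name__ == "__main__":
    for store, errs in sorted(trust_by_root_store(SAMPLE_REPORT).items()):
        status = "trusted" if not errs else "NOT trusted: " + "; ".join(errs)
        print(f"{store:10s} {status}")
    print("stores with no valid path:", untrusted_stores(SAMPLE_REPORT))
```

A store that appears in `untrusted_stores` while the vendor's published list (or the CCADB) says the root is included is the situation described in this issue: the result then reflects the trust store snapshot the scanner was built with, not the platform's current trust, so the snapshot date of the scanner should be checked before treating the finding as a real trust gap.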

Hi @kbracken-msft

Thanks a lot for the appreciation and thank you for reaching out.

Currently, www.ssllabs.com is on 2.1.10 with an older version of the trust store, and dev.ssllabs.com is on 2.1.11.
dev.ssllabs.com results in a valid trust path for the domain shared by you - https://www.ssllabs.com/ssltest/analyze.html?d=actrsaroot2017.pki.microsoft.com

Let me know if you have any other query.

Regards,
Nauman Shah

Thanks for the quick reply! When will the trust store be updated to the latest version?