diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ae48d8..d2e57a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0. ## [Unreleased] +## [2.1.2] - 2024-10-24 + +### Fixed +- allow `cdp.geotrust.com`, `cacerts.geotrust.com`, `cacerts.digicert.com` and `status.geotrust.com` for windows activation based on [learn.microsoft.com](https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list#public-key-encryption-and-signature-algorithms) + ## [2.1.1] - 2024-05-30 ### Fixed diff --git a/README.md b/README.md index 329e13f..9d21bae 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ module "firewall_rules" { | [ipg\_platform\_id](#input\_ipg\_platform\_id) | IP ranges for the whole platform service, defined by the azure landing zone core modules. | `string` | n/a | yes | | [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which the firewall policy and the azure firewall are located. | `string` | n/a | yes | | [stage](#input\_stage) | The stage that the resource is located in, e.g. prod, dev. | `string` | n/a | yes | -| [bastion\_config](#input\_bastion\_config) |
ipg_bastion_id: If the customer uses bastion, provide the bastion ip-group in this variable.|
ipg_rdp_access_ids: If RDP access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via RDP.
ipg_ssh_access_ids: If SSH access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via SSH.
object({| `null` | no | +| [bastion\_config](#input\_bastion\_config) |
ipg_bastion_id = string
ipg_rdp_access_ids = optional(list(string), [])
ipg_ssh_access_ids = optional(list(string), [])
})
ipg_bastion_id: If the customer uses bastion, provide the bastion ip-group in this variable.|
ipg_rdp_access_ids: If RDP access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via RDP.
ipg_ssh_access_ids: If SSH access is needed, provide vm ip-groups in this variable. Every ip-group provided in this list, will be accessible by bastion via SSH.
object({| `null` | no | | [firewall\_policy\_id](#input\_firewall\_policy\_id) | For testing use this | `string` | `null` | no | | [ipg\_azure\_dc\_id](#input\_ipg\_azure\_dc\_id) | The ip addresses of the domain controller located in azure. If the value is not provided, this network rule collection will not be created. | `string` | `null` | no | | [ipg\_dnsprivateresolver\_id](#input\_ipg\_dnsprivateresolver\_id) | The ip address of the private dns resolver inbound endpoint. If the value is not provided, this network rule collection will not be created | `string` | `null` | no | diff --git a/main.tf b/main.tf index caf7db6..d88fcba 100644 --- a/main.tf +++ b/main.tf @@ -153,7 +153,11 @@ resource "azurerm_firewall_policy_rule_collection_group" "this" { "*.root-c3-ca2-2009.ocsp.d-trust.net", "*.crl.microsoft.com", "*.oneocsp.microsoft.com", - "*.ocsp.msocsp.com" + "*.ocsp.msocsp.com", + "cdp.geotrust.com", + "cacerts.geotrust.com", + "cacerts.digicert.com", + "status.geotrust.com" ] protocols { type = "Http"
ipg_bastion_id = string
ipg_rdp_access_ids = optional(list(string), [])
ipg_ssh_access_ids = optional(list(string), [])
})
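Review bot: in the CHANGELOG hunk, the `### Fixed` entry's link anchor `#public-key-encryption-and-signature-algorithms` points at the signature-algorithms section of the Azure CA details page, not at a list of CRL/OCSP endpoints, so the stated justification for allowing `cdp.geotrust.com`, `cacerts.geotrust.com`, `cacerts.digicert.com` and `status.geotrust.com` cannot be checked from the reference as written; link the section that actually lists those hostnames (or quote the relevant endpoint table in the entry). Also capitalise "Windows activation" and say that the hosts are allowed over HTTP only, since that is what the `type = "Http"` rule in main.tf grants.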
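Review bot: the README hunk removes and re-adds the `bastion_config` row with what reads as an identical description, type (`object({ ipg_bastion_id = string ... })`) and default (`null`, `no`), so it looks like terraform-docs regeneration noise rather than a documentation change belonging to 2.1.2; either drop it from this change or keep it in a separate docs-only commit. Nothing in the patch updates README to mention the four newly allowed hosts, so consumers of the module only learn about them from the CHANGELOG or by reading main.tf.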
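Review bot: in the main.tf hunk, the four hostnames appended after `"*.ocsp.msocsp.com",` carry no in-code comment explaining why they sit in this collection, while the CHANGELOG attributes them to Windows activation; add a comment next to them citing the source document so a future maintainer can tell them apart from the CA/OCSP entries above and prune them if the requirement goes away, and consider moving the list into a `locals` block so the CHANGELOG and the code share one source. Exact hostnames rather than `*.` wildcards are the right choice here (tighter than the surrounding entries), and `type = "Http"` matches how CRL distribution points and OCSP responders are served, so no change is needed on those two points.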