- Introduction
- How do I get a trusted root certificate?
- What are trusted certificates?
- How do trusted certificates work?
- Why are there so many trusted root certificate authorities?
- How do I install a trusted root certificate on a Mac?
- Where is trusted root certification authorities?
- What is CRL signing?
- How do I find my trusted root certification authorities?
- What is CA root certificate not trusted?
- What happens if I delete security certificates?
- Should I disable trusted credentials?
- What does root certificate do?
- What does a root certificate identify?
- What are trusted certificates in Android?
- Managing Trusted Root Certificates in Windows 10
- Rootsupd.exe Utility
- Certutil: Getting Latest Root Certificates from Windows Update
- The List of Root Certificates in STL Format
- Updating Root Certificates in Windows with GPO in an Isolated Environment
- Managing Trusted Root Certificates in Windows 10 and 11
- Getting Latest Root Certificates from Windows Update
- Program Technical Requirements
- A. Root Requirements
- B. Key Requirements
- C. Revocation Requirements
- D. Code Signing Root Certificate Requirements
- E. EKU Requirements
- F. Windows 10 Kernel Mode Code Signing (KMCS) Requirements
- Updating List of Trusted Root Certificates in Windows 10/8.1/7
- How to Disable/Enable Automatic Root Certificates Update in Windows?
- Updating Root Certificates in Windows with GPO in an Isolated Environment
- Rootsupd.exe Utility
- Managing Trusted Root Certificates in Windows 10
- Download Trusted Root Certificates from Windows Update
- How to Update Trusted Root Certificates in Windows 7?
- Continuing Program Requirements
- Audit Requirements
- Communication and Disclosure Requirements
- Other Requirements
- Certificate Trust List (STL) in Windows
- Updating Trusted Root Certificates via GPO in an Isolated Environment
- Updating Root Certificates on Windows XP Using the Rootsupd.exe Tool
- Trusted Root Certification Authorities Certificate Store
Introduction
The Microsoft Root Certificate Program supports the distribution of root certificates, enabling customers to trust Windows products. This page describes the Program’s general and technical requirements.
- For information on the most-recent updates shipped, please see https://aka.ms/rootupdates
- Bookmark this page as: https://aka.ms/RootCert
All Windows versions have a built-in feature for automatically updating root certificates from the Microsoft websites. As part of the Microsoft Trusted Root Certificate Program, Microsoft maintains and publishes a list of trusted certificates for clients and Windows devices in its online repository. If a certificate being verified chains to a root CA that participates in this program, the system automatically downloads that root certificate from the Windows Update servers and adds it to the trusted ones.
In this article, we’ll try to find out how to manually update the list of root certificates in TrustedRootCA in disconnected (isolated) networks or computers/servers without direct Internet access.
Note. If your computers access the Internet through a proxy server, Microsoft recommends that you open direct access (bypass) to Microsoft Web sites to automatically renew root certificates. However, it isn’t always possible or applicable due to corporate restrictions.
Trusted root certificates are the cornerstone of authentication and security in software and on the Internet. They’re issued by a certificate authority (CA) and, essentially, verify that the software/website owner is who they say they are.
How do I get a trusted root certificate?
Expand Policies > Windows Settings > Security Settings > Public Key Policies. Right-click Trusted Root Certification Authorities and select Import. Click Next and Browse to select the CA certificate you copied to the device. Click Finish and then OK.
What are trusted certificates?
Similar to other platforms like Windows and macOS, Android maintains a system root store that is used to determine if a certificate issued by a particular Certificate Authority (CA) is trusted. This list will only be accurate for the current version of Android and is updated when a new version of Android is released.
How do trusted certificates work?
A trusted certificate authority — or what’s also known as a commercial certificate authority — is a third-party entity that issues certificates for organizations that request them. They’re not controlled in any way by the person or organization that requests a certificate from them.
Why are there so many trusted root certificate authorities?
They exist so that the browser and the operating system keep working in all these different places, where people access sites that quite legitimately have their HTTPS certificates signed by all of these different signing authorities.
How do I install a trusted root certificate on a Mac?
FAQ: How to add root certificate to Mac OS X
- Double click the certificate file (with “.cer” extension)
- Choose “System” from the keychain option. Then press “OK”
- When the following window pops-up, click the “Always Trust” button.
- Then you will notice that the certificate is added to the system entry.
Where is trusted root certification authorities?
What is CRL signing?
A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their actual or assigned expiration date. The CRL file is signed by the CA to prevent tampering.
How do I find my trusted root certification authorities?
To check the certificate store for third-party certificates, use Sigcheck (a tool from Sysinternals). The tool downloads the authrootstl.cab archive, which contains the list of Microsoft root certificates in Certificate Trust List format, from the Microsoft website and saves it to its own directory.
What is CA root certificate not trusted?
You will face a root certificate not trusted error if the Securly SSL certificate is not installed on your macOS X. To stop receiving the error you would, therefore, need to install the SSL certificate.
What happens if I delete security certificates?
Removing all credentials will delete both the certificate you installed and those added by your device. Go to your device Settings. In Settings, navigate to Security and Location. Before you clear all your credentials, you may want to view them first.
Should I disable trusted credentials?
What does root certificate do?
Root certificates are the cornerstone of authentication and security in software and on the Internet. They’re issued by a certificate authority (CA) and, essentially, verify that the software/website owner is who they say they are.
What does a root certificate identify?
In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA).
What are trusted certificates in Android?
Trusted secure certificates are used when connecting to secure resources from the Android operating system. These certificates are encrypted on the device and may be used for Virtual Private Networks, Wi-Fi and ad-hoc networks, Exchange servers, or other applications found in the device.
Managing Trusted Root Certificates in Windows 10
How to see the list of root certificates of a Windows computer?
- To open the root certificate store of a computer running Windows 10/8.1/7/Windows Server, start the mmc.exe console;
- Select File -> Add/Remove Snap-in, select Certificates (certmgr) in the list of snap-ins -> Add;
- Select that you want to manage certificates of the local Computer account;
- Next -> OK -> OK;
- Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains the list of trusted root certificates on your computer.
You can also get a list of trusted root certificates with expiration dates using PowerShell:
You can also list certificates that have expired or that expire within the next 30 days:

In the mmc console, you can view information about any certificate or remove it from the trusted ones. For security reasons, I recommend that you periodically check the certificate store of your computer for suspicious and revoked certificates using the Sigcheck tool.
You can manually transfer the root certificate file between Windows computers using the Export/Import function.
Rootsupd.exe Utility
In Windows XP, the rootsupd.exe utility was used to update the computer's root certificates. The list of root and revoked certificates in it was regularly updated. The utility was distributed as a separate update KB931125 (Update for Root Certificates). Let’s see if we can use it now.
- Download the rootsupd.exe utility using the following link: http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe. At the moment (January, 2020) the link doesn’t work, maybe Microsoft decided to remove it from the public. Today you can download the rootsupd.exe from kaspersky.com website — http://media.kaspersky.com/utilities/CorporateUtilities/rootsupd.zip;
- To install the Windows root certificates, just run the rootsupd.exe file. But we will try to examine its contents more carefully. Extract the certificates from the executable file with the command:
rootsupd.exe /c /t:C:\PS\rootsupd
- Certificates are stored in SST files, like authroots.sst, delroots.sst, etc. To delete/install a certificate, you can use the following commands:
updroots.exe authroots.sst
updroots.exe -d delroots.sst
However, as you can see, these certificate files were created on April 4, 2013 (almost a year before the end of official support of Windows XP). The utility has not been updated since then and cannot be used to install up-to-date certificates. A little later we will need the updroots.exe file.
Certutil: Getting Latest Root Certificates from Windows Update
The latest version of the Certutil.exe tool for managing certificates (available in Windows 10) allows you to download the current list of root certificates from Windows Update and save it to an SST file.
certutil.exe -generateSSTFromWU roots.sst

As a result, an SST file containing an up-to-date list of root certificates will appear in the target directory. Double-click to open it. This file is a container of trusted root certificates.

As you can see, the familiar Certificate Management snap-in opens, from which you can export any of the certificates you have got. In my case, there were 358 items in the list of certificates. Obviously, it is not rational to export the certificates and install them one by one.
Tip. To generate individual certificate files, use the command certutil -syncWithWU. The certificates obtained in this way can be deployed on Windows clients using GPO.
To install all the certificates from the SST file and add them to the list of trusted root certificates on a computer, you can use the PowerShell commands:
To install all certificates listed in the file, use the updroots.exe (it is located in the rootsupd.exe file we extracted in the previous section).

Run the certmgr.msc snap-in and make sure that all certificates have been added to the Trusted Root Certification Authority.
The List of Root Certificates in STL Format
There is another way to get the list of root certificates from Microsoft website. To do it, download the file http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (updated twice a month). Using any archiver (or even Windows Explorer) unpack authrootstl.cab. It contains one file authroot.stl.

The Authroot.stl file is a container with a list of trusted certificates in Certificate Trust List format.

You can install this file in the system using the context menu of the STL file (Install CTL).

Or using certutil.exe tool:
certutil -addstore -f root authroot.stl

root "Trusted Root Certification Authorities"
CTL 0 added to store.
CertUtil: -addstore command completed successfully.

You can also import certificates using the certificate management console (Trusted Root Certification Authorities -> Certificates -> All Tasks -> Import). Specify the path to your STL file with certificates.
After you have run the command, a new section Certificate Trust List appears in the Trusted Root Certification Authorities container of the Certificate Manager console (certmgr.msc).

In the same way, you can download and install the list of the revoked (disallowed) certificates that have been removed from the Root Certificate Program. To do it, download disallowedcertstl.cab (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab), unpack it and add it to the Untrusted Certificates section using this command:
certutil -addstore -f disallowed disallowedcert.stl
Updating Root Certificates in Windows with GPO in an Isolated Environment
certutil.exe -generateSSTFromWU roots.sst
Then the certificates from this file can be distributed via SCCM or PowerShell logon script in GPO:
The second way is to obtain the current root certificates using the command:
Certutil -syncWithWU -f \\my-dc-01\SYSVOL\contoso.com\rootcert

- Action: Update
- Hive: HKLM
- Key path: Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
- Value name: RootDirURL
- Type: REG_SZ
- Value data: file://\\my-dc-01\SYSVOL\contoso.com\rootcert

In this article, we looked at several ways to renew trusted root certificates on a Windows network that is isolated from the Internet.
Managing Trusted Root Certificates in Windows 10 and 11
How to see the list of trusted root certificates on a Windows computer?
- To open the root certificate store of a computer running Windows 11/10/8.1/7 or Windows Server 2022/2019/2016, run the mmc.exe console;
- Select File -> Add/Remove Snap-in, select Certificates (certmgr) in the list of snap-ins -> Add;
- Select that you want to manage certificates of local Computer account;

- Next -> OK -> OK;
- Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains the list of trusted root certificates on your computer.
In the mmc console, you can view information about any certificate or remove it from trusted ones.
You can also get a list of trusted root certificates with their expiration dates using PowerShell:
You can also list certificates that have expired or that expire within the next 60 days:
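One way to produce the listings described here and in the Windows 10 section above (expiration dates, plus certificates that are expired or close to expiring), as an added example that is not the article's original commands. The function name `Get-RootCertExpiry` and its `-WarnDays` parameter are illustrative; set the window to 30 or 60 days as needed.

```powershell
# Added example: report every certificate in the machine Trusted Root store
# with its expiry state. Read-only; nothing is removed from the store.
function Get-RootCertExpiry {
    [CmdletBinding()]
    param(
        # Certificate provider path of the store to inspect
        [string]$StorePath = 'Cert:\LocalMachine\Root',
        # Certificates expiring within this many days are flagged (illustrative default)
        [int]$WarnDays = 60
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($WarnDays)

    Get-ChildItem -Path $StorePath |
        # The store can also hold CTL entries; keep certificates only
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            if ($_.NotAfter -lt $now) {
                $status = 'Expired'
            } elseif ($_.NotAfter -lt $cutoff) {
                $status = 'ExpiringSoon'
            } else {
                $status = 'Valid'
            }

            [pscustomobject]@{
                Status     = $status
                NotAfter   = $_.NotAfter
                DaysLeft   = [math]::Floor(($_.NotAfter - $now).TotalDays)
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
            }
        }
}

# Full list with expiration dates, soonest first
$report = Get-RootCertExpiry -WarnDays 60
$report | Sort-Object NotAfter | Format-Table -AutoSize

# Only the entries that are expired or expire within the window
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object NotAfter |
    Format-Table Status, NotAfter, DaysLeft, Subject -AutoSize
```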

For security reasons, it’s recommended that you periodically check the certificate trust store on your computer for suspicious and revoked certificates using the Sigcheck tool. This tool allows you to compare the list of certificates installed on the computer with the list of root certificates on the Microsoft website (you can download an offline file with up-to-date certificates authrootstl.cab).
You can manually transfer the root certificate file between Windows computers using the Export/Import options.
Getting Latest Root Certificates from Windows Update
The latest version of the Certutil.exe tool for managing certificates (available in Windows 10) allows you to download the current list of root certificates from Windows Update and save it to an SST file.
certutil.exe -generateSSTFromWU roots.sst

As a result, an SST file containing an up-to-date list of root certificates will appear in the target directory. Double-click to open it. This file is a container of trusted root certificates.

As you can see, the familiar Certificate Management snap-in opens, from which you can export any of the certificates you have got. In my case, there were 358 items in the list of certificates. Obviously, it is not rational to export the certificates and install them one by one.
To install all the certificates from the SST file and add them to the list of trusted root certificates on a computer, you can use the PowerShell commands:
To install all certificates listed in the file, use the updroots.exe (it is located in the rootsupd.exe file, which was extracted in the previous section).

Run the certmgr.msc snap-in and make sure that all certificates have been added to the Trusted Root Certification Authority.
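One way to do the SST import described above in PowerShell while reviewing what will change first, as an added example rather than the article's own commands. The path `C:\PS\roots.sst` and the function name `Get-NewRootsFromSst` are assumptions; the file is the one produced by `certutil.exe -generateSSTFromWU roots.sst` and copied to the isolated machine.

```powershell
# Added example: list the certificates in an SST file that are not yet in the
# local Trusted Root store, then import the file. Run from an elevated session.
function Get-NewRootsFromSst {
    param(
        [Parameter(Mandatory = $true)][string]$SstPath,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )

    # Load the serialized store into memory; the system store is not touched here
    $fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $fromFile.Import((Resolve-Path -LiteralPath $SstPath).ProviderPath)

    # Thumbprints that are already trusted on this machine
    $installed = New-Object 'System.Collections.Generic.HashSet[string]'
    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object { [void]$installed.Add($_.Thumbprint) }

    $now = Get-Date
    foreach ($cert in $fromFile) {
        if (-not $installed.Contains($cert.Thumbprint)) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt $now)
                # A root certificate is self-issued: subject and issuer match
                SelfIssued = ($cert.Subject -eq $cert.Issuer)
            }
        }
    }
}

$sst     = 'C:\PS\roots.sst'   # assumed location of the copied file
$pending = @(Get-NewRootsFromSst -SstPath $sst)

$pending | Sort-Object Subject | Format-Table -AutoSize
'{0} certificate(s) in {1} are not yet in the local Root store' -f $pending.Count, $sst

# Import the whole SST file into the machine Trusted Root store.
# -WhatIf only shows what would happen; remove it once the list above has been reviewed.
Import-Certificate -FilePath $sst -CertStoreLocation Cert:\LocalMachine\Root -WhatIf
```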
Program Technical Requirements
All CAs in the Program must comply with the Program Technical Requirements. If Microsoft determines that a CA is not in compliance with the below requirements, Microsoft will exclude that CA from the Program.
A. Root Requirements
B. Key Requirements
C. Revocation Requirements
- The CA must have a documented revocation policy and must have the ability to revoke any certificate it issues.
- CAs that issue Server Authentication certificates must support the following OCSP responder requirements:
- Minimum validity of eight (8) hours; Maximum validity of seven (7) days; and
- The next update must be available at least eight (8) hours before the current period expires. If the validity is more than 16 hours, then the next update must be available at ½ of the validity period.
- All certificates issued from a root CA must support either the CRL distribution point extension and/or AIA containing an OCSP responder URL.
- The CA must not use the root certificate to issue end-entity certificates.
- If a CA issues Code Signing certificates, it must use a Time Stamp Authority that complies with RFC 3161, "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)."
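The OCSP responder timing rules in this section can be checked mechanically. The following is an added example, not part of the Program text: the function name `Test-OcspResponseWindow`, its parameters and the sample timestamps are all constructed for illustration, and the times are assumed to have been read from a responder's thisUpdate/nextUpdate fields and publication logs.

```powershell
# Added example: check one OCSP response window against the rules quoted above:
#   - validity (nextUpdate - thisUpdate) between 8 hours and 7 days
#   - the following response available at least 8 hours before expiry,
#     or by half of the validity period when validity exceeds 16 hours
function Test-OcspResponseWindow {
    param(
        [Parameter(Mandatory = $true)][datetime]$ThisUpdate,
        [Parameter(Mandatory = $true)][datetime]$NextUpdate,
        # When the responder made the following response available (hypothetical input)
        [Parameter(Mandatory = $true)][datetime]$NextResponseAvailable
    )

    $validity = $NextUpdate - $ThisUpdate
    $problems = @()

    if ($validity -lt [timespan]::FromHours(8)) { $problems += 'validity is shorter than 8 hours' }
    if ($validity -gt [timespan]::FromDays(7))  { $problems += 'validity is longer than 7 days' }

    # Latest moment by which the following response must be available
    if ($validity -gt [timespan]::FromHours(16)) {
        $deadline = $ThisUpdate.AddTicks([long]($validity.Ticks / 2))
    } else {
        $deadline = $NextUpdate.AddHours(-8)
    }
    if ($NextResponseAvailable -gt $deadline) {
        $problems += ('next update was not available by {0:s}' -f $deadline)
    }

    [pscustomobject]@{
        ValidityHours   = $validity.TotalHours
        RefreshDeadline = $deadline
        Compliant       = ($problems.Count -eq 0)
        Problems        = ($problems -join '; ')
    }
}

# Constructed sample windows (not real responder data)
$t0 = [datetime]'2024-01-01T00:00:00'
$samples = @(
    # 4-day validity, refreshed at the halfway point: compliant
    @{ ThisUpdate = $t0; NextUpdate = $t0.AddDays(4);   NextResponseAvailable = $t0.AddDays(2) },
    # 4-day validity, refreshed on day 3: past the half-validity deadline
    @{ ThisUpdate = $t0; NextUpdate = $t0.AddDays(4);   NextResponseAvailable = $t0.AddDays(3) },
    # 12-hour validity, refreshed 3 hours before expiry: less than 8 hours of overlap
    @{ ThisUpdate = $t0; NextUpdate = $t0.AddHours(12); NextResponseAvailable = $t0.AddHours(9) },
    # 10-day validity: exceeds the 7-day maximum
    @{ ThisUpdate = $t0; NextUpdate = $t0.AddDays(10);  NextResponseAvailable = $t0.AddDays(5) }
)

$results = foreach ($s in $samples) { Test-OcspResponseWindow @s }
$results | Format-Table -AutoSize -Wrap
```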
D. Code Signing Root Certificate Requirements
- New root CAs that support code-signing infrastructure must be signed using the SHA2 hashing algorithm.
- Root certificates that support code signing use may be removed from distribution by the Program 10 years from the date of distribution of a replacement rollover root certificate or sooner, if requested by the CA.
- Root certificates that remain in distribution to support only code signing use beyond their algorithm security lifetime (e.g. RSA 1024 = 2014, RSA 2048 = 2030) may be set to ‘disable’ in the Windows 10 OS.
E. EKU Requirements
CAs must provide a business justification for all of the EKUs assigned to their root certificate. Justification may be in the form of public evidence of a current business of issuing certificates of a type or types, or a business plan demonstrating an intention to issue those certificates in the near term (within one year of root certificate distribution by the Program).
- Server Authentication = 1.3.6.1.5.5.7.3.1
- Client Authentication = 1.3.6.1.5.5.7.3.2
- Secure E-mail EKU = 1.3.6.1.5.5.7.3.4
- Code Signing EKU = 1.3.6.1.5.5.7.3.3
- Time stamping EKU = 1.3.6.1.5.5.7.3.8
- Document Signing EKU = 1.3.6.1.4.1.311.10.3.12
  - This EKU is used for signing documents within Office. It is not required for other document signing uses.
F. Windows 10 Kernel Mode Code Signing (KMCS) Requirements
Microsoft updates Trusted Root Certificate Program

Win store do not allow to import root certificate
Hi, did anyone notice that different Windows do not allow automatic import of a root certificate into Trusted Root Certification Authorities?
When you want to import it manually, you get a notice that the import is successful, but it actually is not imported.
NSS Mozilla store is working properly and root certificate is in it.
In some cases it helps if you import the root certificate through mmc.exe (turn on Show physical stores) and import it into Trusted Root Certification Authorities as Local computer.
Is there some Windows update that no longer allows automatic import of a root certificate into Trusted Root Certification Authorities?
Windows 10 Mail certificate errors
Thank you for your input, Peter, but Michael wrote he already added the certificate to the store.
As did I.
So, an instruction how to add a certificate (without actually telling how to trust a Root Certificate) doesn’t help. At all.
The issue is that all applications honor the trusted root certificate, but the Windows 10 Mail App apparently thinks it’s smarter than the Trusted Root CA Certificates store and still doesn’t trust our custom certificates.
Microsoft Root Certificate 2011.cer
Does anyone know what are the minimum versions of MS Windows 7 and Windows 10 that include the "MicrosoftRootCertificateAuthority2011.cer" file?
Suggest you try the Technet Forum if you need assistance with a server issue.
Technet forums — Windows Server
Expired Microsoft Timestamp Root Certificate
Our organization has Server 2012R2 Domain Controllers. We have been getting dinged by Retina scans for some expired certificates, among them Microsoft Timestamp Root, and Microsoft Authenticode(tm) Root. Some of them expired in 1999. Can these certificates be renewed or deleted without breaking something?
How to Disable/Enable Automatic Root Certificates Update in Windows?
As we mentioned, Windows automatically updates root certificates. You can enable or disable certificate renewal in Windows through a GPO or the registry.
The Turn off Automatic Root Certificates Update option in this section allows you to disable automatic updating of root certificates through the Windows Update sites. By default, this policy is not configured and Windows always tries to automatically renew root certificates.

If this GPO option is not configured and the root certificates are not automatically renewed, check if this setting is manually enabled in the registry. Check the value of the registry parameter using PowerShell:
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot' -Name DisableRootAutoUpdate

If the command returns that the value of the DisableRootAutoUpdate registry parameter is 1, then the updating of root certificates is disabled on your computer. To enable it, change the parameter value to 0.
Updating Root Certificates in Windows with GPO in an Isolated Environment
certutil.exe -generateSSTFromWU roots.sst
Then the certificates from this file can be distributed via SCCM or PowerShell logon script in GPO:
The second way is to obtain the actual root certificates using the command:
Certutil -syncWithWU -f \\fr-dc01\SYSVOL\woshub.com\rootcert\

- Action: Update
- Hive: HKLM
- Key path: Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
- Value name: RootDirURL
- Type: REG_SZ
- Value data: file://\\fr-dc01\SYSVOL\woshub.com\rootcert\

It remains to link this policy to a computer's OU and, after updating the policies, to check for new root certificates in the certstore.
In this article, we looked at several ways to renew trusted root certificates on a Windows network that is isolated from the Internet.
Rootsupd.exe Utility
In Windows XP, the rootsupd.exe utility was used to update the computer's root certificates. The list of root and revoked certificates in it was regularly updated. The utility was distributed as a separate update KB931125 (Update for Root Certificates). Let's see if we can use it now.
- Download the rootsupd.exe utility using the following link http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe . At the moment (August 2, 2019) the link doesn’t work, maybe Microsoft decided to remove it from the public. Today you can download the rootsupd.exe from kaspersky.com website — http://media.kaspersky.com/utilities/CorporateUtilities/rootsupd.zip ;
- To install the Windows root certificates, just run the rootsupd.exe file. But we will try to examine its contents more carefully. Extract the certificates from the executable file with the command: rootsupd.exe /c /t:C:\PS\rootsupd

- Certificates are stored in SST files, like authroots.sst, delroots.sst, etc. To delete/install a certificate, you can use the following commands:
updroots.exe authroots.sst
updroots.exe -d delroots.sst
However, as you can see, these certificate files were created on April 4, 2013 (almost a year before the end of official support of Windows XP). Thus, since then the utility has not been updated and cannot be used to install up-to-date certificates. A little later we will need the updroots.exe file.
Managing Trusted Root Certificates in Windows 10
How to see the list of root certificates of a Windows computer?
- To open the root certificate store of a computer running Windows 10/8.1/7/Windows Server, start the mmc.exe console;
- Select File -> Add/Remove Snap-in, select Certificates (certmgr) in the list of snap-ins -> Add;
- Select that you want to manage certificates of local Computer account;

- Next -> OK -> OK;
- Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains the list of trusted root certificates on your computer.
You can also get a list of trusted root certificates with expiration dates using PowerShell:
You can list the expired certificates, or which expire in the next 30 days:
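Both listings can come from one function. The following is an added example, not the original article's commands; the function name Get-RootCertExpiry and its parameters are made up for this illustration:

```powershell
# Added example. Get-RootCertExpiry is a hypothetical helper name, not a built-in cmdlet.
function Get-RootCertExpiry {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\Root',  # Trusted Root Certification Authorities
        [int]$WarnDays = 30                               # "expires soon" window, in days
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        if ($_.NotAfter -lt $now) {
            $status = 'Expired'
        } elseif ($_.NotAfter -lt $now.AddDays($WarnDays)) {
            $status = 'ExpiringSoon'
        } else {
            $status = 'Valid'
        }
        [pscustomobject]@{
            Status     = $status
            NotAfter   = $_.NotAfter
            DaysLeft   = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
        }
    } | Sort-Object NotAfter
}

# All trusted roots with their expiration dates, soonest first
Get-RootCertExpiry | Format-Table Status, NotAfter, DaysLeft, Subject -AutoSize

# Only the roots that are expired or expire within the next 30 days
Get-RootCertExpiry -WarnDays 30 | Where-Object Status -ne 'Valid'
```

Expired roots can still be needed to validate signatures that were time-stamped before the expiry date, so treat the second listing as input for review rather than as a deletion list.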

In the mmc console, you can view information about any certificate or remove it from trusted ones.
You can manually transfer the root certificate file between Windows computers using the Export/Import function.
- You can export any certificate to a .CER file by clicking on it and selecting All Tasks -> Export;

- You can import this certificate on another computer using the option All Tasks -> Import.

Download Trusted Root Certificates from Windows Update
The certutil.exe CLI tool can be used to manage certificates (introduced in Windows 10; for Windows 7 it is available as a separate update). It can be used to download an up-to-date list of root certificates from Windows Update and save it to an SST file.
To generate an SST file on a computer running Windows 10 or 11 and having direct access to the Internet, open the elevated command prompt and run the command:
certutil.exe -generateSSTFromWU C:\PS\roots.sst
Updated SST file. CertUtil: -generateSSTFromWU command completed successfully.

As a result, an SST file containing an up-to-date list of root certificates will appear in the target directory. Double-click to open it. This file is a container containing trusted root certificates.

As you can see, a familiar Certificate Management snap-in opens, from which you can export any of the certificates you have got. In my case, there have been 358 items in the list of certificates. Obviously, it is not rational to export the certificates and install them one by one.
Tip. The certutil -syncWithWU command can be used to generate individual certificate files. The certificates obtained in this way can be deployed to Windows devices using GPO.
You can use PowerShell script to install all certificates from the SST file and add them to the list of trusted root certificates on a computer:
Run the certmgr.msc snap-in and make sure that all certificates have been added to the Trusted Root Certification Authority. In my example on Windows 11, the number of root certificates increased from 34 to 438.

A clean copy of Windows after installation contains only a small number of certificates in the root store. If the computer is connected to the Internet, the rest of the root certificates will be installed automatically (on demand) if your device accesses an HTTPS site or an SSL certificate that has a fingerprint from the Microsoft CTL in its trust chain. Therefore, as a rule, there is no need to immediately add all certificates that Microsoft trusts to the local certification store.
How to Update Trusted Root Certificates in Windows 7?
After installing a clean Windows 7 image, you may find that many modern programs and tools do not work on it as they are signed with new certificates. In particular, there have been complaints that .Net Framework 4.8 or Microsoft Visual Studio (vs_Community.exe) cannot be installed on Windows 7 SP1 x64 without updating root certificates.
The installer manifest failed signature validation.
NET Framework has not been installed because a certificate chain could not be built to a trusted root authority.

After that, you can use the certutil to generate an SST file with root certificates (on current or another computer):
certutil.exe -generateSSTFromWU c:\ps\roots.sst
Now you can import certificates into trusted ones:
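The import step referred to here and in the Windows 10/11 section above can be done with a review pass before anything is trusted. This is an added example, not the original article's script; Import-ReviewedRootSst is a made-up helper name, and the self-issued check (Subject equals Issuer) is a simple heuristic chosen for this illustration:

```powershell
# Added example; Import-ReviewedRootSst is a hypothetical helper, not a built-in cmdlet.
# Needs PowerShell 4.0+ (Get-FileHash) and an elevated session, because the
# LocalMachine\Root store is opened for writing.
function Import-ReviewedRootSst {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$SstPath          # e.g. C:\PS\roots.sst from certutil -generateSSTFromWU
    )
    $file = (Resolve-Path -Path $SstPath).Path
    # An SST is an unsigned serialized store, so record its hash: it lets you match
    # the file that was imported to the file that was generated.
    $sha256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash

    # Load the SST into memory only; nothing is trusted at this point.
    $sst = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $sst.Import($file)

    # Thumbprints that are already in Trusted Root Certification Authorities.
    $trusted = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $trusted[$_.Thumbprint] = $true }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        foreach ($cert in $sst) {
            if ($trusted.ContainsKey($cert.Thumbprint)) {
                $action = 'AlreadyTrusted'
            } elseif ($cert.Subject -ne $cert.Issuer) {
                # A root is self-issued; anything else does not belong in this store.
                $action = 'SkippedNotSelfIssued'
            } elseif ($PSCmdlet.ShouldProcess($cert.Subject, 'Add to LocalMachine\Root')) {
                $store.Add($cert)
                $action = 'Added'
            } else {
                $action = 'NotAdded'      # -WhatIf or a declined -Confirm prompt
            }
            [pscustomobject]@{
                Action     = $action
                Expired    = ($cert.NotAfter -lt (Get-Date))
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                SstSha256  = $sha256
            }
        }
    } finally {
        $store.Close()
    }
}

# Preview first, then import and summarise what happened:
# Import-ReviewedRootSst -SstPath C:\PS\roots.sst -WhatIf | Group-Object Action
# Import-ReviewedRootSst -SstPath C:\PS\roots.sst | Group-Object Action
```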
Continuing Program Requirements
Audit Requirements
- Program Participants must provide to Microsoft evidence of a Qualified Audit (see https://aka.ms/auditreqs) for each root, unconstrained subordinate CA, and cross-signed certificate, before conducting commercial operations and thereafter on an annual basis.
- Program Participants must assume responsibility to ensure that all unconstrained subordinate CAs and cross-signed certificates meet the Program Audit Requirements.
- CAs must publicly disclose all audit reports for unconstrained subordinate CAs.
Communication and Disclosure Requirements
Program Participants must provide Microsoft the identities of at least two "Trusted Agents" to serve as representatives to the Program and one general email alias. Program Participants must inform Microsoft upon the removal or addition of personnel as a Trusted Agent. Program Participants agree to receive notices by e-mail and must provide Microsoft with an email address to receive official notices. Program Participants must agree that notice is effective when Microsoft sends an email or official letter. At least one of the contacts or aliases provided should be a 24/7 monitored communications channel for revocation requests or other incident management situations.
The Program Participant must disclose its full PKI hierarchy (non-limited subordinate CA, cross-signed non-enrolled root CAs, subordinate CAs, EKUs, certificate constraints) to Microsoft on an annual basis, including certificates issued to CAs operated by external third parties within the CCADB. Program Participants must keep this information accurate in the CCADB when changes occur. If a subordinate CA is not publicly disclosed or audited, it must be domain-constrained.
Program Participants must inform Microsoft via email at least 120 days before transferring ownership of enrolled root or subordinate CA that chains to an enrolled root to another entity or person.
Reason Code must be included in revocations for intermediate certificates. CAs must update the CCADB when revoking any intermediate certificates within 30 days.
Program Participants agree that Microsoft may contact customers that Microsoft believes may be substantially impacted by the pending removal of a root CA from the Program.
Other Requirements
Commercial CAs may not enroll a root CA into the Program that is intended to be primarily trusted internally within an organization (i.e. Enterprise CAs).
If a CA uses a subcontractor to operate any aspect of its business, the CA will assume responsibility for the subcontractor’s business operations.
If Microsoft, in its sole discretion, identifies a certificate whose usage or attributes are determined to be contrary to the objectives of the Trusted Root Program, Microsoft will notify the responsible CA and request that it revoke the certificate. The CA must either revoke the certificate or request an exception from Microsoft within 24 hours of receiving Microsoft’s notice. Microsoft will review submitted material and inform the CA of its final decision to grant or deny the exception at its sole discretion. In the event that Microsoft does not grant the exception, the CA must revoke the certificate within 24 hours of the exception being denied.
Certificate Trust List (STL) in Windows
A Certificate Trust List (CTL) is simply a list of data (such as certificate hashes) that is signed by a trusted party (by Microsoft in this case). The Windows client periodically downloads from Windows Update this CTL, which stores the hashes of all trusted root CAs. It should be understood that this CTL doesn’t contain the certificates themselves, only their hashes and attributes (for example, Friendly Name). Windows devices can download a trusted certificate from Certificate Trust List on demand.
You can manually download and install the CTL file. To do it, download the file http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (updated twice a month). Using any archiver (or even Windows Explorer), unpack the contents of the authrootstl.cab archive. It contains a single authroot.stl file.

The Authroot.stl file is a container with a list of trusted certificate thumbprints in Certificate Trust List format.

You can install this CTL file to a Trusted Root Certificate Authority using the certutil command:
certutil -enterprise -f -v -AddStore "Root" "C:\PS\authroot.stl"

root "Trusted Root Certification Authorities" CTL 0 added to store. CertUtil: -addstore command completed successfully.
You can also import certificates using the certificate management console (Trusted Root Certification Authorities -> Certificates -> All Tasks -> Import). Specify the path to your STL file with certificate thumbprints.

After you have run the command, a new section, Certificate Trust List, appears in the Trusted Root Certification Authorities container of the Certificate Manager console (certmgr.msc).

In the same way, you can download and install the list of the revoked (disallowed) certificates that have been removed from the Root Certificate Program. To do it, download the disallowedcertstl.cab file (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab), extract it, and add it to the Untrusted Certificates store with the command:
certutil -enterprise -f -v -AddStore disallowed "C:\PS\disallowedcert.stl"
Updating Trusted Root Certificates via GPO in an Isolated Environment
certutil.exe -generateSSTFromWU roots.sst
Then the root certificates from this file can be deployed via SCCM or PowerShell Startup script in GPO:
The second way is to download the actual Microsoft root certificates using the command:
Certutil -syncWithWU -f \\fr-dc01\SYSVOL\woshub.com\rootcert\

- Action: Update
- Hive: HKLM
- Key path: Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
- Value name: RootDirURL
- Type: REG_SZ
- Value data: file://\\fr-dc01\SYSVOL\woshub.com\rootcert\

It remains to link this policy to a computer's OU and, after updating GPO settings on the client, to check for new root certificates in the certstore.
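To confirm on a client that the settings described above have landed, the DisableRootAutoUpdate policy value and the RootDirURL preference can be read together. This is an added example, not part of the original article; Get-RootAutoUpdateConfig is a made-up helper name, and the expectation that the share holds authrootstl.cab plus individual .crt files after certutil -syncWithWU is an assumption:

```powershell
# Added example; Get-RootAutoUpdateConfig is a hypothetical helper, not a built-in cmdlet.
function Get-RootAutoUpdateConfig {
    $policyKey = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot'
    $updateKey = 'HKLM:\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

    # A missing key or value is the default state ("not configured"), so suppress the
    # error Get-ItemProperty would raise and treat $null as "auto-update enabled".
    $disable = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate `
                    -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    $rootUrl = (Get-ItemProperty -Path $updateKey -Name RootDirURL `
                    -ErrorAction SilentlyContinue).RootDirURL

    $source     = 'Windows Update (default)'
    $reachable  = $null
    $ctlPresent = $null
    $crtCount   = $null
    if ($rootUrl) {
        $source = $rootUrl
        if ($rootUrl -like 'file://*') {
            # file://\\server\share\dir\  ->  \\server\share\dir\
            $dir = $rootUrl.Substring('file://'.Length)
            $reachable = Test-Path -Path $dir
            if ($reachable) {
                # Assumption: the share was filled by certutil -syncWithWU, which is
                # expected to leave authrootstl.cab and one .crt file per root.
                $ctlPresent = Test-Path -Path (Join-Path $dir 'authrootstl.cab')
                $crtCount   = @(Get-ChildItem -Path $dir -Filter *.crt).Count
            }
        }
    }

    [pscustomobject]@{
        AutoUpdateEnabled     = ($disable -ne 1)
        DisableRootAutoUpdate = $disable       # $null means the value is not set
        Source                = $source
        SourceReachable       = $reachable     # $null when the source is not a file:// path
        CtlCabPresent         = $ctlPresent
        CrtFileCount          = $crtCount
    }
}

Get-RootAutoUpdateConfig | Format-List
```

A client that reports AutoUpdateEnabled as True but SourceReachable as False will not receive new roots until the share path or its permissions are corrected.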
Updating Root Certificates on Windows XP Using the Rootsupd.exe Tool
In Windows XP, the rootsupd.exe utility was used to update the computer's root certificates. The list of root and revoked certificates in it was regularly updated. The tool was distributed as a separate update KB931125 (Update for Root Certificates). Let's see if we can use it now.
- Download the rootsupd.exe utility using the following link: http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe. At the moment (January 2021) the link doesn't work; Microsoft decided to remove it from the public. Today you can download the rootsupd.exe from the Kaspersky website: http://media.kaspersky.com/utilities/CorporateUtilities/rootsupd.zip;
- To install the Windows root certificates, just run the rootsupd.exe file. But we will try to examine its contents more carefully. Extract the certificates from the executable file with the command:
rootsupd.exe /c /t:C:\PS\rootsupd
- Certificates are stored in SST files, like authroots.sst, delroots.sst, etc. To remove or install certificates, you can use the following commands:
updroots.exe authroots.sst
updroots.exe -d delroots.sst
However, as you can see, these certificate files were created on April 4, 2013 (almost a year before the end of official support for Windows XP). Thus, since then the tool has not been updated and cannot be used to install up-to-date certificates.
But you can use the certutil tool in Windows 10/11 to download roots.sst, copy that file to Windows XP and install the certificate using updroots.exe:
There is information that the updroots.exe tool is not recommended for use in modern builds of Windows 10 1803+ and Windows 11, as it can break the Microsoft root CA on a device.
In this article, we looked at several ways to update trusted root certificates on Windows network computers that are isolated from the Internet (disconnected environment).
Trusted Root Certification Authorities Certificate Store
The signing certificate that was used to create the signature was issued by a certification authority (CA).
The corresponding root certificate for the CA is installed in the Trusted Root Certification Authorities certificate store. Therefore, the Trusted Root Certification Authorities certificate store contains the root certificates of all CAs that Windows trusts.
Note: A private CA is unlikely to be trusted outside the network environment.
The name of the Trusted Root Certification Authorities certificate store is root. You can manually install the root certificate of a private CA into the Trusted Root Certification Authorities certificate store on a computer by using the CertMgr tool.






