1. Certificate Import Wizard
If the certificate file has the .crt extension, double-clicking it is enough to open it:

In the window that opens, click the "Install Certificate" button:

Choose one of the options:
- "Current User": the certificate will be trusted only for this one user
- "Local Machine": the certificate will be trusted for all users of this computer (this choice requires administrator rights)

Select "Place all certificates in the following store":

Click "Browse" and select "Trusted Root Certification Authorities":

Before confirming, remember what this means: every certificate this CA ever issues, for any website or program, will be trusted without question. Install only roots whose source and fingerprint you have verified.

Message about successful import:

The certificate is now visible in Certificate Manager:

2. Adding a root CA certificate in Certificate Manager
To open Certificate Manager, press Win+R, type the following into the box that opens and press Enter:
certmgr.msc

In the console tree, right-click Trusted Root Certification Authorities -> Certificates, choose All Tasks -> Import and, in the wizard, specify the folder and file name:

Now it is really all done:

The certificate just imported, as shown in Certificate Manager:
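The same import, done from PowerShell, as an added example that is not part of the original page. It performs the checks the GUI wizard does not: that the file really is a self-issued CA certificate, that its thumbprint matches a value obtained from the CA out of band, and that it has not expired. Assumed: the path, the expected thumbprint and the function name are placeholders; Import-Certificate comes from the PKI module (Windows 8 / Server 2012 and later); the LocalMachine scope needs an elevated prompt.

```powershell
# Added example (not code from the original page): import one root CA file into
# the Windows root store with the checks the GUI wizard does not perform.
# Assumptions: the path, the expected thumbprint and the function name are
# placeholders; Import-Certificate comes from the PKI module (Windows 8 /
# Server 2012 and later); -Scope LocalMachine needs an elevated prompt.
function Install-TrustedRoot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,   # SHA-1, published by the CA out of band
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'LocalMachine'
    )
    $file = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # 1. A root CA certificate is self-issued: Subject and Issuer must be the same.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a root certificate: issuer '$($cert.Issuer)' differs from subject. Intermediates belong in the CA store, not Root."
    }
    # 2. It must be marked as a CA (Basic Constraints CA=TRUE), otherwise it cannot issue anything.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Certificate is not marked as a CA in Basic Constraints."
    }
    # 3. Pin the fingerprint. Whoever hands you a .crt file can hand you a rogue root;
    #    the only defence is comparing against a value obtained through another channel.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
    }
    # 4. Do not install something that is already dead.
    if ($cert.NotAfter -lt (Get-Date)) { throw "Root certificate expired on $($cert.NotAfter)" }

    # The wizard's "Current User" / "Local Machine" choice is just the store path.
    $store = "Cert:\$Scope\Root"
    $existing = Get-Item "$store\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Already trusted in $store"
        return $existing
    }
    # Same store the wizard calls "Trusted Root Certification Authorities".
    $imported = Import-Certificate -FilePath $file -CertStoreLocation $store
    Write-Host "Imported '$($cert.Subject)' into $store"
    return $imported
}

# Usage (placeholder values):
# Install-TrustedRoot -Path C:\PS\corp-root.crt -ExpectedThumbprint '0123...CDEF' -Scope LocalMachine
```

The function returns the certificate object from the store, so a caller can log the thumbprint that was actually trusted.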

All Windows versions have a built-in feature for automatically updating root certificates from Microsoft's servers. Microsoft, as part of the Microsoft Trusted Root Certificate Program, maintains and publishes a list of trusted root certificates for Windows clients and devices in its online repository. If a certificate being validated chains up to a root CA that participates in this program, the system automatically downloads that root certificate from the Windows Update servers and adds it to the trusted ones.
In this article, we look at how to manually update the list of root certificates in the Trusted Root Certification Authorities store on disconnected (isolated) networks or on computers and servers without direct Internet access.
Note. If your computers access the Internet through a proxy server, Microsoft recommends opening direct access (a bypass) to the Microsoft websites so that root certificates renew automatically. That is not always possible or acceptable under corporate restrictions.

Root certificates are public-key certificates that let your system decide whether a website or program is genuine: the decision rests on whether the issuing certificate authority is trusted and whether the certificate is still valid (not expired or revoked).
There are many certificate authorities; among the best known are Symantec and Comodo, and their root certificates are freely available for download.
Windows ships with built-in root certificates and renews them automatically. You can still add extra root certificates from certificate authorities (CAs) you trust.
This takes only a few steps, and the method works on all versions of Windows.
Right-click the downloaded root certificate file and select 'Install Certificate'. In the installation wizard that opens, press 'Next'.


Next, choose the right store to import into: Trusted Root Certification Authorities.


Then continue through the remaining steps of the wizard.


Finally, confirm the installation of the certificate in the security warning that appears.


Now all is done. Websites and programs whose certificates chain to this root will be trusted. Keep in mind that this trust is absolute: the new root can vouch for any website or code signer, so install only roots whose origin and fingerprint you have verified.
To add certificates to the Trusted Root Certification Authorities store for the local computer, open the Run box from the WinX menu in Windows 11/10/8.1, type , and hit Enter to open the Microsoft Management Console (MMC).
Click the File menu and select Add/Remove Snap-in. Under Available snap-ins, click Certificates, and then click Add.
Now let us see how to configure and manage trusted root certificates for the local computer. Open MMC, click the File menu and select Add/Remove Snap-in. Under Available snap-ins, click Group Policy Object Editor, and then click Add. Select the computer whose local GPO you want to edit, and click Finish / OK.
Back in the MMC console tree, navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Public Key Policies. Double-click Certificate Path Validation Settings, and then select the Stores tab.
Finally, on the Stores tab, under Root certificate stores, select one option under "Root CAs that the client computers can trust" and click OK. If in doubt, go with the recommended option.
To see how to manage trusted root certificates for a domain and how to add certificates to the Trusted Root Certification Authorities store for a domain, visit Technet.
RCC is a free Root Certificates Scanner that can help you scan Windows root certificates for untrusted ones.
When you visit a website, how do you know that it is the website you think you are visiting? The internet's answer to this problem is SSL certificates (also known as HTTPS certificates).
When you visit an SSL-secured website (https://), in addition to the connection being secured with SSL/TLS encryption, the website presents your browser with an SSL certificate showing that it (or, more accurately, ownership of the website's public key) has been authenticated by a recognized Certificate Authority (CA). There are some 1200 such CAs in existence.
This system, which is the cornerstone of security on the internet and is used by just about every secure website that handles sensitive information (including banks, webmail services, payment processors and so on), therefore relies on trusting the CAs.
Certificate Authorities issue certificates along a chain of trust, issuing certificates in a tree structure to less authoritative CAs. A root Certificate Authority is therefore the trust anchor on which trust in all less authoritative CAs is based. A root certificate is what identifies a root Certificate Authority.
So who issues the root certificates?
Generally speaking, root certificates are distributed by OS developers such as Microsoft and Apple. Most third-party apps and browsers (such as Chrome) use the system's root certificates, but some developers maintain their own root stores for their products, most notably Mozilla (Firefox), Adobe, Opera, and Oracle.
If you are wondering which folder Windows keeps certificates in, the correct answer is that Windows stores certificates in the registry, as opaque binary blobs. The registry keys that hold them are listed a little further below; first let's look at the program for viewing and managing certificates in Windows.
In Windows, viewing and managing trusted root certificates is done in Certificate Manager.
To open Certificate Manager, press Win+R, type the following into the box that opens and press Enter:
certmgr.msc

Note that certmgr.msc shows the current user's stores; certlm.msc opens the local computer's stores, which is where the PowerShell commands below look.
Here, for each certificate, you can view its properties, export it and delete it.
Viewing certificates in PowerShell
To list the certificates with PowerShell:
Get-ChildItem Cert:\LocalMachine\Root | Format-List

To find a specific certificate, run a command like this (replace "HackWare" with part of the name you are looking for in the Subject field):
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "HackWare" } | Format-List
Now let's look at where the root CA certificates are physically stored in Windows. Certificates are kept in the Windows registry under the following keys:
User-level certificates:
- HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates: the certificate stores of the current user
- HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates: like the previous location, but holding user certificates deployed by a Group Policy Object (GPO)
- HKEY_USERS\SID-User\Software\Microsoft\SystemCertificates: the stores of a specific user; each user has its own registry branch named by SID (security identifier)
Computer-level certificates:
- HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates: the stores shared by all users of the computer
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates: like the previous location, but holding computer certificates deployed by a Group Policy Object (GPO)
Service-level certificates:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates: certificate stores of the individual services on the computer (ServiceName stands for the service's name)
Active Directory-level certificates:
- HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates: certificates published at the Active Directory level.

There are also several folders and files corresponding to the Windows certificate store. The folders are hidden, and public and private keys are kept in different places: the Crypto\RSA folders hold the private key containers, and Protect\SID holds the DPAPI master keys that encrypt them.
User certificates (files):
- %APPDATA%\Microsoft\SystemCertificates\My\Certificates
- %USERPROFILE%\AppData\Roaming\Microsoft\Crypto\RSA\SID
- %USERPROFILE%\AppData\Roaming\Microsoft\Credentials
- %USERPROFILE%\AppData\Roaming\Microsoft\Protect\SID
Computer certificates (files):
- C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Now let's look at where web browsers keep their root CA certificates.
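To make the registry locations above concrete, here is an added example (not from the original page) that reads the machine root store directly from HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates, decodes each entry back into a certificate, and cross-checks the result against the Cert: provider. The layout of the "Blob" value is stated as an assumption in the comments; the function and variable names are mine.

```powershell
# Added example (not from the original page): read the machine root store
# directly from the registry and cross-check it against the Cert: provider.
# Each key under ...\Root\Certificates is named by the certificate's SHA-1
# thumbprint and has a REG_BINARY value "Blob". Assumption (stated as such):
# the blob is a sequence of property records
#     DWORD propertyId, DWORD reserved (always 1), DWORD length, BYTE data[length]
# and the record with propertyId 32 (CERT_CERT_PROP_ID) holds the DER certificate.
function Get-RegistryRootCertificates {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates')
    foreach ($key in Get-ChildItem -Path $KeyPath) {
        $blob = (Get-ItemProperty -Path $key.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
        if (-not $blob) { continue }
        $der = $null
        $pos = 0
        while ($pos + 12 -le $blob.Length) {
            $propId = [BitConverter]::ToUInt32($blob, $pos)
            $len    = [int][BitConverter]::ToUInt32($blob, $pos + 8)
            if ($propId -eq 32) {
                $der = New-Object byte[] $len
                [Array]::Copy($blob, $pos + 12, $der, 0, $len)
                break
            }
            $pos += 12 + $len          # skip other properties (friendly name, EKU, key id, ...)
        }
        if (-not $der) { continue }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $der)
        [pscustomobject]@{
            RegistryKey   = $key.PSChildName                 # thumbprint as Windows named the key
            Thumbprint    = $cert.Thumbprint                 # thumbprint recomputed from the DER
            KeyMatchesDer = ($key.PSChildName -eq $cert.Thumbprint)
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
        }
    }
}

$fromRegistry = @(Get-RegistryRootCertificates)
$fromProvider = @(Get-ChildItem Cert:\LocalMachine\Root)
"Registry key: $($fromRegistry.Count) roots; Cert:\LocalMachine\Root view: $($fromProvider.Count) roots"

# The Cert: view of LocalMachine\Root is a logical store that merges several
# physical stores. Roots seen by the provider but absent from the registry key
# above were pushed by Group Policy (HKLM\...\Policies\...\SystemCertificates),
# live in the enterprise store, or were auto-downloaded into AuthRoot.
$fromProvider | Where-Object { $fromRegistry.Thumbprint -notcontains $_.Thumbprint } |
    Select-Object Thumbprint, Subject

# An entry whose key name does not match the hash of the certificate it holds
# was not written by the normal APIs and deserves a closer look.
$fromRegistry | Where-Object { -not $_.KeyMatchesDer }
```

Reading the raw key is useful precisely because it bypasses the logical-store merging: it shows which roots are local to this machine's registry and which arrived through policy or auto-update.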
Certificates are a confirmation that the message sent to you is genuine and has not been tampered with. Of course, there are ways to fake that confirmation, like Lenovo's SuperFish certificate, which we will talk about in a while. This article explains what root certificates in Windows are and whether you should update them, because Windows always shows them as non-critical updates.

How does Public Key Cryptography work
Before talking about root certificates, it is worth looking at how cryptography is used in web conversations, between websites and browsers or between two individuals exchanging messages.
There are many kinds of cryptography; two are essential and used extensively for different purposes:
- Symmetric cryptography uses a single key: the same key encrypts and decrypts. It is fast, and it is what actually protects the bulk of a TLS session once the two sides have agreed on a session key.
- Asymmetric (public key) cryptography uses a pair of keys: what one key encrypts, only the other can decrypt.
In public key cryptography the pair consists of a public key, which can be given to everyone, and a private key, which never leaves its owner. Anyone can encrypt data with the public key, and only the holder of the private key can decrypt it. In the other direction, a signature made with the private key can be checked by anyone holding the public key, which is how the origin of a message is verified. Both directions are needed to set up a trusted session: the browser uses the site's public key to verify the site's identity and to agree on a session key, and the rest of the conversation is encrypted symmetrically.
A public key on its own says nothing about who owns it. That binding is provided by a certificate, which contains the public key, the owner's name, a validity period and the name of the certificate authority that issued it (DigiCert, Comodo, and so on), all signed by that authority. If your operating system considers the issuing authority trustworthy, the browser accepts the certificate and messages flow between the browser and the website. If the issuing authority cannot be identified, or the certificate has expired or is corrupt, you will see a message saying there is a problem with the website's certificate.
Root certificates are the top level of this hierarchy: they identify the certification authorities themselves, and every other certificate is trusted only because a chain of signatures leads from it back to a root. Your Windows operating system ships with a set of root certificates marked as trusted so that your browser can use them when talking to websites.
This also means that marking one root as trusted automatically makes every certificate issued under it valid, so a single root has many branches. For example, the root certificate of Comodo vouches for the server certificates that let web browsers talk to websites in encrypted form; under the same root Comodo also issues email certificates, which browsers and email clients trust automatically because the operating system trusts the root.
Once the chain checks out, the browser verifies the website's signature in the handshake with the site's public key, so a message that was not produced by the holder of the matching private key is rejected. Both keys are therefore required to carry on the conversation, and all subsequent communication is encrypted.
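The chain check described above, carried out with the Windows certificate APIs from PowerShell, as an added example that is not part of the original article. It takes a certificate file (assumed: a site certificate exported from the browser; the path and function name are placeholders), builds the chain exactly as the operating system does for a browser, prints each link, and reports whether the top of the chain is in the Trusted Root Certification Authorities store.

```powershell
# Added example (not from the original page): the chain check a browser performs,
# done with the Windows certificate APIs from PowerShell. Assumption: $Path is a
# certificate file, e.g. a site certificate exported from the browser.
function Test-ChainToTrustedRoot {
    param([Parameter(Mandatory)][string]$Path, [switch]$CheckRevocation)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Path).Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation (CRL/OCSP) needs network access; off by default so this runs offline.
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }

    # Build() follows the Issuer of each certificate to the next one and verifies
    # every signature; it returns $true only if the chain ends at a trusted root.
    $ok = $chain.Build($cert)

    $i = 0
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        $role = if ($i -eq 0) { 'leaf' } elseif ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
        Write-Host ('{0,-12} {1}  (valid until {2:yyyy-MM-dd})' -f $role, $c.Subject, $c.NotAfter)
        $i++
    }
    foreach ($s in $chain.ChainStatus) {
        # e.g. UntrustedRoot, NotTimeValid, PartialChain, RevocationStatusUnknown
        Write-Warning "$($s.Status): $($s.StatusInformation)"
    }

    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRootStore = (Test-Path "Cert:\LocalMachine\Root\$($last.Thumbprint)") -or
                   (Test-Path "Cert:\CurrentUser\Root\$($last.Thumbprint)")
    $result = [pscustomobject]@{
        Valid        = $ok
        TopOfChain   = $last.Subject
        TopIsTrusted = $inRootStore      # $false here is exactly the "untrusted root" browser warning
        Problems     = @($chain.ChainStatus | ForEach-Object Status) -join ', '
    }
    $chain.Reset()
    return $result
}

# Usage (placeholder path):
# Test-ChainToTrustedRoot -Path C:\PS\site.cer
```

Running it against a certificate whose issuer chain ends at a root you have not installed yields Valid=$false with an UntrustedRoot status, which is the same condition a browser reports as a certificate problem.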
Fake Root Certificates
You can check for untrusted Windows root certificates using Root Certificates Scanner or SigCheck (sigcheck -tv compares the local root store with Microsoft's published list).
Conclusion
Root certificates are important so that your browsers can communicate with websites. If you delete all the trusted certificates, out of curiosity or to stay safe, you will always get a message that you are on an untrusted connection. If you think you do not have all the proper root certificates, you can download trusted root certificates through the Microsoft Windows Root Certificates Program.
You should check the non-critical updates once in a while to see whether updates for root certificates are available. If so, download them through Windows Update only, not from third-party sites.
There are fake certificates too, but the chances of getting one are limited: it happens when your computer manufacturer adds one to the list of trusted root certificates, as Lenovo did, or when you download root certificates from third-party websites. It is better to stick with Microsoft and let it handle the root certificates rather than installing them from anywhere on the Internet. You can also check whether a root certificate deserves trust by opening it and searching for the name of the issuing authority. If the authority is reputable, you can install it or keep it. If you cannot identify the issuing authority, it is better to remove it.
Certificate Trust List (CTL) in Windows
A Certificate Trust List (CTL) is simply a list of data (such as certificate hashes) signed by a trusted party (Microsoft in this case). The Windows client periodically downloads this CTL from Windows Update; it holds the hashes of all trusted root CAs. Note that the CTL does not contain the certificates themselves, only their hashes and attributes (for example, Friendly Name). When a certificate chain being validated ends at a root whose hash is in the CTL, Windows downloads that root certificate on demand.
You can download and install the CTL file manually. To do it, download http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (updated twice a month). Using any archiver (Windows Explorer or the built-in expand.exe will do), unpack the contents of the authrootstl.cab archive. It contains a single authroot.stl file.

The Authroot.stl file is a container with a list of trusted certificate thumbprints in Certificate Trust List format.

You can install this CTL file to a Trusted Root Certificate Authority using the certutil command:
certutil -enterprise -f -v -AddStore "Root" "C:\PS\authroot.stl"

root "Trusted Root Certification Authorities" CTL 0 added to store. CertUtil: -addstore command completed successfully.
You can also import the CTL using the certificate management console (Trusted Root Certification Authorities -> Certificates -> All Tasks -> Import). Specify the path to the STL file with the certificate thumbprints.

After you have run the command, a new section Certificate Trust List appears in Trusted Root Certification Authorities container of the Certificate Manager console (certmgr.msc).

In the same way, you can download and install the list of the revoked (disallowed) certificates that have been removed from the Root Certificate Program. To do it, download the disallowedcertstl.cab file (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab), extract it, and add it to the Untrusted Certificates store with the command:
certutil -enterprise -f -v -AddStore disallowed "C:\PS\disallowedcert.stl"
How to Disable/Enable Automatic Root Certificates Update in Windows?
As mentioned, Windows updates root certificates automatically. You can enable or disable this in Windows through a GPO or the registry.
The "Turn off Automatic Root Certificates Update" option in the GPO section Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings disables automatic updating of root certificates from the Windows Update sites. By default this policy is not configured and Windows always tries to renew root certificates automatically.

If this GPO option is not configured but root certificates are still not being renewed automatically, check whether the setting has been enabled manually in the registry. Check the value of the registry parameter using PowerShell:
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot' -Name DisableRootAutoUpdate

If the command returns a DisableRootAutoUpdate value of 1, updating of root certificates is disabled on this computer. To enable it, change the value to 0 (or remove the parameter).
How to remove a root certificate
If you really do not like a particular root Certificate Authority, you can remove its root certificate. Be warned that doing so makes all certificates issued by that Certificate Authority untrusted, as well as those of any 'lesser' CAs it has authorised. Removing roots can have a very negative impact on your internet experience.
In the wake of the recent Google fake certificates fiasco, some people recommend removing Chinese CAs. We stress, however, that doing so is entirely at your own risk.
We are using Windows 8.1, but the process should be pretty much the same on all versions of Windows.
2. Go to Tools (gear icon at top right) -> Internet Options -> Content tab -> Certificates -> Trusted Root Certification Authorities
3. Select the certificate you wish to remove and hit 'Remove'. It is a very good idea to 'Export' the certificate as a backup first, so that you can import it again later if needed. Note also that a root removed this way can be re-downloaded by the automatic root update; to block a root permanently, move it to the Untrusted Certificates store instead.
Firefox (desktop versions only)
1. Open Firefox and go to Open Menu -> Options -> Advanced -> Certificates -> View Certificates
2. In the Certificates Manager window, click on the ‘Authorities’ tab, and you will see the list of authorized root CAs, together with the certificate(s) they have authorized below them
3. Click on a certificate that you don’t like, and hit ‘Delete or Distrust’
Hit OK if you are sure
To completely remove a given root CA, you must ‘Delete or Distrust’ all certificates it has authorized. As with removing Windows root certificates, we strongly advise backing up removed certificates first.
Android (5.1 Lollipop, but similar on all versions)
1. Go to Settings -> Security -> Trusted Credentials -> System tab. Touch the green tick next to the certificate you don’t like
2. Scroll down through certificate details to the bottom, and select ‘Disable’
Root certificates cannot be removed in iOS (personal certificates can be removed using the iPhone Configuration Utility).
Ubuntu (will be similar for most versions of Linux)
The simplest way to deselect CAs is to open Terminal and run:
sudo dpkg-reconfigure ca-certificates
Press space to deselect a certificate.
The list of CAs is stored in the file /etc/ca-certificates.conf. This can be edited manually by entering:
(If you use dpkg-reconfigure this is done automatically).
Google Chrome
Uses the system-wide trusted root certification authorities.


Updating Trusted Root Certificates via GPO in an Isolated Environment
First, on a computer with Internet access, export the current list of Microsoft root certificates to an SST file:
certutil.exe -generateSSTFromWU roots.sst
The root certificates from this file can then be deployed with SCCM or with a PowerShell startup script in a GPO.
The second way is to download the actual Microsoft root certificate files to a share on a domain controller with the command:
Certutil -syncWithWU -f \\fr-dc01\SYSVOL\woshub.com\rootcert\

Then point the clients' automatic root update mechanism at that share instead of Windows Update: in a GPO, create a Group Policy Preferences registry item (Computer Configuration -> Preferences -> Windows Settings -> Registry) with the following settings:
- Action: Update
- Hive: HKLM
- Key path: Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
- Value name: RootDirURL
- Type: REG_SZ
- Value data: file://\\fr-dc01\SYSVOL\woshub.com\rootcert\

It remains to link this policy to the computers' OU; after the GPO settings are updated on a client, check its certificate store for new root certificates.
Download Trusted Root Certificates from Windows Update
The -generateSSTFromWU option of the certutil.exe command-line tool (available in Windows 10 and later; on Windows 7 it requires a separate update) downloads an up-to-date list of root certificates from Windows Update and saves it to an SST file.
To generate an SST file on a computer running Windows 10 or 11 with direct access to the Internet, open an elevated command prompt and run:
certutil.exe -generateSSTFromWU C:\PS\roots.sst
Updated SST file. CertUtil: -generateSSTFromWU command completed successfully.

As a result, an SST file containing an up-to-date list of root certificates appears in the target directory. Double-click it to open it: the file is a serialized certificate store holding the trusted root certificates.

As you can see, the familiar Certificates snap-in opens, from which you can export any of the certificates. In my case there were 358 items in the list. Obviously, exporting and installing them one by one is not practical.
Tip. The certutil -syncWithWU command can be used to download the root certificates as individual files instead. Certificates obtained this way can be deployed to Windows devices using GPO.
A PowerShell script can install all certificates from the SST file into the trusted root store of a computer.
Run the certmgr.msc snap-in and make sure the certificates have been added to Trusted Root Certification Authorities. In my example on Windows 11, the number of root certificates increased from 34 to 438.

A clean copy of Windows after installation contains only a small number of certificates in the root store. If the computer is connected to the Internet, the rest of the root certificates will be installed automatically (on demand) if your device access an HTTPS site or SSL certificate that has a fingerprint from Microsoft CTL in its trust chain. Therefore, as a rule, there is no need to immediately add all certificates that Microsoft trusts to the local certification store.
Problems with the CA system
The whole CA system therefore relies on trust, so how do you know these certificates can be trusted? Well, at the end of the day you have to trust someone, and if you trust the developers of the software you use, then you more or less have to trust their certificates.
At least that is the theory. As a recent Google warning over fake SSL certificates demonstrates, just one 'rogue' CA issuing unreliable certificates can cause havoc, and unfortunately Certificate Authorities can (and have been known to) issue fraudulent certificates. The usual culprit is an unscrupulous government putting pressure on CA companies, but criminals can also strong-arm CAs, and hackers can compromise their systems.
The Electronic Frontier Foundation (EFF) did start an SSL Observatory project with the aim of investigating all certificates used to secure the internet, inviting the public to send it certificates for analysis. As far as we are aware, however, this project never really got off the ground, and has lain dormant for years.
How to Update Trusted Root Certificates in Windows 7?
After installing a clean Windows 7 image, you may find that many modern programs and tools do not work on it because they are signed with certificates that chain to roots the image does not have. In particular, there have been reports that .NET Framework 4.8 or Microsoft Visual Studio (vs_Community.exe) cannot be installed on Windows 7 SP1 x64 without updating the root certificates, with errors such as:
The installer manifest failed signature validation.
.NET Framework has not been installed because a certificate chain could not be built to a trusted root authority.

After that, you can use certutil to generate an SST file with root certificates (on this or another computer):
certutil.exe -generateSSTFromWU c:\ps\roots.sst
Now the certificates can be imported into the trusted root store.
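The import script that this section, the Windows 10/11 SST section and the GPO section above all refer to but do not show, as an added example (not the page's own script). It installs every root from an SST file produced by certutil -generateSSTFromWU, or from a folder of .crt files produced by certutil -syncWithWU, into the machine root store, skipping roots that are already present so it can run at every boot. Assumed: the source path is a placeholder (a local folder or a SYSVOL share reachable by the client); it runs elevated, or as a GPO computer startup script, which runs as SYSTEM.

```powershell
# Added example standing in for the import script this page refers to but does not
# show (it is not the page's own script). It installs every root from an SST file
# (certutil -generateSSTFromWU) or from a folder of .crt files (certutil -syncWithWU)
# into the machine root store, skipping roots already present. Assumptions: the
# source path is a placeholder (local folder or SYSVOL share reachable by the client);
# run elevated, or as a GPO computer startup script, which runs as SYSTEM.
function Sync-TrustedRoots {
    param([Parameter(Mandatory)][string]$Source, [switch]$DryRun)

    $incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    if ($Source -like '*.sst') {
        $incoming.Import($Source)                    # serialized store: all certificates in one file
    } else {
        foreach ($f in Get-ChildItem -Path $Source -Filter *.crt) { $incoming.Import($f.FullName) }
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    $present = @{}
    foreach ($c in $store.Certificates) { $present[$c.Thumbprint] = $true }

    $added = 0; $skipped = 0; $rejected = 0
    foreach ($c in $incoming) {
        if ($present[$c.Thumbprint]) { $skipped++; continue }          # idempotent: safe to run at every boot
        if ($c.Subject -ne $c.Issuer) {                               # only self-signed roots belong in Root
            Write-Warning "Rejected non-root certificate: $($c.Subject)"; $rejected++; continue
        }
        if ($c.NotAfter -lt (Get-Date)) {                             # drop this check for an exact mirror of the source
            Write-Warning "Rejected expired root: $($c.Subject)"; $rejected++; continue
        }
        if (-not $DryRun) { $store.Add($c) }
        $present[$c.Thumbprint] = $true
        $added++
    }
    $store.Close()
    [pscustomobject]@{ Source = $Source; Added = $added; AlreadyPresent = $skipped; Rejected = $rejected; DryRun = [bool]$DryRun }
}

# Usage (placeholder paths):
# Sync-TrustedRoots -Source C:\PS\roots.sst -DryRun        # preview what would be added
# Sync-TrustedRoots -Source \\fr-dc01\SYSVOL\woshub.com\rootcert\
```

Run it with -DryRun first on one client and compare the Added count with the number of certificates you expect from the SST; a large Rejected count means the source contains something other than self-signed roots.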
Updating Root Certificates on Windows XP Using the rootsupd.exe Tool
In Windows XP, the rootsupd.exe utility was used to update the computer's root certificates. The list of root and revoked certificates in it was updated regularly. The tool was distributed as a separate update, KB931125 (Update for Root Certificates). Let's see whether it can still be used.
- Download the rootsupd.exe utility from the following link:
http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe. At the moment (January 2021) the link does not work; Microsoft has removed it from public access. Today you can download rootsupd.exe from the Kaspersky website: http://media.kaspersky.com/utilities/CorporateUtilities/rootsupd.zip
- To install the Windows root certificates, just run the rootsupd.exe file. But let's examine its contents more carefully. Extract the certificates from the executable with the command:
rootsupd.exe /c /t:C:\PS\rootsupd
- The certificates are stored in SST files, such as authroots.sst and delroot.sst. To install or remove certificates, the package uses the following commands:
updroots.exe authroots.sst
updroots.exe -d delroots.sst
However, these certificate files were created on April 4, 2013 (almost a year before the end of official support for Windows XP). The tool has not been updated since then and cannot be used to install up-to-date certificates.
But you can use the certutil tool in Windows 10/11 to download roots.sst, copy that file to Windows XP and install the certificates with updroots.exe.
Note that updroots.exe is reported as not recommended for use on modern builds of Windows 10 1803+ and Windows 11, as it can break the Microsoft root CA store on a device.
In this article, we looked at several ways to update trusted root certificates on Windows network computers that are isolated from the Internet (disconnected environment).
How to add a root certificate to the trusted ones in web browsers on Windows
Chrome, Chromium, Opera and browsers built on them use the system-wide root CA certificates (recent Chrome releases ship their own Chrome Root Store for public CAs, but still trust roots that were added to the Windows store locally or by policy). So to add new trusted CAs, it is enough to add them to the system as shown above.
Firefox uses exclusively its own store (unless security.enterprise_roots.enabled is set to true in about:config or by enterprise policy, in which case it also trusts roots from the Windows store). To add root CA certificates to Firefox:
- In Firefox settings: Privacy & Security -> Certificates -> View Certificates -> Authorities:

Click the "Import" button:

Select the certificate file.
Specify what trust you grant this certificate (for example, "Trust this CA to identify websites"):

So why all the fuss about Microsoft ‘sneakily’ adding root certificates?
If you do not trust Microsoft, then do not use Windows. Of course, if you are serious about security then you really should not trust Microsoft anyway, and it is very likely that some of the root certificates already shipped with Windows allow the NSA to perform MitM attacks on your computer should they so choose. These could in theory direct you to bogus websites that look genuine to your browser thanks to fake SSL certificates.
Those serious about security should use Linux (and preferably a hardened distro at that). It should also be stressed that no mobile OS can be considered in the slightest bit secure.
For what it’s worth, the list of new Certificate Authorities recently added to the Microsoft Certificate Trust List looks pretty harmless to us (many are simply upgrades to older certificates,) but who knows?
Managing Trusted Root Certificates in Windows 10 and 11
How to see the list of trusted root certificates on a Windows computer?
- To open the root certificate store of a computer running Windows 11/10/8.1/7 or Windows Server 2022/2019/2016, run the mmc.exe console;
- Select File -> Add/Remove Snap-in, select Certificates (certmgr) in the list of snap-ins -> Add;
- Select that you want to manage certificates of local Computer account;

- Next -> OK -> OK;
- Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains the list of trusted root certificates on your computer.
In the mmc console, you can view information about any certificate or remove it from trusted ones.
You can also get a list of trusted root certificates with their expiration dates using PowerShell, and from it list the certificates that have already expired or that expire in the next 60 days.

For security reasons, it is recommended to periodically check the certificate trust store on your computer for suspicious and revoked certificates with the Sigcheck tool (sigcheck -tv). It compares the certificates installed on the computer with the list of root certificates on the Microsoft website (an offline file with the up-to-date list, authrootstl.cab, can also be downloaded for this).
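The Sigcheck comparison just mentioned, the "fake root certificates" check from the earlier article, the expiry listing above and the authroot.stl format from the Certificate Trust List section, all in one added example that is not part of the original page. It downloads Microsoft's CTL (or takes a copy already carried onto an isolated machine), verifies the CTL signature, pulls the trusted-root thumbprints out of the DER structure, and reports every local root that Microsoft does not list or that expires soon. Assumed: the URL and file names are the ones quoted on this page; the DER layout is Microsoft's CTL structure (trustedSubjects is the third SEQUENCE in the CTL body, each entry starting with an OCTET STRING holding the SHA-1 thumbprint); Windows PowerShell 5.1; all function names are mine.

```powershell
# Added example (not from the original page): download Microsoft's root CTL,
# verify its signature, extract the trusted-root thumbprints and report local
# roots that Microsoft does not list or that expire soon. This is the offline
# counterpart of "sigcheck -tv". Assumptions: the CTL URL and file names are the
# ones quoted on this page; the DER layout is Microsoft's CTL structure, in which
# trustedSubjects is the third SEQUENCE inside the CTL body and each entry begins
# with an OCTET STRING holding the SHA-1 thumbprint. Windows PowerShell 5.1.
$CtlUrl = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'

function Read-Der {
    # Minimal DER TLV reader: tag, content bytes and total size of one element.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]; $len = [int]$Bytes[$Offset + 1]; $hdr = 2
    if ($len -band 0x80) {                          # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$Offset + 2 + $i] }
        $hdr = 2 + $n
    }
    $content = New-Object byte[] $len
    if ($len -gt 0) { [Array]::Copy($Bytes, $Offset + $hdr, $content, 0, $len) }
    [pscustomobject]@{ Tag = $tag; Content = $content; Size = $hdr + $len }
}

function Get-DerChildren {
    param([byte[]]$Bytes)
    $pos = 0
    while ($pos -lt $Bytes.Length) { $el = Read-Der $Bytes $pos; $el; $pos += $el.Size }
}

function Get-CtlThumbprints {
    param([Parameter(Mandatory)][string]$StlPath)
    Add-Type -AssemblyName System.Security
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([IO.File]::ReadAllBytes($StlPath))
    # $false = verify the signature AND the signer's chain to a trusted root; throws on failure.
    $cms.CheckSignature($false)
    $signer = $cms.SignerInfos[0].Certificate
    if ($signer.Subject -notmatch 'O=Microsoft Corporation') {
        throw "CTL is validly signed, but not by Microsoft: $($signer.Subject)"
    }
    $ctl   = $cms.ContentInfo.Content
    $outer = Read-Der $ctl 0
    # Some .NET versions hand back the CTL with its outer SEQUENCE, some without.
    $body  = if ($outer.Tag -eq 0x30 -and $outer.Size -eq $ctl.Length) { $outer.Content } else { $ctl }
    $seqs  = @(Get-DerChildren $body | Where-Object Tag -eq 0x30)   # subjectUsage, subjectAlgorithm, trustedSubjects
    foreach ($entry in @(Get-DerChildren $seqs[2].Content)) {
        $id = Read-Der $entry.Content 0                               # TrustedSubject.subjectIdentifier
        [BitConverter]::ToString($id.Content) -replace '-', ''
    }
}

function Compare-LocalRootsToCtl {
    param([string]$StlPath, [int]$ExpiryWindowDays = 60)
    if (-not $StlPath) {                              # online: fetch and unpack the cab
        $work = Join-Path $env:TEMP 'authroot'
        New-Item -ItemType Directory -Force -Path $work | Out-Null
        $cab = Join-Path $work 'authrootstl.cab'
        Invoke-WebRequest -Uri $CtlUrl -OutFile $cab -UseBasicParsing
        expand.exe $cab -F:* $work | Out-Null
        $StlPath = Join-Path $work 'authroot.stl'
    }
    $msRoots = @{}
    foreach ($t in Get-CtlThumbprints -StlPath $StlPath) { $msRoots[$t] = $true }
    Write-Host "Microsoft CTL lists $($msRoots.Count) root thumbprints"

    $soon = (Get-Date).AddDays($ExpiryWindowDays)
    Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
        [pscustomobject]@{
            Thumbprint  = $_.Thumbprint
            Subject     = $_.Subject
            InMsCtl     = [bool]$msRoots[$_.Thumbprint]   # $false: locally or enterprise-added, or rogue
            Expired     = ($_.NotAfter -lt (Get-Date))
            ExpiresSoon = ($_.NotAfter -lt $soon)
            NotAfter    = $_.NotAfter
        }
    } | Where-Object { -not $_.InMsCtl -or $_.ExpiresSoon }
}

# Usage: Compare-LocalRootsToCtl                                 (downloads the CTL)
#        Compare-LocalRootsToCtl -StlPath C:\PS\authroot.stl     (isolated machine, file copied in)
```

A root with InMsCtl=$false is not necessarily malicious: an internal enterprise CA or a root deployed by GPO will show up here too. The point is that every such entry should be one you can account for; anything else (a vendor-installed interception root of the SuperFish kind, or a root nobody remembers adding) is what the check is for.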
You can manually transfer the root certificate file between Windows computers using the Export/Import options.







