Posted on August 16, 2017 · Posted in Windows 10, Windows 7

Updating List of Trusted Root Certificates in Windows 10 / 7

In all Windows versions since Windows 7, the Automatic Root Certificate Update feature updates root certificates from the Microsoft website. As part of the Microsoft Trusted Root Certificate Program, Microsoft (MSFT) maintains and publishes the list of certificates for Windows clients and devices. If a certificate being verified chains to a root CA that participates in this program, the system automatically downloads that root certificate from Windows Update and adds it to the Trusted Root Certification Authorities store.

If Windows has no direct access to the Windows Update servers, it cannot update a root certificate, so users may have trouble opening websites (whose SSL certificates are signed by a CA not yet present in the trusted store) or installing and running apps or signed scripts.

In this article, we'll look at how to manually update the list of root certificates in the Trusted Root Certification Authorities store on isolated systems or systems without direct access to the Internet.

Note. If users access the Internet through a proxy server, Microsoft recommends configuring a direct (bypass) connection to the Microsoft website for users' computers. This allows the root certificates on those computers to be updated automatically. However, it isn't always possible or permitted due to corporate restrictions.

Rootsupd.exe

In Windows XP, the rootsupd.exe utility was used to update root certificates. The list of root and revoked certificates it contained was updated regularly. The utility was distributed as a separate update, KB931125 (Update for Root Certificates). Let's see if we can use it now.

  • Download rootsupd.exe.
  • To install the certificates, it's enough to run the file. But we'll study its contents in more detail and unpack it with this command (the /c switch extracts only, /t: sets the target directory): rootsupd.exe /c /t:C:\PS\rootsupd
  • Certificates are stored in SST files, like authroots.sst, delroots.sst, etc. To install or delete the certificates they contain, use the following commands:
    updroots.exe authroots.sst
    updroots.exe -d delroots.sst

However, as you can see, these files were created on April 4, 2013 (almost a year before the end of official support for Windows XP). The utility has not been updated since then, so it cannot be used to install up-to-date certificates.

How to Get Root Certificates from Windows Update Using Certutil

The latest version of the Certutil utility for managing and working with certificates (available in Windows 10) allows you to download an up-to-date list of root certificates and save it to an SST file.
To generate the SST file, run this command with administrator privileges on a computer running Windows 10 that has direct access to the Internet:

certutil.exe -generateSSTFromWU roots.sst


As a result, an SST file containing the up-to-date list of certificates appears in the target directory. Double-click to open it. This file is a container of certificates.

[Screenshot: roots.sst opened in the Certificates snap-in, listing the trusted MSFT root certificates]

As you can see, the familiar Certificates management snap-in opens, from which you can export any of the certificates you have obtained. In my case, there were 358 items in the list of certificates. Obviously, it is not practical to export the certificates and install them one by one.

Tip. To generate individual certificate files instead of a single SST container, use the command certutil -syncWithWU <DestinationDir>. The certificates you get this way can be distributed to the clients using GPO.

To install all certificates listed in the file, use updroots.exe (it is located in the rootsupd.exe archive we unpacked in the previous section).

Install the certificates from the SST file with the following command:

updroots.exe roots.sst

[Screenshot: certmgr.msc, Trusted Root Certification Authorities store after the import]

Run certmgr.msc and make sure that all the certificates have been added to the Trusted Root Certification Authorities store.
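The verification step above can be scripted instead of eyeballed in certmgr.msc. The following PowerShell script is an added example and is not code from the article: it reads the roots.sst produced by certutil -generateSSTFromWU, compares its thumbprints against the machine-wide Trusted Root store, lists what is missing, and (with -Import) adds only the missing certificates through the .NET X509Store API rather than the legacy updroots.exe. The path C:\PS\roots.sst is an assumption; the script needs an elevated session to write to the LocalMachine store.

```powershell
# Added example (not from the article). Compares an SST generated with
# "certutil -generateSSTFromWU roots.sst" against Cert:\LocalMachine\Root
# and optionally imports the certificates that are not there yet.
# Assumed location of the SST file: C:\PS\roots.sst. Run elevated.
param(
    [string]$SstPath = 'C:\PS\roots.sst',
    [switch]$Import
)

if (-not (Test-Path $SstPath)) { throw "SST file not found: $SstPath" }

# An .sst file is a serialized certificate store; X509Certificate2Collection
# can read it directly, which is how we get at the 358-or-so certificates.
$sst = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$sst.Import($SstPath)
Write-Host ("Certificates in {0}: {1}" -f $SstPath, $sst.Count)

# Thumbprints already present in the machine-wide Trusted Root store.
$local = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint

# Anything in the SST that the local store does not know yet.
$missing = @($sst | Where-Object { $local -notcontains $_.Thumbprint })
Write-Host ("Missing from Cert:\LocalMachine\Root: {0}" -f $missing.Count)
$missing | Sort-Object Subject | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# Certificates in the SST that have already expired are listed separately;
# they are harmless to import but are not needed for current chains.
$expired = @($sst | Where-Object { $_.NotAfter -lt (Get-Date) })
Write-Host ("Of which already expired: {0}" -f $expired.Count)

if ($Import -and $missing.Count -gt 0) {
    # X509Store.Add ignores a certificate that is already in the store, so
    # re-running the script is safe.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    foreach ($cert in $missing) { $store.Add($cert) }
    $store.Close()

    $after = @(Get-ChildItem Cert:\LocalMachine\Root).Count
    Write-Host ("Trusted Root store now holds {0} certificates" -f $after)
}
```

Run it once without -Import to see the diff between the SST and the local store, then with -Import to apply it; the second run should report zero missing certificates, which is the same check the article performs manually in certmgr.msc.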

The List of Root Certificates in STL Format

There is another way to get the list of certificates from the Microsoft website. To do it, download the file http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (updated twice a month). Unpack authrootstl.cab with any decompression program (or Windows Explorer). It contains one file, authroot.stl.


Authroot.stl is a container for the list of trusted certificates in Certificate Trust List (CTL) format.


You can install this file in the system using the context menu of the STL file (Install CTL).


Or using certutil:

certutil -addstore -f root authroot.stl

After you have run the command, a new Certificate Trust List section appears in the Trusted Root Certification Authorities container of the Certificate Manager console (certmgr.msc).

[Screenshot: certmgr.msc showing the Microsoft Certificate Trust List Publisher entry]

In the same way, you can download and install the list of revoked certificates that have been removed from the Root Certificate Program. To do it, download disallowedcertstl.cab (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab), unpack it and add it to the Untrusted Certificates section using this command:

certutil -addstore -f disallowed disallowedcert.stl
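Both CTL downloads follow the same pattern (fetch the .cab, extract the .stl, certutil -addstore into the right store), so they are easy to combine into one script. The PowerShell below is an added example, not code from the article: it handles the trusted list (authroot.stl into the root store) and the disallowed list (disallowedcert.stl into the disallowed store) in one loop, using the built-in expand.exe for extraction and checking the exit code of each step so a failed download or extraction does not go unnoticed. The destination folder C:\PS\ctl and the -SkipDownload switch (for an isolated machine onto which the .cab files have already been copied) are assumptions of this example.

```powershell
# Added example (not from the article). Downloads the two CTL cabinets the
# article refers to, extracts the .stl files with expand.exe and installs
# them with "certutil -addstore -f <store> <file.stl>".
# Assumed destination folder: C:\PS\ctl. Run from an elevated session.
# On an isolated machine, copy the .cab files into $Dest and pass -SkipDownload.
param(
    [string]$Dest = 'C:\PS\ctl',
    [switch]$SkipDownload
)

$base = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en'
$ctls = @(
    @{ Cab = 'authrootstl.cab';       Stl = 'authroot.stl';       Store = 'root' },
    @{ Cab = 'disallowedcertstl.cab'; Stl = 'disallowedcert.stl'; Store = 'disallowed' }
)

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

foreach ($c in $ctls) {
    $cab = Join-Path $Dest $c.Cab
    $stl = Join-Path $Dest $c.Stl

    if (-not $SkipDownload) {
        Invoke-WebRequest -Uri "$base/$($c.Cab)" -OutFile $cab -UseBasicParsing
    }
    if (-not (Test-Path $cab)) { throw "Cabinet not found: $cab" }

    # expand.exe ships with Windows; -F:* extracts every file in the cabinet.
    & expand.exe $cab '-F:*' $Dest | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $stl)) {
        throw "Failed to extract $($c.Stl) from $cab"
    }

    # Same command the article uses for each list, with -f to overwrite an
    # older CTL that is already installed.
    & certutil.exe -addstore -f $c.Store $stl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed for $stl" }

    Write-Host ("Installed {0} into the '{1}' store (cabinet dated {2})" -f
        $c.Stl, $c.Store, (Get-Item $cab).LastWriteTime)
}
```

The cabinet timestamps printed at the end are a cheap way to record which edition of the lists was installed when the script is run on a schedule; the result is visible in certmgr.msc as the Certificate Trust List entries the article describes.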

In this article, we looked at some of the simplest ways to update the list of root certificates on an Internet-isolated Windows system. If you have to regularly update root certificates in a domain not connected to an external network, there is a more complex method of updating local certificate stores on domain computers using GPO. We'll discuss it in detail in one of the following articles.
