In all Windows versions starting from Windows 7, there is an Automatic Root Certificate Update feature that updates root certificates from the Microsoft website. As part of the Microsoft Trusted Root Certificate Program, Microsoft maintains and publishes the list of certificates for Windows clients and devices. If a certificate being verified chains up to a root CA that participates in this program, the system automatically downloads this root certificate from Windows Update and adds it to the trusted store.
If Windows has no direct access to the Windows Update directory, the system cannot update a root certificate, so a user may have trouble opening websites (whose SSL certificates are signed by a CA that is not yet trusted) or installing and running apps or signed scripts.
In this article, we will find out how to manually update the list of root certificates in the Trusted Root Certification Authorities store on isolated systems or systems without direct access to the Internet.
In Windows XP, the rootsupd.exe utility was used to update root certificates. The list of root and revoked certificates in it was regularly updated. The utility was distributed as a separate update, KB931125 (Update for Root Certificates). Let's see if we can still use it.
- Download rootsupd.exe.
- To install the certificates, it is enough to run the file. But we will study its contents in detail and unpack it with this command:
rootsupd.exe /c /t:C:\PS\rootsupd
- Certificates are stored in SST files, like authroots.sst, delroot.sst, etc. To install or delete the certificates, use the bundled updroots.exe with the corresponding SST file:
updroots.exe authroots.sst
updroots.exe -d delroot.sst
However, as you can see, these files were created on April 4, 2013 (almost a year before the end of official support for Windows XP). The utility has not been updated since then and cannot be used to install up-to-date certificates.
How to Get Root Certificates from Windows Update Using Certutil
The latest version of the Certutil utility for managing certificates (available in Windows 10) allows you to download an up-to-date list of root certificates and save it to an SST file.
To generate the SST file, run this command with administrator privileges on a Windows 10 computer that has direct access to the Internet:
certutil.exe -generateSSTFromWU roots.sst
As a result, an SST file containing the up-to-date list of certificates appears in the target directory. This file is a container of certificates; double-click to open it.
As you can see, the familiar Certificate Management snap-in opens, from which you can export any of the certificates you have got. In my case, there were 358 items in the list of certificates. Obviously, it is not rational to export the certificates and install them one by one.
To install all certificates listed in the file, use updroots.exe (it is located in the rootsupd.exe archive we unpacked in the previous section). Copy roots.sst to the isolated computer and install the certificates from it with the following command:
updroots.exe roots.sst
Run certmgr.msc and make sure that all certificates have been added to Trusted Root Certification Authorities.
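Rather than eyeballing certmgr.msc, the check can be scripted. The following PowerShell script is an added example, not part of the article: it compares the machine's Trusted Root store with the roots.sst produced by certutil -generateSSTFromWU, lists the roots that would be newly trusted, and adds only those when run with -Install. The path C:\PS\roots.sst is an assumption.

```powershell
# Added example (not from the article): compare the Trusted Root store of an
# isolated machine with roots.sst produced by "certutil -generateSSTFromWU",
# then add only the missing roots. Assumed path C:\PS\roots.sst; run elevated.
param(
    [string]$SstPath = 'C:\PS\roots.sst',
    [switch]$Install   # without this switch the script only reports
)

# An SST file is a serialized certificate store; .NET reads it directly.
$fromWU = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$fromWU.Import($SstPath)

# Thumbprints already present in the machine-wide Trusted Root store
$installed = @{}
Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $installed[$_.Thumbprint] = $true }

$missing = @($fromWU | Where-Object { -not $installed.ContainsKey($_.Thumbprint) })
$expired = @($missing | Where-Object { $_.NotAfter -lt (Get-Date) })
"{0} roots in SST, {1} missing locally ({2} of them already expired)" -f `
    $fromWU.Count, $missing.Count, $expired.Count

# Review what would become trusted before touching the store
$missing | Sort-Object NotAfter | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

if ($Install) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    foreach ($cert in $missing) { $store.Add($cert) }   # Add() is a no-op for duplicates
    $store.Close()

    # Re-check so the run ends with evidence that the import landed
    $after = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    $still = @($missing | Where-Object { $after -notcontains $_.Thumbprint })
    "Still missing after install: {0}" -f $still.Count
}
```

Running it once without -Install gives a reviewable list of the roots an import would add, which is useful evidence to keep when changing the trust store of an isolated system.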
The List of Root Certificates in STL Format
There is another way to get the list of certificates from the Microsoft website. To do it, download the file http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (updated twice a month). Using any decompression program (or Windows Explorer), unpack authrootstl.cab. It contains one file, authroot.stl.
Authroot.stl is a container for the list of trusted certificates in Certificate Trust List (CTL) format.
You can install this file in the system using the context menu of the STL file (Install CTL).
Or using certutil:
certutil -addstore -f root authroot.stl
After you have run the command, a new Certificate Trust List section appears in the Trusted Root Certification Authorities container of the Certificate Manager console (certmgr.msc).
In the same way, you can download and install the list of revoked certificates that have been removed from the Root Certificate Program. To do it, download disallowedcertstl.cab (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab), unpack it and add its contents to the Untrusted Certificates store using this command:
certutil -addstore -f disallowed disallowedcert.stl
In this article, we looked at some of the simplest ways to update the list of root certificates on an Internet-isolated Windows system. If you have to regularly update root certificates in a domain that is not connected to an external network, there is a more complex method of updating local certificate stores on domain computers using GPO. We will discuss it in detail in one of the following articles.