All Windows versions have a built-in feature for automatically updating root certificates from the Microsoft websites. As part of the Microsoft Trusted Root Certificate Program, MSFT maintains and publishes a list of certificates for Windows clients and devices in its online repository. If the verified certificate in its certification chain refers to the root CA that participates in this program, the system will automatically download this root certificate from the Windows Update servers and add it to the trusted ones.
Windows requests a trusted root certificate lists (CTL) renewal once a week. If Windows doesn’t have a direct access to the Windows Update directory, the system won’t be able to update the root certificates, so a user may have some troubles when browsing websites (which SSL certificates are signed by an untrusted CA – see the article about the “Chrome SSL error: This site can’t provide a secure connection”), or with installing/running signed scripts and apps.
In this article, we’ll try to find out how to manually update the list of root certificates in TrustedRootCA on isolated networks or computers/servers without a direct Internet connection.
Managing Trusted Root Certificates in Windows 10
How to see the list of root certificates of a Windows computer?
- To open the root certificate store of a computer running Windows 10/8.1/7/Windows Server, start the mmc.exe console;
- Select File -> Add/Remove Snap-in, select Certificates (certmgr) in the list of snap-ins -> Add;
- Select that you want to manage certificates of local Computer account;
- Next -> OK -> OK;
- Expand the Certificates node -> Trusted Root Certification Authorities Store. This section contains the list of trusted root certificates on your computer.
You can also get a list of trusted root certificates with expiration dates using PowerShell:
Get-Childitem cert:\LocalMachine\root |format-list
You can list the expired certificates, or which expire in the next 30 days:
Get-ChildItem cert:\LocalMachine\root | Where {$_.NotAfter -lt (Get-Date).AddDays(40)}
In the mmc console, you can view information about any certificate or remove it from trusted ones.
You can manually transfer the root certificate file between Windows computers using the Export/Import function.
- You can export any certificate to a .CER file by clicking on it and selecting All Tasks -> Export;
- You can import this certificate on another computer using the option All Tasks -> Import.
Rootsupd.exe Utility
In Windows XP, the rootsupd.exe utility was used to update computer`s root certificates. The list of root and revoked certificates in it was regularly updated. The utility was distributed as a separate update KB931125 (Update for Root Certificates). Let’s see if we can use it now.
- Download the rootsupd.exe utility using the following link
http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe. At the moment (August 2, 2019) the link doesn’t work, maybe Microsoft decided to remove it from the public. Today you can download the rootsupd.exe from kaspersky.com website — http://media.kaspersky.com/utilities/CorporateUtilities/rootsupd.zip; - To install the Windows root certificates, just run the rootsupd.exe file. But we will try to examine its contents more carefully. Extract the certificates from the executable file with the command:
rootsupd.exe /c /t: C:\PS\rootsupd
- Certificates are stored in SST files, like authroots.sst, delroot.sst, etc. To delete/install a certificate, you can use the following commands:
updroots.exe authroots.sst
updroots.exe -d delroots.sst
However, as you can see, these certificate files were created on April 4, 2013 (almost a year before the end of official support of Windows XP). Thus, since then the utility has not been updated and cannot be used to install up-to-date certificates. A little later we will need the updroots.exe file.
Certutil: Getting Latest Root Certificates from Windows Update
The latest version of the Certutil.exe tool for managing certificates (available in Windows 10), allows you to download from Windows Update and save the actual root certificates list to the SST file.
To generate an SST file, run this command with the administrator privileges on a computer running Windows 10 and having a direct access to the Internet:
certutil.exe -generateSSTFromWU roots.sst
As a result, an SST file containing up-to-date list of root certificates will appear in the target directory. Double-click to open it. This file is a container containing trusted root certificates.
As you can see, a familiar Certificate Management snap-in opens, from which you can export any of the certificates you have got. In my case, there have been 358 items in the list of certificates. Obviously, it is not rational to export the certificates and install them one by one.
certutil -syncWithWU. The certificates obtained in this way can be deployed on Windows clients using GPO. To install all the certificates from the SST file and add them to the list of trusted root certificates on a computer, you can use the PowerShell commands:
$sstStore = ( Get-ChildItem -Path C:\ps\rootsupd\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
To install all certificates listed in the file, use the updroots.exe (it is located in the rootsupd.exe file, which was extracted in the previous section).
updroots.exe roots.sst
Run the certmgr.msc snap-in and make sure that all certificates have been added to the Trusted Root Certification Authority.
The List of Root Certificates in STL Format
There is another way to get the list of root certificates from Microsoft website. To do it, download the file http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (updated twice a month). Using any archiver (or even Windows Explorer) unpack authrootstl.cab. It contains one file authroot.stl.
The Authroot.stl file is a container with a list of trusted certificates in Certificate Trust List format.
You can install this file in the system using the context menu of the STL file (Install CTL).
Or using certutil.exe tool:
certutil -addstore -f root authroot.stl
root "Trusted Root Certification Authorities" CTL 0 added to store. CertUtil: -addstore command completed successfully.
You can also import certificates using the certificate management console (Trust Root Certification Authorities -> Certificates -> All Tasks -> Import). Specify the path to your STL file with certificates.
After you have run the command, a new section Certificate Trust List appears in Trusted Root Certification Authorities container of the Certificate Manager console (certmgr.msc).
In the same way, you can download and install the list of the revoked (disallowed) certificates that have been removed from Root Certificate Program. To do it, download disallowedcertstl.cab (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab), unpack it and add to the Untrusted Certificates section using this command:
certutil -addstore -f disallowed disallowedcert.stl
Updating Root Certificates in Windows with GPO in an Isolated Environment
If you have the task of regularly updating root certificates in an Internet-isolated Active Directory domain, there is a slightly more complicated scheme for updating local certificate stores on domain joined computers using Group Policies. You can configure root certificate updates on user computers in the isolated Windows networks in several ways.
The first way assumes that you regularly manually download and copy to your isolated network a file with root certificates obtained as follows:
certutil.exe –generateSSTFromWU roots.sst
Then the certificates from this file can be distributed via SCCM or PowerShell logon script in GPO:
$sstStore = (Get-ChildItem -Path \\fr-dc01\SYSVOL\woshub.com\rootcert\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
The second way is to obtain the actual root certificates using the command:
Certutil -syncWithWU -f \\fr-dc01\SYSVOL\woshub.com\rootcert\
A number of root certificate files (CRT file format) will appear in the specified network shared folder, including files (authrootstl.cab, disallowedcertstl.cab, disallowedcert.sst, thumbprint.crt).
Then, using Group Policy Preference, you need to change the value of the RootDirURL parameter in the registry key HKLM\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate. This parameter should point to the shared network folder from which your Windows computers should receive new root certificates. Run the domain GPMC console, create a new GPO, switch to the edit policy mode and expand the section Computer Configuration -> Preferences -> Windows Settings -> Registry. Create a new registry property with the following settings:
- Action: Update
- Hive: HKLM
- Key path: Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
- Value name: RootDirURL
- Type: REG_SZ
- Value data: file://\\fr-dc01\SYSVOL\woshub.com\rootcert\
It remains to link this policy on a computer`s OU and after updating the policies to check for new root certificates in the certstore.
In this article, we looked at several ways to renew trusted root certificates on a Windows network that is isolated from the Internet.
16 comments
thanks for the very good article. And further what about using Powershell Import/Export-certificate ?
PoSh PKI module is available only since Windows Server 2012/ Win 8. To export all certs from trusted root certificate authorities on Windows machine on Windows 2008 r2/ Win 7 to the files you can use this script:
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$certs = get-childitem -path cert:\LocalMachine\AuthRoot
foreach($cert in $certs)
{
$hsh = $cert.GetCertHashString()
$path = “c:\certs\” + $hsh + “.der”
[System.IO.File]::WriteAllBytes($path, $cert.export($type) )
}
1. Install CTL does not exist as Context menu in Windows 10
2. certutil -addstore -f root authroot.stl
works OK, but then Microsoft Certificate Trust List Publisher shows error: “This certificate trust list is not valid. The certificate that signed the list is not valid
Apparently in your case, it’s easiest way to download the certificates from WU using the command:
certutil.exe -generateSSTFromWU roots.sst
Then you can import them using Import-Certificate cmdlet:
$sst = ( Get-ChildItem -Path C:\certs\roots.sst )
$sst| Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
Absolutely, that is exactly the way I done it
Still would like to understand where the error comes from & why…
Thank you! Reading how to do this on the MS site was pure obfuscation. Your method is so simple and 1/30th the size of MS completly useless article on doing the same.
Why would you post a url for root certificates from Microsoft over standard insecure http?
I was having trouble with this one as well until I realized that if you’re downloading certificates you might not get the HTTPS to establish without the certificates you need to download…
Would be nice if it was available via both HTTP and HTTPS though. My end user devices are behind a firewall that disallows HTTP but they can get to any HTTPS.
A lot of it is the redistribution licenses are tougher to get through than just hosting a verified file by https. But yeah, doesn’t make tons of sense.
Do you need disallowedcert.sst if you have disallowedcert.stl? Are they the same?
Sst and stl are two different file formats for transferring root certificates between computers. It is better to use disallowedcert.sst.
What makes SST better?
THREE things:
FIRST, on my Win 10 Pro 64-bit machine (version 1803), the ONLY .sst file I have is
Connected Devices Platform certificates.sst
in
C:\Users\[My Name]\AppData\Local\ConnectedDevicesPlatform
►Is that correct?
SECOND, after running certmgr.msc, I see a few lists of certificates, in which the two certificates that are issue BY my own computer TO my own computer are actually expired. What are they?
THIRD, which is how I found this excellent website, I am getting two to four AUDIT FAILURES on every reboot, Event 5061, for Cryptographic Operation, and they sometimes mention the same Microsoft Connected Devices Platform.
I have posted about these AUDIT FAILURES in detail at the following thread in technet – please go there to suggest answers:
https://social.technet.microsoft.com/Forums/windows/en-US/48425e2a-54c2-480d-8957-383415be2381/audit-failures-every-reboot-event-5061-cryptographic-operation-win-10-pro-64bit?forum=win10itprosetup
I have also received a possibly good hint at this link ABOUT CERTIFICATES POSSIBLY BEING RELATED but need more info:
https://social.technet.microsoft.com/Forums/windows/en-US/3e88df37-d718-4b1f-ac90-e06b597c0359/event-5061-audit-failures-every-reboot-cryptography-win-10-pro-64bit?forum=win10itprogeneral
WOuld appreciate your help – thanks.
Steam wasn’t working properly for me. Impossible to connect to the friend list. I had to run it in no-browser mode.
Then a video game (BDO) was failing at start: the DRM system couldn’t connect to endpoint.
Then another game was failing with no reason. No meaningful error message, no log.
And then I’ve check my certificates, noticed some were outdated, and found your post about how to do it. Guess what? Everything is fixed now. From Steam itself to other application issues. Thanks a lot!
This is very helpful, but it’s also a bit confusing about the authroot.stl file.
That isn’t a file that **contains** certificates – it really is just a **list** of certificates.
I’ve wasted days of testing based on that misunderstanding.
You need to get the actual certificates onto your device, which there seem to be many ways of accomplishing (and none that I’ve settled on yet.)
Anyhow, thanks for the info, and you might want to add some clarity around that.
Warning quote
“The rootsupd.exe (and the updroots.exe inside of it) are outdated and should not be used. In fact, they break the “Microsoft Root Certificate Authority” root certificate on modern systems (at least Windows 10 1803+). – Koraktor Jan 9 at 12:34″
Src: https://serverfault.com/questions/760874/get-the-latest-ctl-or-list-of-trusted-root-certificates#