
I have a provider that complains the trusted root certificates on our several Windows Server systems (2008, 2012, 2016, 2019) are outdated. I was not able to prove the opposite. For sure, "Turn off Automatic Certificate Update" is not configured on any of those systems, and thus the root store should be updated.

First question: anyway, is there a simple automated way (or even a slick tool) that would compare the actually installed trusted root certificates on a Windows system against the newest trusted roots on the internet?

I could

  • download the latest root certificates with "certutil -generateSSTFromWU WURoots.sst"
  • do some magic with the PowerShell *CERT* commands (see "Get-Command *CERT*")
  • compare serial numbers, thumbprints, etc.

Yet, I am not really a programmer.

Perhaps there is a tool around which would do what I'd need?

Second question: besides comparing, is there a simple way to force the root certificates to be updated? Yes, I could go this way:

  • certutil -generateSSTFromWU WURoots.sst
  • select the certificates I need and export them into their own .sst file
  • use Import-Certificate (or distribute over GPO)

Surely there is a less complicated and more automated way?

Thanks, Dan


2 Answers


By default, root certificates are automatically updated through Windows Update.

Do you perhaps have this feature disabled in your environment through GPO? You can check whether the key below has been set; it does not exist by default:

# The policy key is absent unless a GPO created it, so suppress the "path not found" error
Get-ItemProperty HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue

It also requires certain updates for 2008/2012, such as KB3004394, so make sure you are up to date in general.


I don't recommend managing root certs manually, but you can easily view the existing certs using the Certificate provider, like:

Get-ChildItem -Path Cert:\LocalMachine\CA\

And maybe you want to compare your local certificates to those on a remote machine:

# Get the list of local root/CA certificates
$localCerts = (Get-ChildItem -Path Cert:\LocalMachine\CA\) + (Get-ChildItem -Path Cert:\LocalMachine\Root\)

# Compare to the same certificates on a remote server
$result = Invoke-Command -ComputerName 'Server01' -ScriptBlock {
  $remoteCerts = (Get-ChildItem -Path Cert:\LocalMachine\CA\) + (Get-ChildItem -Path Cert:\LocalMachine\Root\)
  # Thumbprint identifies the exact certificate, so re-issued roots show up as differences too
  Compare-Object $using:localCerts $remoteCerts -Property Thumbprint -PassThru
}

# Display certificates that don't match (<= only local, => only remote)
$result | Select-Object SideIndicator, Thumbprint, FriendlyName, Subject

Here's an example comparing Windows 10 and Server 2016. You can see one of the differences is that my local machine has a TPM module it trusts:

SideIndicator Thumbprint                               Subject                                                                                          
------------- ----------                               -------                                                                                          
=>            DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 CN=GeoTrust Global CA, O=GeoTrust Inc., C=US                                                     
<=            D4FFDB19BA590FFFAA34DB5F4B568706A2978436 CN=Microsoft TPM Root Certificate Authority 2014, O=Microsoft Corporation, L=Redmond, S=Washin...
Cpt.Whale
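The question's three steps (pull the current list with certutil, load it with the PowerShell certificate cmdlets, compare thumbprints) and the answer's Compare-Object approach can be combined into one script. What follows is an added example, not code from the question or from either answer. It assumes certutil.exe is on PATH, the machine can reach Windows Update, and the session is elevated. One caveat to read the output with: since Windows Vista the Root store does not hold the whole Microsoft list; a root is fetched on demand the first time a chain needs it, so entries that exist only on the Windows Update side are expected and are not evidence of an outdated store. The results worth attention are roots that exist only locally (removed from the Microsoft list, or enterprise roots you distribute yourself) and roots that have expired.

```powershell
# Added example (not from the question or answers): compare the local
# LocalMachine\Root store against the root list Windows Update publishes today.
# Assumptions: certutil.exe on PATH, outbound access to Windows Update, elevated session.

function Test-RootAutoUpdateEnabled {
    # The policy key only exists when a GPO created it; absent or 0 means auto-update is on.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' `
                               -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return (-not $policy) -or ($policy.DisableRootAutoUpdate -eq 0)
}

function Get-WindowsUpdateRootCertificates {
    param([string]$SstPath = (Join-Path $env:TEMP 'WURoots.sst'))

    # Same command the question mentions: writes the current Microsoft root list as a .sst store
    & certutil.exe -generateSSTFromWU $SstPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $SstPath)) {
        throw "certutil -generateSSTFromWU failed (exit code $LASTEXITCODE)"
    }

    # X509Certificate2Collection reads the serialized-store (.sst) format directly
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($SstPath)
    # Emit the individual certificates so the caller gets a plain array
    $collection | ForEach-Object { $_ }
}

function Compare-RootStoreWithWindowsUpdate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$WURoots,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )

    $localRoots = @(Get-ChildItem -Path $StorePath)
    $now = Get-Date

    # Thumbprint is the SHA-1 hash of the whole certificate, so a re-issued root
    # (same subject, new key or validity) shows up as a difference, not just additions/removals.
    $diff = Compare-Object -ReferenceObject $WURoots -DifferenceObject $localRoots `
                           -Property Thumbprint -PassThru

    foreach ($cert in $diff) {
        $state = switch ($cert.SideIndicator) {
            '=>' { 'LocalOnly' }   # in the local store, not in today's Windows Update list
            '<=' { 'WUOnly' }      # published by Windows Update, not (yet) downloaded here
        }
        [pscustomobject]@{
            State      = $state
            Expired    = ($cert.NotAfter -lt $now)
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
        }
    }
}

# Usage
if (-not (Test-RootAutoUpdateEnabled)) {
    Write-Warning 'DisableRootAutoUpdate is set by policy; roots will not refresh automatically.'
}
$wuRoots = @(Get-WindowsUpdateRootCertificates)
$report  = Compare-RootStoreWithWindowsUpdate -WURoots $wuRoots

# WUOnly entries are normal (fetched on demand); review LocalOnly and expired roots
$report | Where-Object { $_.State -eq 'LocalOnly' -or $_.Expired } |
    Sort-Object State, Subject | Format-Table State, Expired, NotAfter, Thumbprint, Subject -AutoSize
```

Run it on each server (or wrap the two functions in Invoke-Command as the answer above does) and keep the full `$report` if you want to see the WUOnly set as well. A LocalOnly root that you did not distribute yourself, for example via AD CS or GPO, is the case to investigate, since it means the Microsoft list no longer carries that certificate. If, after reviewing, you still want to pre-load the Windows Update roots rather than rely on on-demand download, the same .sst file can be fed to Import-Certificate with -CertStoreLocation Cert:\LocalMachine\Root, which is the manual route the question describes and the answer advises against.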

I am using SigCheck for this.

sigcheck.exe -tv

It lists certificates not rooted in the Microsoft Certificate Trust List.

I use this from a PowerShell script to alert me about untrusted certificates.

Peter Hahndorf