Get the latest CTL or list of trusted root certificates


Solution 1

I found the instructions at the bottom of this page to be useful.

Specifically, running

    CertUtil -generateSSTFromWU Rootstore.sst

gave me a file with all the needed certs. I was then able to transfer that Rootstore.sst file to another machine, open the file and install the desired certs from it.

When opening the file in Certmgr I'm able to see all the certs. I can then add any that I need (to install Visual Studio 2015 on an offline Windows 7 box, I needed the "Microsoft Root Certificate Authority 2010" and "Microsoft Root Certificate Authority 2011") by double-clicking to open them, then clicking the install button. However, when I selected "Automatically select the certificate store based on the type of certificate", it didn't put these in the trusted root. Instead I had to manually pick the certificate store and then select "Trusted Root Certification Authorities".
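
The install step described in Solution 1, scripted for the offline machine. This is an added example, not part of the original answer; it uses .NET classes rather than the PKI cmdlets so that it also runs on the PowerShell 2.0 shipped with Windows 7. The file path and the `$wanted` list are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original answer). Run elevated on the offline machine.
# Assumed: Rootstore.sst was produced on an online machine with
#   certutil -generateSSTFromWU Rootstore.sst
# and copied to the path below.
$sstPath = 'C:\Temp\Rootstore.sst'          # assumed location
$wanted  = @('Microsoft Root Certificate Authority 2010',
             'Microsoft Root Certificate Authority 2011')

# Print the file's SHA-256 so it can be compared with the value computed on the
# machine that generated it (detects corruption or tampering in transit).
$sha   = [System.Security.Cryptography.SHA256]::Create()
$bytes = [System.IO.File]::ReadAllBytes($sstPath)
$hash  = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
Write-Host "SHA-256 of ${sstPath}: $hash"

# Load every certificate in the serialized store without installing anything.
$all = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$all.Import($sstPath)

# Keep only the named roots, and only if they are self-issued.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$selected = @($all | Where-Object {
    ($wanted -contains $_.GetNameInfo($nameType, $false)) -and
    ($_.Subject -eq $_.Issuer)
})

# Open the machine-wide "Trusted Root Certification Authorities" store explicitly,
# instead of relying on automatic store selection.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    foreach ($cert in $selected) {
        # Show what is about to be trusted; compare thumbprints with a trusted reference.
        Write-Host ("Adding {0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
        $store.Add($cert)
    }
} finally {
    $store.Close()
}
```

Only the certificates named in `$wanted` are added, so the rest of the SST file never enters the trust store.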

Solution 2

The article at https://netflex.nl/automatische-ca-root-updates-op-windows/ suggests that you download the root certificates with rootsupd.exe, available at http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe. I'm surprised though that the exe is not signed.
Use at your own risk.

Solution 3

Our team actually just developed a tool to automatically update the root certificates on Windows 10, Server 2012/2016/2019.

It's free.

https://asher.tools/root-certificate-updater

Author by

kimo pryvt

Love all technology related subjects.

Updated on September 18, 2022

Comments

  • kimo pryvt almost 2 years

    I need to implement a service that does not start because the certificate cannot be validated. This certificate has a root CA that was recently created, so my Windows 7 machines do not trust this CA. My machines do not have internet access and can't download the list of trusted root certificates (CTL) from Windows Update.

    https://technet.microsoft.com/en-us/library/dn265983.aspx
    

    This TechNet article says that this CTL can be downloaded from the Microsoft Download Center, but I have searched and I just found a KB from 2013 that contains the CTL.

    My question is: where can I find the latest version of this list of trusted certificates?

    Note: I can't add a certificate manually or via script.

    • Michael Hampton over 8 years
      The Technet article explains several methods you can use to download the certificates. Have you read the complete article?
    • kimo pryvt over 8 years
      Yes, I have read it and have understood that there are two methods to update via a server os a package created with iexpress that contains the list of valid certificates or a web server.
    • kimo pryvt over 8 years
      What I need is one of those iexpress packages that contains the list, that is supposedly in Microsoft downloads.
    • Jofre over 8 years
      What if you just push the Root CA used to generate the server certificate to the Win7 client? This should be enough to validate the service.
    • kimo pryvt over 8 years
      Adding the certificate manually works fine, but I can't do this because the company that I am working for requires that the CTL must be updated by this Microsoft update.
  • Paul Stelian almost 6 years
    404 error on the EXE
  • Koraktor over 5 years
    The rootsupd.exe (and the updroots.exe inside of it) are outdated and should not be used. In fact, they break the "Microsoft Root Certificate Authority" root certificate on modern systems (at least Windows 10 1803+).