Microsoft also provides certificate/CRL updates offline, known as CTL (Certificate Trust List) updates from the Microsoft Trusted Root Program.
You can download the certificate and CRL updates regularly and update the system.
The links below will be helpful:
Configure Trusted root
Microsoft Trusted root program
authrootstl.cab is the file Microsoft generally provides for these updates.
But this is not the only way to get certificate/CRL updates. Certificates generally contain information such as policy, thumbprint, certificate issuer, OCSP URL and CRL distribution point, and these parameters can be used to update the certificate manually or automatically.
For example, below are sample scripts in PowerShell and Bash for verifying certificates. They will only work if the certificate has an OCSP URL or CRL distribution point available. The scripts are just examples and not thoroughly tested.
PowerShell:
# Enumerate the certificates (not sub-containers) in the chosen store
$certData = Get-ChildItem -Path Cert:\LocalMachine\<STORE> | Where-Object { -not $_.PSIsContainer }
New-Item -ItemType Directory -Force -Path C:\Temp | Out-Null   # make sure the export folder exists
foreach ($cert in $certData)
{
    $thumbprint = $cert.Thumbprint
    # Export each certificate to disk so certutil can read it
    Export-Certificate -Cert $cert -FilePath "C:\Temp\$thumbprint.crt"
    # certutil -verify builds the chain and checks revocation using the CRL/OCSP URLs in the certificate
    certutil.exe -verify "C:\Temp\$thumbprint.crt"
}
Replace <STORE> with the name of the Windows certificate store you want to check.
Bash:
: > /tmp/output.ocsp   # start with an empty results file
for certs in $(find <path_to_cert_dir> -type f)
do
    # Read the OCSP responder URL from the certificate's Authority Information Access extension
    ocsp_url=$(openssl x509 -in "$certs" -noout -ocsp_uri)
    [ -z "$ocsp_url" ] && continue   # no OCSP URL in this certificate: nothing to query
    # Query the responder; the issuer certificate is needed to build the request
    openssl ocsp -issuer <cert_chain.cer> -cert "$certs" -text -url "$ocsp_url" >> /tmp/output.ocsp
done
Now process the OCSP output above as per your requirements.
Not all certificates contain an OCSP URL or CRL distribution point, so you may have to work with the subject or thumbprint and fetch the certificate update manually from the CA repository.
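As an added example (not code from the original post), the PowerShell script below does the same kind of check without exporting anything to disk: it reads the OCSP and CRL URLs straight from each certificate's own extensions and then builds the chain with revocation checking through .NET's X509Chain, so certificates that carry no revocation pointer show up with empty URL columns and can be handled manually. The default store name 'Root' and the function names are assumptions.

```powershell
# Added example, not code from the original post. Lists every certificate in a LocalMachine
# store, extracts its OCSP/CRL URLs and runs a chain build with revocation checking.
# Assumption: the store defaults to 'Root'; pass -StoreName CA, My, etc. to change it.
param([string]$StoreName = 'Root')
# Regexes over the formatted extension text; the OID in parentheses survives localisation.
$OcspPattern = '1\.3\.6\.1\.5\.5\.7\.48\.1\)[\s\S]*?URL=(\S+)'   # AIA access method = OCSP
$CrlPattern  = 'URL=(\S+)'                                       # any URL in the CRL DP extension
function Get-RevocationEndpoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ocsp = @(); $crl = @()
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.5.5.7.1.1' {   # Authority Information Access
                $ocsp += @([regex]::Matches($ext.Format($true), $OcspPattern) | ForEach-Object { $_.Groups[1].Value })
            }
            '2.5.29.31' {           # CRL Distribution Points
                $crl  += @([regex]::Matches($ext.Format($true), $CrlPattern)  | ForEach-Object { $_.Groups[1].Value })
            }
        }
    }
    [pscustomobject]@{ Ocsp = $ocsp; Crl = $crl }
}
function Test-CertificateRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # Online: fetch CRL/OCSP from the URLs in the certificate. Use 'Offline' to rely only on
        # CRLs already cached or imported by hand (the offline-update case discussed above).
        $chain.ChainPolicy.RevocationMode = 'Online'
        # Roots carry no revocation pointer, so they are excluded from the check (the default).
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        $valid  = $chain.Build($Cert)
        $status = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    } finally { $chain.Dispose() }
    [pscustomobject]@{ Valid = $valid; Status = $status }
}
Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $ep = Get-RevocationEndpoints -Cert $_
    $rv = Test-CertificateRevocation -Cert $_
    [pscustomobject]@{
        Subject = $_.Subject
        Valid   = $rv.Valid
        OcspUrl = ($ep.Ocsp -join ', ')
        CrlUrl  = ($ep.Crl  -join ', ')
        Status  = $rv.Status
    }
} | Format-Table -AutoSize -Wrap
```

Rows whose OcspUrl and CrlUrl are both empty are the certificates the last paragraph refers to: their status cannot be fetched automatically and must be looked up by subject or thumbprint at the CA repository.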