33

And know which are not default ones installed by Microsoft?

NathaneilCapital
  • 441
  • 1
  • 4
  • 4

3 Answers3

26

To view your certificate stores, run certmgr.msc as described there. The "root" store contains the root CA, i.e. the CA which are trusted a priori. certmgr.msc shows you an aggregate view of all root CA which apply to the current user; internally, there are several relevant stores (the "local machine" stores apply to all users, the "current user" stores are specific to the current user; and there also are "enterprise" stores which are similar to "local machine" but meant to be filled automatically from the AD server of the current domain).

See this page for a list of all CA that Microsoft puts in Windows by default; any discrepancy would be a local variation. The list is occasionally updated, and this is propagated to your computer through the normal Windows update mechanisms.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Followed instructions, and see the lists of certificates in differrent folders, but the top level is "Certificate - Current User" and I did not find the "local machine" foder/node. Is this access right issue?I am the admin of the PC though. – NathaneilCapital Jan 10 '14 at 18:47
  • `certmgr.msc` shows an aggregate view -- i.e. what impacts the current user, and that's a merge of his "current user stores" and the "local machine stores". To view stores separately, use `mmc.exe` with the "certificate viewer" snap-in, which will give you that option. – Thomas Pornin Jan 10 '14 at 19:03
  • 3
    Be nice if there were a tool to automatically check the CA certificates are standard or not. – Petah Jan 05 '15 at 23:00
  • For anyone looking to add certs into the root CA, right-click "Trusted Root Certification Authorities" >> "All Tasks" >> "Import". – Pacerier Nov 06 '15 at 09:44
  • 2
    @Petah There is one: [`sigcheck`](https://technet.microsoft.com/en-us/sysinternals/bb897441), it is part of the Sysinternals Suite. If you run it from the `cmd` with `sigcheck -tv`, it does exactly that... – wb9688 Mar 25 '16 at 07:14
21

There is a Microsoft Sysinternals utility that does just that: SigCheck

It has many features and options but what you want is:

sigcheck -tv

and

sigcheck -tuv

-t[u][v] Dump contents of specified certificate store ('*' for all stores). Specify -tu to query the user store (machine store is the default). Append '-v' to have Sigcheck download the trusted Microsoft root certificate list and only output valid certificates not rooted to a certificate on that list. If the site is not accessible, authrootstl.cab or authroot.stl in the current directory are used instead, if present.

2072
  • 311
  • 2
  • 3
  • 1
    related: CertWatch essentially runs sigcheck -tu every hour and alerts you of any changes http://www.blaser.us/software/certwatch/ – Cheekysoft Jul 20 '16 at 08:11
1

There is an utility called RCC that checks Windows certificate authority storage and compares it to Microsoft Root Certificate Program list. Firefox certificate storage is also supported. But its authors are unknown and source code isn't published to date.
Discussion.

Ohnana
  • 4,737
  • 2
  • 23
  • 39
ayampolsky
  • 11
  • 1