23

Over time I have installed several additional trusted CA certificates to Windows trust store, sometimes because an app pushed me to do so, other times for reasons of development and testing.

Is there any command to restore the default (or currently MS recommended) trusted CA certificates and delete any other entries?

Jaime Hablutzel
  • I'm voting to close this question as off-topic because it should have been migrated to SuperUser at the time. – schroeder Dec 01 '19 at 21:41
  • @schroeder Why did this question become off-topic after 5 years? – qdinar Jun 27 '20 at 12:18
  • @qdinar Because it is not about security, but about how to do something in Windows. It came to light when someone tried to answer it 5 years later. – schroeder Jun 27 '20 at 14:39
  • @schroeder How is it not about security? This is like https://security.stackexchange.com/questions/106345/check-root-certificates-and-certificate-authorities-on-new-pc . I came here from there. The security implications of having bad certificates are described there, and the answers to this question address that. Maybe you think that one is also off-topic? – qdinar Jun 27 '20 at 21:02

3 Answers

12

Theoretically, you could apply the following method:

  1. Delete all root CA certificates except the ones that are absolutely needed by Windows itself, as indicated here.

  2. Install the current list of trusted root CA from the current package. Note that validation of this package requires that you still trust one of the "necessary" root CA, which is why you must keep them in the first step.

I emphasize that I have not tested this method. As a preparatory step, you may want to first make a backup of all these certificates: run certmgr.msc, open the Root store, select them all (e.g. with Ctrl-A), then right-click and choose to export them all as a PKCS#7 file. That file will contain a copy of all the certificates, which should allow you to repair things, if the method above fails in some way. There again, the recovery is untested.

Be wary of the multiplicity of stores. certmgr.msc shows an aggregate view containing certificates from various sources ("physical stores"). To understand what you are about to do, in the certificate manager, right-click on the Certificates node (root node of the tree in the left pane), select View then Options, and select the Physical certificate stores box. This process is described in this blog entry (with screenshots).

Glorfindel
Tom Leek
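The backup step above, done from PowerShell instead of certmgr.msc, as an added example that is not Tom Leek's code: it writes each Root store to an .sst file (a serialized store, which Import-Certificate can read back), and then lists the physical stores that the aggregate "Trusted Root Certification Authorities" view is built from, so you can see where a root came from before deleting it. The backup directory is an assumption.

```powershell
# Added example, not from the answer above. Back up the Root stores to .sst
# files, then show which physical store each trusted root lives in.
$backupDir = 'C:\certbackup'          # assumed location, change as needed
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# One .sst per logical store. Export-Certificate -Type SST accepts a whole
# collection from the pipeline and writes a single file.
foreach ($loc in 'LocalMachine', 'CurrentUser') {
    $certs = @(Get-ChildItem -Path "Cert:\$loc\Root")
    $file  = Join-Path $backupDir "Root-$loc-$stamp.sst"
    $certs | Export-Certificate -FilePath $file -Type SST | Out-Null
    Write-Host ("{0} Root: {1} certificates backed up to {2}" -f $loc, $certs.Count, $file)
}

# certmgr.msc merges several physical stores into one view. certutil can
# address them separately:
#   (no flag)      the registry store of the machine
#   -user          the registry store of the current user
#   -enterprise    roots distributed from Active Directory
#   -grouppolicy   roots pushed by Group Policy
$views = @(
    @{ Name = 'Machine registry'; Args = @('-store', 'Root') },
    @{ Name = 'Current user';     Args = @('-user', '-store', 'Root') },
    @{ Name = 'Enterprise (AD)';  Args = @('-enterprise', '-store', 'Root') },
    @{ Name = 'Group Policy';     Args = @('-grouppolicy', '-store', 'Root') }
)
foreach ($v in $views) {
    Write-Host "`n== $($v.Name) =="
    $certutilArgs = $v.Args
    # certutil prints a lot per certificate; keep only subject and SHA-1 hash.
    & certutil.exe $certutilArgs |
        Where-Object { $_ -match '^\s*(Subject|Cert Hash\(sha1\)):' }
}
```

To restore a backup, run `Import-Certificate -FilePath C:\certbackup\Root-LocalMachine-<stamp>.sst -CertStoreLocation Cert:\LocalMachine\Root` from an elevated prompt. Roots that arrive through the enterprise or Group Policy stores will come back at the next policy refresh regardless of what you delete locally, so those are the ones to fix at the source rather than on the client.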
8

I found the following simple method to remove the locally trusted CA certificates not present in the official and current Microsoft Certificate Trust List:

First download Sigcheck (https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck) and then execute:

>sigcheck.exe -tuv
... 
Listing valid certificates not rooted to the Microsoft Certificate Trust List:

User\Root:
   Test Purpose CA
        Cert Status:    Valid
        Valid Usage:    All
        Cert Issuer:    Some development Root CA
        Serial Number:  01
        Thumbprint:     9CB31B0AE15867B5E29C4F7E21FE195C2AF24FE3
        Algorithm:      sha1RSA
        Valid from:     2:10 PM 2/5/2015
        Valid to:       2:10 PM 2/5/2025
   LLAMA.PE Root CA - R2
        Cert Status:    Valid
        Valid Usage:    All
        Cert Issuer:    Some third party Root CA
        Serial Number:  01 E0 DA 86 CC 7D 58 ED D8 62 E6 47 A2
        Thumbprint:     1B4AEFF4FB8E2BEFEB3A8FE60D03D24269AB4A6B
        Algorithm:      sha256RSA
        Valid from:     7:00 PM 3/14/2017
        Valid to:       7:00 PM 3/14/2037
...

Then simply delete all the displayed CAs with something like certmgr.msc.

Notes

  • This method will only help to delete locally trusted CA certificates that don't exist in the Microsoft Certificate Trust List, but it won't install the Microsoft Certificate Trust List CAs not currently installed in the local store (e.g. the manually removed ones).
  • This checks the current user store, not the machine store. For checking the machine store, just omit the u in the arguments.
  • The output seems to include only valid certificates, e.g. I've observed that a locally trusted CA with a signature that Windows was unable to validate wasn't listed and I had to check it and remove it manually.

Credits to the following site, http://woshub.com/how-to-check-trusted-root-certification-authorities-for-suspicious-certs/.

Jaime Hablutzel
  • `I've observed that a locally trusted CA with a signature that Windows was unable to validate wasn't listed and I had to check it and remove it manually.` But isn't that a complete deal-breaker? Can't those certificates still pose a threat somehow? – gd1 Feb 21 '21 at 19:06
-1
  1. Create a VirtualBox VM or download a pre-made VM from Microsoft (the pre-made VM will include a few extra certs for code signing and Visual Studio).
  2. Install Windows 10 (here is a wrapper that uses the official Windows 10 Media Creation Tool, but it will include enterprise releases and serials pre-activating your ISO).
  3. Load mmc.msc
  4. Add certificates snap-in
  5. Choose "computer"
  6. Note the certificates listed
  7. Export what you are missing and copy them to your main PC
  8. Back up & then delete every cert on your primary PC that you don't see in Windows 10 VM.
  9. Import VM Certs into primary windows system.

Ignore the votes if they are sabotaged, this is the only solution listed here to actually reset to default. I had a lot of illegitimate and distrusted certs in my trusted certificate list thanks to the Rootsupd.exe utility tutorial here. No bad cert detection tool, anti-virus or security software detected them. Thus I removed over 300 Trusted Root certs from my Windows 10 installation and have only 36 left without any issue. I did this because each certificate, even legit ones, increases the attack surface.

Importing the entire list is not a reset to default, and is a potential security hazard, however if you want to import the entire list of 400 certs you may download the list from Windows Update:

In Powershell/CMD Run cd C:\ps\rootsupd\ then certutil.exe -generateSSTFromWU roots.sst

Then In Powershell:

$sstStore = ( Get-ChildItem -Path C:\ps\rootsupd\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

Or

Import certs from Windows Update using just powershell:

cd c:\certs\
certutil.exe -generateSSTFromWU roots.sst
$sst = ( Get-ChildItem -Path C:\certs\roots.sst )
$sst | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
schroeder
Tyler
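The two approaches above can be combined: sigcheck -tuv compares the local store against the Microsoft Certificate Trust List but skips certificates Windows cannot validate, and certutil -generateSSTFromWU fetches that same list as an .sst. The script below, an added example that is not code from either answer, downloads the list with certutil, compares it with the machine Root store by SHA-1 thumbprint (so an un-validatable root is still reported, which addresses gd1's comment), and prints a report. It deletes nothing unless run with -Remove, and then asks for confirmation per certificate. The work directory is an assumption.

```powershell
# Added example, not from any answer on this page. Audit the machine Root
# store against the current Microsoft CTL downloaded from Windows Update.
# Report only by default; -Remove deletes extras, one confirmation each.
param(
    [string]$WorkDir = 'C:\certaudit',   # assumed path
    [switch]$Remove
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$sstPath = Join-Path $WorkDir 'roots.sst'

# certutil writes the authoritative root list from Windows Update as an .sst.
& certutil.exe -generateSSTFromWU $sstPath | Out-Null
if (-not (Test-Path $sstPath)) { throw "certutil did not produce $sstPath" }

# Load the .sst into memory without importing anything into a store.
$ctl = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$ctl.Import($sstPath)
$ctlByThumb = @{}
foreach ($c in $ctl) { $ctlByThumb[$c.Thumbprint] = $c }

$local = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# Installed locally but not distributed by Microsoft: these are the candidates
# for removal. Thumbprint matching ignores signature validity, so a root with
# a signature Windows cannot validate still shows up here.
$extra = @($local | Where-Object { -not $ctlByThumb.ContainsKey($_.Thumbprint) })

# Distributed by Microsoft but not installed here. This is normal: Windows
# installs most roots on demand through Automatic Root Certificates Update,
# so "missing" entries need no action.
$localThumbs = @($local | ForEach-Object { $_.Thumbprint })
$missing = @($ctl | Where-Object { $localThumbs -notcontains $_.Thumbprint })

"CTL from Windows Update: {0} roots; local machine Root store: {1} roots" -f $ctl.Count, $local.Count
"`nInstalled locally but not on the Microsoft CTL ({0}):" -f $extra.Count
foreach ($c in $extra) {
    "  {0}  {1}  expires {2:yyyy-MM-dd}" -f $c.Thumbprint, $c.Subject, $c.NotAfter
}
"`nOn the CTL but not installed locally ({0}); no action needed." -f $missing.Count

if ($Remove -and $extra.Count -gt 0) {
    foreach ($c in $extra) {
        # Remove-Item on the Cert: drive deletes the certificate from the store;
        # -Confirm prompts for each one so the list can be reviewed as it goes.
        Remove-Item -Path ("Cert:\LocalMachine\Root\" + $c.Thumbprint) -Confirm
    }
}
```

Run it from an elevated PowerShell prompt; replace LocalMachine with CurrentUser to audit the user store that sigcheck -tuv looks at. Review the report before using -Remove: Tom Leek's first step still applies, so anything the report lists that Windows itself relies on should be kept, and a root that keeps reappearing after deletion is almost certainly coming from the enterprise or Group Policy physical store rather than the local registry store.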