Update for Root Certificates


  • Hi,

    Actually, due to proxy problems, we have prohibited Windows clients from automatically updating their Trusted Root Certificates Authorities. We manage this by deploying the "Update for Root Certificates [November 2009] (KB931125)" update using WSUS.

    Most of our workstations are Windows XP, and now we are working on deploying Windows 7. How can we handle the problem described above?
    I mean, the Update for Root Certificates is designed for Windows XP. I see that Windows 7 workstations won't receive it from WSUS. We tried to manually install the update on some machines and it worked, but it will be a hard task to update all machines manually :o)

Thanks in advance,

    Tuesday, March 23, 2010 3:11 PM

All replies

  • From what I see, this update is only needed for XP PCs and Windows 7 doesn't need it.

    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter
    Tuesday, March 23, 2010 3:52 PM
I thought that too, but some web sites here use Usertrust certificates, and for some reason they are not trusted by an out-of-box Windows 7. The web sites are only trusted after manually installing the root certificate in the Trusted Root store (which is painful for the users to do) or installing the update above.

    Wednesday, March 24, 2010 12:46 PM
  • You can download the package of KB931125, then use the command “DISM” to add this package to the Windows 7 image. Then you may deploy Windows 7 with this image.

    Operating System Package Servicing Commands

    Arthur Xie - MSFT
    Thursday, March 25, 2010 8:42 AM
  • Ok, it's a good option. But I still need to update the Windows 7 desktops that are already running :)

    The perfect resolution for me would be an "Update for Root Certificates" for Windows 7.

    Anyway, thanks for the info Arthur!

    Thursday, April 1, 2010 10:29 PM
  • Hi,

    Currently we cannot download the update package manually. It needs to be installed via Windows Update. Therefore as you mentioned, you need to install a sample Windows 7 system and apply that update. Then get the package from the system.

    Arthur Xie - MSFT
    Friday, April 2, 2010 4:55 AM
  • Sorry, but what's the name of this package on Windows 7? I've searched for it, but couldn't find it.

    We have WSUS here too, but again I couldn't find the package in it. The package "KB931125" is the one that's only for Windows XP...

    Thursday, April 8, 2010 2:32 PM
Just to let you know, I've managed to solve this problem.

On Windows XP, the "automatic update of root certificates" feature doesn't know how to work behind a proxy. It tries to directly download the new root certificates, but gets blocked by our proxy. To stop the crypt32 errors from showing up in the Event Log, we disabled this feature (by GPO).

But now on Windows 7 I've just found that this same feature knows that it's behind a proxy, and even asks for authentication. The update is automatically triggered every time the user faces a still unknown certification authority. I just re-enabled the feature on our domain policy, and it worked perfectly!

    Some additional info:

BTW, now I'm pretty sure that there isn't any kind of KB931125 for Windows 7.

    Monday, June 7, 2010 1:30 PM
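The post above re-enables the root auto-update policy and relies on CAPI2 fetching the missing root when a chain is built. The following is an added example (not code from the thread or from Microsoft) that shows the weak XP-era setting next to the corrected one, and a small chain-build check to confirm that a previously unknown CA is now picked up. The function names (Get-RootAutoUpdateState, Enable-RootAutoUpdate, Disable-RootAutoUpdate, Test-ChainsToTrustedRoot) are assumed names chosen here. The registry value is the one written by the GPO "Turn off Automatic Root Certificates Update" (Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings); on a domain-joined machine the GPO will reapply whatever it holds, so the lasting fix belongs in the GPO, not in a local edit.

```powershell
# Added example, not from the thread. Assumed names: Get-RootAutoUpdateState,
# Enable-RootAutoUpdate, Disable-RootAutoUpdate, Test-ChainsToTrustedRoot.
# Run elevated; the policy key is machine-wide.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-RootAutoUpdateState {
    $v = (Get-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate `
            -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($null -eq $v) { return 'Enabled (no policy value present)' }
    if ($v -eq 1)     { return 'Disabled by policy' }
    return "Enabled (DisableRootAutoUpdate=$v)"
}

# Weak setting: the XP-era workaround. It silences the crypt32 events but
# leaves every new root untrusted until someone imports it by hand.
function Disable-RootAutoUpdate {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate -Value 1 -Type DWord
}

# Corrected setting for Windows 7: remove the override so CAPI2 fetches
# roots on demand (through the configured proxy).
function Enable-RootAutoUpdate {
    if (Test-Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate `
            -ErrorAction SilentlyContinue
    }
}

# Build a chain for a leaf or intermediate .cer. With auto-update enabled,
# a chain that ends in a root Windows does not yet have triggers the
# download; the Root field shows which anchor the chain ended at.
function Test-ChainsToTrustedRoot {
    param([Parameter(Mandatory)][string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is a separate question here
    $ok = $chain.Build($cert)
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Trusted = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Root    = $last.Subject
    }
}

# Usage (assumed path):
#   Get-RootAutoUpdateState
#   Enable-RootAutoUpdate
#   Test-ChainsToTrustedRoot -CerPath C:\temp\site.cer
```

Run Test-ChainsToTrustedRoot once with the policy disabled and once after Enable-RootAutoUpdate: the Status field moves from UntrustedRoot (or PartialChain) to NoError only if the machine could actually reach the update URL through the proxy, which is the quickest way to tell a policy problem from a proxy problem.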
  • Eduardo,

    I'm in agreement with you that KB931125 doesn't seem to be applicable to Windows 7. As far as I know, the CryptoAPI 2.0 (Cryptography Next Generation -- CNG) engine in Windows 7 automatically engages an update process in the background when it encounters a certificate that it doesn't trust. If the computer has access to the Internet, then it will automatically obtain the latest trusted root CA cab file from:

    What's interesting is that if I download the above file manually and then extract it, I can right-click on the certificate trust list (STL) file and click install CTL. So, theoretically if I needed to push the trusted root CA updates to systems that can't access the above URL, I could download this CAB file, and extract it. But then I think we're at a crossroads of two options:

    1) Import the STL file into a package distribution mechanism such as System Center Configuration Manager (SCCM) or a computer startup script in AD. In this case, my question is: what is the command line to import a STL file?

    2) Import the STL file into a group policy object (GPO) in Active Directory---into the trusted root CA list. Not sure if this option is possible without further testing.

    Another question: why is it that when I double-click the STL file, I see an error that says "This certificate trust list is not valid. The certificate that signed the list is not valid." Additionally, if I click "View Signature", and then click "View Certificate", and then click the "Certificate Path", I can see that the "Microsoft Certificate Trust List Publisher" certificate has an error: "This certificate does not appear to be valid for the selected purpose." What's the story with this error?


    Monday, January 10, 2011 9:52 PM
  • I haven't tested this yet... but maybe the following procedure will work. Can someone from Microsoft verify?

    First, a prerequisite: The "disconnected machine" needs to be able to access the following URLs to validate the certificate used to sign the STL:

    Next, download the file via:
    and extract the CAB file.

    Put the .STL file on your "disconnected machine". Then, run the following command from an elevated command prompt:
    certutil.exe -f authroot.stl

    Did that update the Root CAs for you?

    Tuesday, January 11, 2011 12:59 AM
  • For anyone else having this issue:

    - Any Windows 7 machines that are behind a firewall/proxy (that is blocking access to*), this problem may come up.

    - Work around: download and install the updated root certs.

    Tuesday, July 10, 2012 3:44 AM
  • I really would like to know what the issue is with Microsoft Certificate Trust List Publisher which shows error: “This certificate trust list is not valid. The certificate that signed the list is not valid" when installing

    certutil -addstore -f root authroot.stl

    Interesting writeup about the process is here, but no mention of that very error

    And also on Windows 10 there seems to be no right-click context menu for Install CTL

One just needs to pick up bits from, e.g., Windows 7

    Windows Registry Editor Version 5.00
    "Content Type"="application/"
    @="Certificate Trust List"

    But importing the .stl file does NOT import all certificates to TRCA branch. It only imports 9 certificates

    The only way to get all of them imported is to generate

certutil -generateSSTFromWU Rootstore.sst

    and use it

    #IMPORT SST (Microsoft serialized certificate store)
    $file = ( Get-ChildItem -Path C:\temp\Rootstore.sst )
    $file | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

    • Edited by scerazy Tuesday, November 14, 2017 12:11 PM
    Tuesday, November 14, 2017 11:56 AM
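The post above gets the full set imported by generating an SST on a connected machine and piping it into Import-Certificate. The STL is a signed list of certificate hashes rather than the certificates themselves, which is why installing it does not populate the Root store; the SST from -generateSSTFromWU carries the actual certificates. What Import-Certificate does not give you is a record of what changed, a guard against importing a tampered file (the SST, unlike authroot.stl, carries no signature), or a check that nothing but self-signed anchors lands in Root. The following added example (not from the thread or from Microsoft) does those three things. The function names New-WURootStore and Import-MissingRoots and the path C:\temp\Rootstore.sst are assumptions; Get-FileHash needs PowerShell 4 or later, and the import must run elevated.

```powershell
# Added example, not from the thread. Assumed names: New-WURootStore,
# Import-MissingRoots, C:\temp\Rootstore.sst.

# Step 1, on a machine that CAN reach Windows Update: pull the complete
# authroot set into a serialized certificate store (SST) and return its hash.
function New-WURootStore {
    param([string]$Path = 'C:\temp\Rootstore.sst')
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    & certutil.exe -generateSSTFromWU $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
    # The SST is not signed, so record a hash to verify after the file has
    # crossed the proxy/air gap by whatever transport you use.
    (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
}

# Step 2, on the disconnected machine (elevated): add only the roots that
# LocalMachine\Root does not already contain, and report what happened.
function Import-MissingRoots {
    param(
        [Parameter(Mandatory)][string]$SstPath,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [switch]$WhatIf
    )
    $actual = (Get-FileHash -Algorithm SHA256 -Path $SstPath).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Refusing to import: SHA256 $actual does not match expected $ExpectedSha256"
    }

    # X509Certificate2Collection.Import understands the SST container format.
    $incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $incoming.Import($SstPath)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $have = @{}
        foreach ($c in $store.Certificates) { $have[$c.Thumbprint] = $true }

        $added = @(); $present = 0; $rejected = @()
        foreach ($cert in $incoming) {
            if ($have.ContainsKey($cert.Thumbprint)) { $present++; continue }
            # Root holds self-signed anchors only; refuse anything else rather
            # than silently turning it into a trust anchor.
            if ($cert.Subject -ne $cert.Issuer) { $rejected += $cert.Thumbprint; continue }
            if (-not $WhatIf) { $store.Add($cert) }
            $added += [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
            }
        }
    } finally {
        $store.Close()
    }

    [pscustomobject]@{ Added = $added; AlreadyPresent = $present; Rejected = $rejected }
}

# Usage:
#   online machine:   $hash = New-WURootStore -Path C:\temp\Rootstore.sst
#   offline machine:  Import-MissingRoots -SstPath C:\temp\Rootstore.sst -ExpectedSha256 $hash -WhatIf
#                     then again without -WhatIf once the Added list looks right.
```

Run with -WhatIf first and read the Added list: it is the exact set of new trust anchors the machine is about to accept, which is worth a glance before it goes into a GPO or SCCM package for the whole fleet.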
  • Anybody?

Or is it just one of the errors that Microsoft made us get used to?

    Friday, November 17, 2017 8:27 PM
  • Nobody at all has anything to add?
    Saturday, November 25, 2017 9:28 AM