Topic: 1000003: Manually install the latest Microsoft root certs @ AskWoody

1000003: Manually install the latest Microsoft root certs

Posted on woody Comment on the AskWoody Lounge
Home › Forums › Knowledge Base › 1000003: Manually install the latest Microsoft root certs

Tagged: root cert update
- This topic has 15 replies, 9 voices, and was last updated 1 year, 2 months ago.
Viewing 4 reply threads
- Author
  
  Posts
- - February 4, 2017 at 5:38 pm #89555 Reply
    
    woody
    Da Boss
    
    AKB1000003: Manually install the latest Microsoft root certs
    
    By VulturEMaN
    
    Published 4 Feb 2017 rev 1.0
    
    1. Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and save in c:\temp\
    
    2. Extract the files using the command c:\temp\rootsupd.exe /c /t:C:\temp\extroot
    
    3. from an elevated prompt run the following commands in this order:
    
    cd C:\temp\extroot\
    
    updroots.exe authroots.sst
    
    updroots.exe updroots.sst
    
    updroots.exe -l roots.sst
    
    updroots.exe -d delroots.sst
  - July 8, 2017 at 1:30 pm #123850 Reply
    
    anonymous
    Guest
    
    The link in step 1 does not work. It comes back with a 404 File or directory not found error: “The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.” What is the correct links? Thanks.
    - July 8, 2017 at 3:47 pm #123868 Reply
      
      PKCano
      Da Boss
      
      I will post when I have an answer.
    - July 8, 2017 at 7:28 pm #123884 Reply
      
      PKCano
      Da Boss
      
      The link is now valid.
      
      1 user thanked author for this post.
      
      satrow
      
      July 8, 2017 at 7:50 pm #123889 Reply
      
      anonymous
      Guest
      
      Thank you very much!
      
      July 8, 2017 at 7:52 pm #123892 Reply
      
      Kirsty
      Da Boss
      
      Sadly, the hyperlinking change didn’t affect the 404 page not found error when trying to access rootsupd.exe. Even checking on search engines didn’t find a link that is currently working.
      
      July 8, 2017 at 7:55 pm #123894 Reply
      
      satrow
      AskWoody MVP
      
      It works fine for me, try refreshing the page with Ctrl held down and then try again?
      
      July 8, 2017 at 7:58 pm #123897 Reply
      
      Kirsty
      Da Boss
      
      No, that isn’t helping either… is there any chance it could be geo-blocked or some other oddity?
      
      July 8, 2017 at 8:22 pm #123906 Reply
      
      satrow
      AskWoody MVP
      
      Not if you’re getting a 404, I don’t think, doesn’t read like a routing issue either, strange. The URL doesn’t have any odd chars, spaces or anything?
      
      Try a middle-click or right-click > open in new tab… ?
      
      EDIT: it’s Shift + Refresh/Reload, sorry = forced refresh (reloads all the data for the page, instead of a normal refresh which would only reload the changed data, the rest it would load from disk cache).
      
      July 8, 2017 at 10:32 pm #123913 Reply
      
      Kirsty
      Da Boss
      
      Thanks, but giving it a bit of time let it “heal itself” without anything else needed – it’s working fine now. Just one of those things, I guess 😉
      
      1 user thanked author for this post.
      
      satrow
      
      July 8, 2017 at 8:24 pm #123907 Reply
      
      PKCano
      Da Boss
      
      I’m using Firefox 54.0.1 with AdBloc Plus, Disconnect and NoScript on a Mac, and it works OK for me. Maybe clean the cache and try again?
      
      1 user thanked author for this post.
      
      satrow
  - November 17, 2017 at 9:19 am #146050 Reply
    
    Rydan
    AskWoody Lounger
    
    As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
    You could get the trusted and untrusted sst files and import those.
    (there are different options)
    
    …
    
    Below I assume you have a C:\Temp (or make a location of your choice)
    
    Open a command Prompt; Run as Administrator
    untrusted:
    Run: certutil -syncwithwu c:\Temp
    It should say something like: added xxx files, updated xxx files / certutil completed successfully
    Check to see if disallowedcert.sst is created
    trusted:
    Run: certutil -generateSSTFromWU c:\Temp\authroot.sst
    It should say something like: updates sst file / certutil completed successfully
    (try again on memory error = uncommon)
    
    make 2 powershell scripts:
    1. discert.ps1
    [reflection.assembly]::LoadWithPartialName(“System.Security”)
    $certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
    $certs.import(“c:\temp\authroot.sst”)
    $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist “AuthRoot”, LocalMachine
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]”ReadWrite”)
    $store.AddRange($certs)
    2. authcert.ps1
    [reflection.assembly]::LoadWithPartialName(“System.Security”)
    $certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
    $certs.import(“c:\temp\disallowedcert.sst”)
    $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist “Disallowed”, LocalMachine
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]”ReadWrite”)
    $store.AddRange($certs)
    
    place those 2 scripts in C:\Temp
    Open a powershell command prompt as administrator (or start powershell in same prompt)
    Run: .\discert.ps1
    Run: .\authcert.ps1
    
    Check:
    Open MMC.exe
    Click ctrl+M
    Add the Certificates mmc and select Computer account
    Check if the changes that Microsoft provided are added to the Untrusted Certificates folder, Third Party Root Certificates Authorities folder
    List:
    https://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx
    
    Ref.
    https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
    https://social.technet.microsoft.com/wiki/contents/articles/33315.microsoft-trusted-root-certificate-program-portal.aspx
    https://technet.microsoft.com/library/dn265983.aspx
    https://blogs.technet.microsoft.com/vishalagarwal/2009/08/13/adding-certificates-for-a-serialized-store-sst-file-to-an-actual-physical-store/
    
    1 user thanked author for this post.
    
    owdrtn
  - April 23, 2019 at 5:22 am #829250 Reply
    
    owdrtn
    AskWoody Lounger
    
    Rydan wrote:
    
    As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
    You could get the trusted and untrusted sst files and import those.
    (there are different options)
    
    Awesome find @Rydan.. works flawless, thanks !
    Where have you found your way to the shell scripting of this ? I couldn’t find anything on that matter from the provided online docu.
    
    Thumbs up !!
    - April 23, 2019 at 8:21 am #838468 Reply
      
      owdrtn
      AskWoody Lounger
      
      @Rydan
      However, i’m not sure to understand why not simply download the two cab file “authrootstl.cab” & “disallowedcertstl.cab” @
      http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab & http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      
      Then just extract the two stl files from those and install both stl files using either:
      the right-click context menu "Install CTL"
      or certutil: certutil -addstore -f root authroot.stl disallowedcert.stl ?
      
      Also, how one would goes updating the “Trusted Publisher” & the “Intermediate CA” stores ? are those not relevent/applicable to update as well ?
  - April 23, 2019 at 8:32 am #839039 Reply
    
    access-mdb
    AskWoody MVP
    
    As this thread was started in July 2017, how relevant is it now?
    - April 23, 2019 at 11:54 am #847155 Reply
      
      EP
      AskWoody_MVP
      
      only owdrtn may answer that question
      
      the rootsupd.exe link from MS is now dead – always produce a 404 error message; I’ll get an archived version of the link from archive.org/web
- Author
  
  Posts
Viewing 4 reply threads

Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

Reply To: 1000003: Manually install the latest Microsoft root certs
You can use BBCodes to format your content.
Your account can't use Advanced BBCodes, they will be stripped before saving.

Cancel

Welcome to our unique respite from the madness.

It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.