• 1000003: Manually install the latest Microsoft root certs

    Home » Forums » Knowledge Base » 1000003: Manually install the latest Microsoft root certs

    Tags:

    Author
    Topic
    woody
    Manager
    February 4, 2017 at 5:38 pm #89555

    AKB1000003: Manually install the latest Microsoft root certs

    By VulturEMaN

    Published 4 Feb 2017 rev 1.0

    1. Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and save in c:\temp\

     2. Extract the files using the command c:\temp\rootsupd.exe /c /t:C:\temp\extroot

     3. from an elevated prompt run the following commands in this order:

     cd C:\temp\extroot\

     updroots.exe authroots.sst

     updroots.exe updroots.sst

     updroots.exe -l roots.sst

     updroots.exe -d delroots.sst

     

    Reply | Quote
    Viewing 3 reply threads
    Author
    Replies
    • anonymous
      Guest
      July 8, 2017 at 1:30 pm #123850

      The link in step 1 does not work. It comes back with a 404 File or directory not found error: “The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.” What is the correct links? Thanks.

      Reply | Quote
      • PKCano
        Manager
        July 8, 2017 at 3:47 pm #123868

        I will post when I have an answer.

        Reply | Quote
      • PKCano
        Manager
        July 8, 2017 at 7:28 pm #123884

        The link is now valid.

        1 user thanked author for this post.
        satrow
        Reply | Quote
        • anonymous
          Guest
          July 8, 2017 at 7:50 pm #123889

          Thank you very much!

          Reply | Quote
        • Kirsty
          Manager
          July 8, 2017 at 7:52 pm #123892

          Sadly, the hyperlinking change didn’t affect the 404 page not found error when trying to access rootsupd.exe. Even checking on search engines didn’t find a link that is currently working.

          Reply | Quote
        • satrow
          AskWoody MVP
          July 8, 2017 at 7:55 pm #123894

          It works fine for me, try refreshing the page with Ctrl held down and then try again?

          Reply | Quote
        • Kirsty
          Manager
          July 8, 2017 at 7:58 pm #123897

          No, that isn’t helping either… is there any chance it could be geo-blocked or some other oddity?

          Reply | Quote
        • satrow
          AskWoody MVP
          July 8, 2017 at 8:22 pm #123906

          Not if you’re getting a 404, I don’t think, doesn’t read like a routing issue either, strange. The URL doesn’t have any odd chars, spaces or anything?

          Try a middle-click or right-click > open in new tab… ?

          EDIT: it’s Shift + Refresh/Reload, sorry = forced refresh (reloads all the data for the page, instead of a normal refresh which would only reload the changed data, the rest it would load from disk cache).

          Reply | Quote
        • Kirsty
          Manager
          July 8, 2017 at 10:32 pm #123913

          Thanks, but giving it a bit of time let it “heal itself” without anything else needed – it’s working fine now. Just one of those things, I guess 😉

          1 user thanked author for this post.
          satrow
          Reply | Quote
        • PKCano
          Manager
          July 8, 2017 at 8:24 pm #123907

          I’m using Firefox 54.0.1 with AdBloc Plus, Disconnect and NoScript on a Mac, and it works OK for me. Maybe clean the cache and try again?

          1 user thanked author for this post.
          satrow
          Reply | Quote
    • Rydan
      AskWoody Lounger
      November 17, 2017 at 9:19 am #146050

      As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
      You could get the trusted and untrusted sst files and import those.
      (there are different options)

      Below I assume you have a C:\Temp (or make a location of your choice)

      Open a command Prompt; Run as Administrator
      untrusted:
      Run: certutil -syncwithwu  c:\Temp
      It should say something like: added xxx files, updated xxx files / certutil completed successfully
      Check to see if disallowedcert.sst is created
      trusted:
      Run: certutil -generateSSTFromWU c:\Temp\authroot.sst
      It should say something like: updates sst file / certutil completed successfully
      (try again on memory error = uncommon)

      make 2 powershell scripts:
      1. discert.ps1
      [reflection.assembly]::LoadWithPartialName(“System.Security”)
      $certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
      $certs.import(“c:\temp\authroot.sst”)
      $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist “AuthRoot”, LocalMachine
      $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]”ReadWrite”)
      $store.AddRange($certs)
      2. authcert.ps1
      [reflection.assembly]::LoadWithPartialName(“System.Security”)
      $certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
      $certs.import(“c:\temp\disallowedcert.sst”)
      $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist “Disallowed”, LocalMachine
      $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]”ReadWrite”)
      $store.AddRange($certs)

      place those 2 scripts in C:\Temp
      Open a powershell command prompt as administrator (or start powershell in same prompt)
      Run: .\discert.ps1
      Run: .\authcert.ps1

      Check:
      Open MMC.exe
      Click ctrl+M
      Add the Certificates mmc and select Computer account
      Check if the changes that Microsoft provided are added to the Untrusted Certificates folder, Third Party Root Certificates Authorities folder
      List:
      https://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx

      Ref.
      https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
      https://social.technet.microsoft.com/wiki/contents/articles/33315.microsoft-trusted-root-certificate-program-portal.aspx
      https://technet.microsoft.com/library/dn265983.aspx
      https://blogs.technet.microsoft.com/vishalagarwal/2009/08/13/adding-certificates-for-a-serialized-store-sst-file-to-an-actual-physical-store/

      2 users thanked author for this post.
      abbodi86, owdrtn
      Reply | Quote
    • owdrtn
      AskWoody Lounger
      April 23, 2019 at 5:22 am #829250
      Rydan wrote:

      As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
      You could get the trusted and untrusted sst files and import those.
      (there are different options)

      Awesome find @Rydan.. works flawless, thanks !
      Where have you found your way to the shell scripting of this ? I couldn’t find anything on that matter from the provided online docu.

      Thumbs up !!

      Reply | Quote
    • access-mdb
      AskWoody MVP
      April 23, 2019 at 8:32 am #839039

      As this thread was started in July 2017, how relevant is it now?

      Every day is the dawn of a new error

      Reply | Quote
      • EP
        AskWoody_MVP
        April 23, 2019 at 11:54 am #847155

        only owdrtn may answer that question

        the rootsupd.exe link from MS is now dead – always produce a 404 error message; I’ll get an archived version of the link from archive.org/web

        Reply | Quote
    Viewing 3 reply threads
    Reply To: 1000003: Manually install the latest Microsoft root certs

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

DON'T MISS OUT!
Subscribe to the AskWoody Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • All Forums

    • Recent Topics

    My Profile

    May 2022
    S M T W T F S
    1234567
    891011121314
    15161718192021
    22232425262728
    293031  

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2022 by AskWoody Tech LLC. All Rights Reserved.