Topic: 1000003: Manually install the latest Microsoft root certs @ AskWoody

1000003: Manually install the latest Microsoft root certs
Home » Forums » Knowledge Base » 1000003: Manually install the latest Microsoft root certs
- This topic has 15 replies, 9 voices, and was last updated 4 years, 1 month ago.
Tags: root cert update
Author

Topic
New Reply
woody
Manager

February 4, 2017 at 5:38 pm #89555
Options

Reply
Quote

AKB1000003: Manually install the latest Microsoft root certs

By VulturEMaN

Published 4 Feb 2017 rev 1.0

1. Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and save in c:\temp\

2. Extract the files using the command c:\temp\rootsupd.exe /c /t:C:\temp\extroot

3. from an elevated prompt run the following commands in this order:

cd C:\temp\extroot\

updroots.exe authroots.sst

updroots.exe updroots.sst

updroots.exe -l roots.sst

updroots.exe -d delroots.sst

Reply | Quote
Viewing 3 reply threads
Author

Replies
- anonymous
  Guest
  
  July 8, 2017 at 1:30 pm #123850
  Options
  
  Reply
  Quote
  
  The link in step 1 does not work. It comes back with a 404 File or directory not found error: “The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.” What is the correct links? Thanks.
  
  Reply | Quote
- PKCano
  Manager
  
  July 8, 2017 at 3:47 pm #123868
  Options
  
  Reply
  Quote
  
  I will post when I have an answer.
  
  Reply | Quote
  
  PKCano
  Manager
  
  July 8, 2017 at 7:28 pm #123884
  Options
  
  Reply
  Quote
  
  The link is now valid.
  
  1 user thanked author for this post.
  
  satrow
  
  Reply | Quote
  
  anonymous
  Guest
  
  July 8, 2017 at 7:50 pm #123889
  Options
  
  Reply
  Quote
  
  Thank you very much!
  
  Reply | Quote
  
  Kirsty
  Manager
  
  July 8, 2017 at 7:52 pm #123892
  Options
  
  Reply
  Quote
  
  Sadly, the hyperlinking change didn’t affect the 404 page not found error when trying to access rootsupd.exe. Even checking on search engines didn’t find a link that is currently working.
  
  Reply | Quote
  
  satrow
  AskWoody MVP
  
  July 8, 2017 at 7:55 pm #123894
  Options
  
  Reply
  Quote
  
  It works fine for me, try refreshing the page with Ctrl held down and then try again?
  
  Reply | Quote
  
  Kirsty
  Manager
  
  July 8, 2017 at 7:58 pm #123897
  Options
  
  Reply
  Quote
  
  No, that isn’t helping either… is there any chance it could be geo-blocked or some other oddity?
  
  Reply | Quote
  
  satrow
  AskWoody MVP
  
  July 8, 2017 at 8:22 pm #123906
  Options
  
  Reply
  Quote
  
  Not if you’re getting a 404, I don’t think, doesn’t read like a routing issue either, strange. The URL doesn’t have any odd chars, spaces or anything?
  
  Try a middle-click or right-click > open in new tab… ?
  
  EDIT: it’s Shift + Refresh/Reload, sorry = forced refresh (reloads all the data for the page, instead of a normal refresh which would only reload the changed data, the rest it would load from disk cache).
  
  Reply | Quote
  
  Kirsty
  Manager
  
  July 8, 2017 at 10:32 pm #123913
  Options
  
  Reply
  Quote
  
  Thanks, but giving it a bit of time let it “heal itself” without anything else needed – it’s working fine now. Just one of those things, I guess 😉
  
  1 user thanked author for this post.
  
  satrow
  
  Reply | Quote
  
  PKCano
  Manager
  
  July 8, 2017 at 8:24 pm #123907
  Options
  
  Reply
  Quote
  
  I’m using Firefox 54.0.1 with AdBloc Plus, Disconnect and NoScript on a Mac, and it works OK for me. Maybe clean the cache and try again?
  
  1 user thanked author for this post.
  
  satrow
  
  Reply | Quote
- Rydan
  AskWoody Lounger
  
  November 17, 2017 at 9:19 am #146050
  Options
  
  Reply
  Quote
  
  As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
  You could get the trusted and untrusted sst files and import those.
  (there are different options)
  
  …
  
  Below I assume you have a C:\Temp (or make a location of your choice)
  
  Open a command Prompt; Run as Administrator
  untrusted:
  Run: certutil -syncwithwu c:\Temp
  It should say something like: added xxx files, updated xxx files / certutil completed successfully
  Check to see if disallowedcert.sst is created
  trusted:
  Run: certutil -generateSSTFromWU c:\Temp\authroot.sst
  It should say something like: updates sst file / certutil completed successfully
  (try again on memory error = uncommon)
  
  make 2 powershell scripts:
  1. discert.ps1
  [reflection.assembly]::LoadWithPartialName(“System.Security”)
  $certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
  $certs.import(“c:\temp\authroot.sst”)
  $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist “AuthRoot”, LocalMachine
  $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]”ReadWrite”)
  $store.AddRange($certs)
  2. authcert.ps1
  [reflection.assembly]::LoadWithPartialName(“System.Security”)
  $certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
  $certs.import(“c:\temp\disallowedcert.sst”)
  $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist “Disallowed”, LocalMachine
  $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]”ReadWrite”)
  $store.AddRange($certs)
  
  place those 2 scripts in C:\Temp
  Open a powershell command prompt as administrator (or start powershell in same prompt)
  Run: .\discert.ps1
  Run: .\authcert.ps1
  
  Check:
  Open MMC.exe
  Click ctrl+M
  Add the Certificates mmc and select Computer account
  Check if the changes that Microsoft provided are added to the Untrusted Certificates folder, Third Party Root Certificates Authorities folder
  List:
  https://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx
  
  Ref.
  https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
  https://social.technet.microsoft.com/wiki/contents/articles/33315.microsoft-trusted-root-certificate-program-portal.aspx
  https://technet.microsoft.com/library/dn265983.aspx
  https://blogs.technet.microsoft.com/vishalagarwal/2009/08/13/adding-certificates-for-a-serialized-store-sst-file-to-an-actual-physical-store/
  
  2 users thanked author for this post.
  
  abbodi86, owdrtn
  
  Reply | Quote
- owdrtn
  AskWoody Lounger
  
  April 23, 2019 at 5:22 am #829250
  Options
  
  Reply
  Quote
  
  Rydan wrote:
  
  As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
  You could get the trusted and untrusted sst files and import those.
  (there are different options)
  
  Awesome find @Rydan.. works flawless, thanks !
  Where have you found your way to the shell scripting of this ? I couldn’t find anything on that matter from the provided online docu.
  
  Thumbs up !!
  
  Reply | Quote
- owdrtn
  AskWoody Lounger
  
  April 23, 2019 at 8:21 am #838468
  Options
  
  Reply
  Quote
  
  @Rydan
  However, i’m not sure to understand why not simply download the two cab file “authrootstl.cab” & “disallowedcertstl.cab” @
  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab & http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  
  Then just extract the two stl files from those and install both stl files using either:
  the right-click context menu "Install CTL"
  or certutil: certutil -addstore -f root authroot.stl disallowedcert.stl ?
  
  Also, how one would goes updating the “Trusted Publisher” & the “Intermediate CA” stores ? are those not relevent/applicable to update as well ?
  
  Reply | Quote
- access-mdb
  AskWoody MVP
  
  April 23, 2019 at 8:32 am #839039
  Options
  
  Reply
  Quote
  
  As this thread was started in July 2017, how relevant is it now?
  
  Eliminate spare time: start programming PowerShell
  
  Reply | Quote
- EP
  AskWoody_MVP
  
  April 23, 2019 at 11:54 am #847155
  Options
  
  Reply
  Quote
  
  only owdrtn may answer that question
  
  the rootsupd.exe link from MS is now dead – always produce a 404 error message; I’ll get an archived version of the link from archive.org/web
  
  Reply | Quote
Viewing 3 reply threads

Reply To: 1000003: Manually install the latest Microsoft root certs
You can use BBCodes to format your content.
Your account can't use all available BBCodes, they will be stripped before saving.

Your information:
Name (required):

Mail (will not be published) (required):

Website:

Cancel

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.

Welcome to our unique respite from the madness.

It's easy to post questions about Windows 11, Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.

1000003: Manually install the latest Microsoft root certs

1 user thanked author for this post.

1 user thanked author for this post.

1 user thanked author for this post.

2 users thanked author for this post.

Plus Membership

Search Newsletters

Search Forums

View the Forum

Search for Topics

Recent Topics

Recent blog posts

Key Links

1000003: Manually install the latest Microsoft root certs

1 user thanked author for this post.

1 user thanked author for this post.

1 user thanked author for this post.

2 users thanked author for this post.

Plus Membership

Search Newsletters

Search Forums

View the Forum

Search for Topics

Recent Topics

Recent blog posts

Login and Registration

Key Links