  • 1000003: Manually install the latest Microsoft root certs

      • #89555 Reply
        woody
        Da Boss

        AKB1000003: Manually install the latest Microsoft root certs

        By VulturEMaN

        Published 4 Feb 2017 rev 1.0

        1. Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and save in c:\temp\

         2. Extract the files using the command c:\temp\rootsupd.exe /c /t:C:\temp\extroot

         3. From an elevated prompt, run the following commands in this order:

         cd C:\temp\extroot\

         updroots.exe authroots.sst

         updroots.exe updroots.sst

         updroots.exe -l roots.sst

         updroots.exe -d delroots.sst

         

      • #123850 Reply
        anonymous
        Guest

        The link in step 1 does not work. It comes back with a 404 File or directory not found error: “The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.” What is the correct link? Thanks.

        • #123868 Reply
          PKCano
          Da Boss

          I will post when I have an answer.

        • #123884 Reply
          PKCano
          Da Boss

          The link is now valid.

          1 user thanked author for this post.
          • #123889 Reply
            anonymous
            Guest

            Thank you very much!

          • #123892 Reply
            Kirsty
            Da Boss

            Sadly, the hyperlinking change didn’t affect the 404 page not found error when trying to access rootsupd.exe. Even checking on search engines didn’t find a link that is currently working.

            • #123894 Reply
              satrow
              AskWoody MVP

              It works fine for me, try refreshing the page with Ctrl held down and then try again?

              • #123897 Reply
                Kirsty
                Da Boss

                No, that isn’t helping either… is there any chance it could be geo-blocked or some other oddity?

              • #123906 Reply
                satrow
                AskWoody MVP

                Not if you’re getting a 404, I don’t think, doesn’t read like a routing issue either, strange. The URL doesn’t have any odd chars, spaces or anything?

                Try a middle-click or right-click > open in new tab… ?

                EDIT: it’s Shift + Refresh/Reload, sorry = forced refresh (reloads all the data for the page, instead of a normal refresh which would only reload the changed data, the rest it would load from disk cache).

              • #123913 Reply
                Kirsty
                Da Boss

                Thanks, but giving it a bit of time let it “heal itself” without anything else needed – it’s working fine now. Just one of those things, I guess 😉

                1 user thanked author for this post.
            • #123907 Reply
              PKCano
              Da Boss

              I’m using Firefox 54.0.1 with Adblock Plus, Disconnect and NoScript on a Mac, and it works OK for me. Maybe clean the cache and try again?

              1 user thanked author for this post.
      • #146050 Reply
        Rydan
        AskWoody Lounger

        As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
        You could get the trusted and untrusted sst files and import those.
        (there are different options)

        Below I assume you have a C:\Temp (or make a location of your choice)

        Open a command Prompt; Run as Administrator
        untrusted:
        Run: certutil -syncwithwu  c:\Temp
        It should say something like: added xxx files, updated xxx files / certutil completed successfully
        Check to see if disallowedcert.sst is created
        trusted:
        Run: certutil -generateSSTFromWU c:\Temp\authroot.sst
        It should say something like: updates sst file / certutil completed successfully
        (try again on memory error = uncommon)

        Make 2 PowerShell scripts:
        1. discert.ps1
        # Imports the trusted roots from authroot.sst into the LocalMachine AuthRoot store
        Add-Type -AssemblyName System.Security
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $certs.Import("c:\temp\authroot.sst")
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "AuthRoot", "LocalMachine"
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
        $store.AddRange($certs)
        $store.Close()   # release the store handle once the import is done
        2. authcert.ps1
        # Imports the untrusted certificates from disallowedcert.sst into the LocalMachine Disallowed store
        Add-Type -AssemblyName System.Security
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $certs.Import("c:\temp\disallowedcert.sst")
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Disallowed", "LocalMachine"
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
        $store.AddRange($certs)
        $store.Close()   # release the store handle once the import is done

        place those 2 scripts in C:\Temp
        Open a powershell command prompt as administrator (or start powershell in same prompt)
        Run: .\discert.ps1
        Run: .\authcert.ps1

        Check:
        Open MMC.exe
        Click ctrl+M
        Add the Certificates mmc and select Computer account
        Check if the changes that Microsoft provided are added to the Untrusted Certificates folder, Third Party Root Certificates Authorities folder
        List:
        https://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx

        Ref.
        https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
        https://social.technet.microsoft.com/wiki/contents/articles/33315.microsoft-trusted-root-certificate-program-portal.aspx
        https://technet.microsoft.com/library/dn265983.aspx
        https://blogs.technet.microsoft.com/vishalagarwal/2009/08/13/adding-certificates-for-a-serialized-store-sst-file-to-an-actual-physical-store/

        2 users thanked author for this post.
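A read-only check that can be run before the two import scripts in the post above, listing which certificates each SST file would add to the machine store. This is an added example, not part of the original post; the function name Compare-SstToStore is hypothetical, and it assumes the two SST files were already produced in C:\Temp by the certutil commands above.

```powershell
# Added example: dry-run comparison of an SST file against a LocalMachine store.
# Paths and store names follow the post above; the function name is hypothetical.
function Compare-SstToStore {
    param(
        [Parameter(Mandatory)] [string] $SstPath,
        [Parameter(Mandatory)] [string] $StoreName   # e.g. AuthRoot or Disallowed
    )

    if (-not (Test-Path -LiteralPath $SstPath)) {
        throw "SST file not found: $SstPath"
    }

    # Load the serialized store into memory only; nothing is written to any store.
    $incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $incoming.Import($SstPath)

    # Open the machine store read-only so the check cannot modify trust settings.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $present = @{}
        foreach ($c in $store.Certificates) { $present[$c.Thumbprint] = $true }
    }
    finally {
        $store.Close()
    }

    # Emit one object per certificate that the import would add.
    foreach ($c in $incoming) {
        if (-not $present.ContainsKey($c.Thumbprint)) {
            [pscustomobject]@{
                Store      = $StoreName
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                NotAfter   = $c.NotAfter
                Expired    = ($c.NotAfter -lt (Get-Date))
            }
        }
    }
}

Compare-SstToStore -SstPath 'C:\Temp\authroot.sst'       -StoreName 'AuthRoot'   | Format-Table -AutoSize
Compare-SstToStore -SstPath 'C:\Temp\disallowedcert.sst' -StoreName 'Disallowed' | Format-Table -AutoSize
```

Saving the output (for example with Export-Csv) gives a record of exactly which trust anchors and disallowed entries changed on the machine.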
      • #829250 Reply
        owdrtn
        AskWoody Lounger

        As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
        You could get the trusted and untrusted sst files and import those.
        (there are different options)

        Awesome find @Rydan.. works flawlessly, thanks!
        Where did you find your way to the shell scripting of this? I couldn’t find anything on that matter in the provided online documentation.

        Thumbs up !!

      • #839039 Reply
        access-mdb
        AskWoody MVP

        As this thread was started in July 2017, how relevant is it now?

        • #847155 Reply
          EP
          AskWoody_MVP

          only owdrtn may answer that question

          the rootsupd.exe link from MS is now dead – it always produces a 404 error message; I’ll get an archived version of the link from archive.org/web
