Updating root certificates

by Mitch Tulloch [Published on 29 Aug. 2011 / Last Updated on 29 Aug. 2011]

How to determine what root certificates are supported by Windows.

Windows supports a lot of different root (CA) certificates from different publishers, but only those that are needed are downloaded and installed in the certificate store. If you plan on purchasing digital certificates for your IIS servers, it's a good idea to check first to see if the certificate you plan on purchasing will be trusted on Windows platforms.

To determine what root certificates are available for download by Windows, see the list of Windows Root Certificate Program Members available from http://download.microsoft.com/download/1/4/f/14f7067b-69d3-473a-ba5e-70d04aea5929/windows%20root%20certificate%20program%20members%20november%202009.pdf. When Windows needs to install a new root certificate from this list, it opens a connection to Windows Update and downloads the root certificate it needs and logs events with source CAPI2 and IDs 4100 and 4097 in the Windows Event logs. After installing the certificate you purchased on your Web servers, check this log to make sure Windows has downloaded the root certificate needed to trust the certificate you purchased.

If you have feedback concerning this tip, please email me. And be sure to check out my website!

See Also

The Author — Mitch Tulloch

Mitch Tulloch is a well-known expert on Windows Server administration and cloud computing technologies. He has published over a thousand articles on information technology topics and has written, contributed to or been series editor for over 50 books.

Featured Links