Updating root certificates

by Mitch Tulloch [Published on 29 Aug. 2011 / Last Updated on 29 Aug. 2011]

How to determine what root certificates are supported by Windows.

Windows supports many root (CA) certificates from different publishers, but it downloads and installs only the ones it actually needs into the certificate store. If you plan on purchasing digital certificates for your IIS servers, first check that the certificate you intend to buy will be trusted on Windows platforms.

To determine which root certificates are available for download by Windows, see the list of Windows Root Certificate Program Members, available from http://download.microsoft.com/download/1/4/f/14f7067b-69d3-473a-ba5e-70d04aea5929/windows%20root%20certificate%20program%20members%20november%202009.pdf. When Windows needs to install a new root certificate from this list, it opens a connection to Windows Update, downloads the root certificate it needs, and logs events with source CAPI2 and IDs 4100 and 4097 in the Windows Event logs. After installing the certificate you purchased on your Web servers, check this log to make sure Windows has downloaded the root certificate needed to trust the certificate you purchased.
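One way to run the check described above from PowerShell, as an added example that is not part of the original tip. It assumes the events are written to the Application log under the provider name Microsoft-Windows-CAPI2 and that the event message quotes the root's thumbprint; the certificate path is a placeholder.

```powershell
# Added example: confirm that the root for a purchased certificate is trusted
# and find the CAPI2 events (IDs 4097, 4100) logged when Windows fetched it.
param(
    [string]$CertPath = 'C:\certs\webserver.cer',  # placeholder path, not from the article
    [int]$Days = 7                                 # how far back to search the log
)

# Build the chain for the purchased certificate and take its last element.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # only trust is being tested here
$trusted = $chain.Build($cert)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# A partial chain ends in a certificate that is not self-signed.
$isRoot = $top.Subject -eq $top.Issuer

# Look for that certificate in the machine's root stores.
$inStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint })

# Assumption: the events are in the Application log under this provider name.
$events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4097, 4100
    StartTime    = (Get-Date).AddDays(-$Days)
})

# Assumption: the event message quotes the root's thumbprint without spaces.
$matching = @($events | Where-Object { $_.Message -match $top.Thumbprint })

[pscustomobject]@{
    Subject       = $cert.Subject
    ChainTrusted  = $trusted
    TopOfChain    = $top.Subject
    IsSelfSigned  = $isRoot
    Thumbprint    = $top.Thumbprint
    InRootStore   = $inStore
    Capi2Events   = $events.Count
    EventsForRoot = $matching.Count
} | Format-List

# Show the events themselves for manual review.
$events | Sort-Object TimeCreated | Format-List TimeCreated, Id, Message
```

If `ChainTrusted` is false or `IsSelfSigned` is false, the chain did not reach a trusted root, so review the listed events and the server's access to Windows Update before putting the certificate into production.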

If you have feedback concerning this tip, please email me. And be sure to check out my website!

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .
