
I was just looking at my certificate store and saw a bunch of root CAs that look kind of suspicious; specifically numerous ones that:

  • have ALL CAPS text
  • use foreign languages/text
  • have extremely long expiration dates
  • include every certificate purpose possible

I strongly believe that some of these are bad (the Intermediate CA list looks clean; only the Root CA list looks bad). However, there are enough certificates in the store to make investigating each one a real chore. (I see in the Event Log that Windows has not auto-updated the trusted third-party root list for over two weeks.)

Does anyone know of a way to verify certificates and weed out the bad ones (or at least to manually trigger an update)?

Synetech

2 Answers

You can quickly find out which ones weren't included originally by running sigcheck (sigcheck.exe -tv *), which compares the root CAs on your local computer against a list it downloads from Microsoft. Then it outputs the difference. Those certs which didn't come from Microsoft must have been introduced by yourself or a piece of software (i.e. antivirus for SSL inspection). In my case there was only one I didn't recognize, and I immediately disabled it.

darmual

You can have a look at Debian's list of certificates, and weed out the ones that are not there; then apply the latest Microsoft CA update and add the ones you have installed manually. But as Debian says:

Please note that certificate authorities whose certificates are included in this package are not in any way audited for trustworthiness and RFC 3647 compliance, and that full responsibility to assess them belongs to the local system administrator.

tricasse
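A triage script that ties both answers together, added here as an example and not code from either answer or from the sigcheck tool: it fetches Microsoft's current trusted-root list with the built-in certutil.exe (the same comparison the first answer performs with sigcheck, done without a third-party download), then applies the four heuristics from the question to every root in the machine and user stores and reports which certificates trip which check. The function name, the 25-year validity threshold and the temporary .sst path are my assumptions; run it from an elevated PowerShell session on a machine with internet access.

```powershell
# Added example, not from the original answers. Assumes Windows PowerShell with
# built-in certutil.exe and an elevated session. Thresholds and paths are assumptions.
function Get-RootCaTriage {
    param(
        [int]$MaxValidityYears = 25,                 # assumed threshold for "extremely long expiration"
        [string]$MsRootsSst = "$env:TEMP\WURoots.sst" # assumed scratch path for the downloaded list
    )

    # 1. Download Microsoft's current trusted-root list as a serialized store (.sst).
    #    This only downloads the list for comparison; it does not modify any local store.
    certutil.exe -generateSSTFromWU $MsRootsSst | Out-Null
    if (-not (Test-Path $MsRootsSst)) { throw "certutil did not produce $MsRootsSst" }

    $msRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $msRoots.Import($MsRootsSst)
    $msThumbs = @{}
    foreach ($c in $msRoots) { $msThumbs[$c.Thumbprint] = $true }

    # 2. Enumerate roots trusted for the whole machine and for the current user.
    $localRoots = @(Get-ChildItem Cert:\LocalMachine\Root) + @(Get-ChildItem Cert:\CurrentUser\Root)

    # 3. Apply the question's heuristics plus the "not in Microsoft's list" check.
    foreach ($cert in $localRoots) {
        $flags = @()
        $name  = $cert.GetNameInfo('SimpleName', $false)

        if (-not $msThumbs.ContainsKey($cert.Thumbprint)) { $flags += 'NotInMicrosoftList' }

        # Extremely long expiration date relative to today.
        if ($cert.NotAfter -gt (Get-Date).AddYears($MaxValidityYears)) { $flags += 'LongValidity' }

        # Foreign-language text: any non-ASCII character in the subject.
        if ($cert.Subject -match '[^\x00-\x7F]') { $flags += 'NonAsciiSubject' }

        # ALL CAPS: the name has letters and none of them are lowercase (case-sensitive match).
        if ($name -cmatch '[A-Z]' -and $name -cnotmatch '[a-z]') { $flags += 'AllCapsName' }

        # Every purpose: a root with no Enhanced Key Usage extension is valid for all purposes,
        # which the Certificates MMC displays as "<All>".
        $hasEku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $hasEku) { $flags += 'AllPurposes' }

        [pscustomobject]@{
            Store      = $cert.PSParentPath -replace '.*::', ''
            Name       = $name
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Flags      = ($flags -join ',')
        }
    }
}

# Usage: show only roots that tripped at least one check, most-flagged first.
Get-RootCaTriage |
    Where-Object { $_.Flags } |
    Sort-Object { ($_.Flags -split ',').Count } -Descending |
    Format-Table Store, Name, NotAfter, Flags -AutoSize
```

Read the output as a worklist rather than a verdict: 'NotInMicrosoftList' is the strongest signal and corresponds to what sigcheck -tv reports, while the other four flags only reproduce the question's visual heuristics, and legitimate Microsoft-distributed roots can trip several of them (many have no EKU extension and upper-case or non-English subjects). A root that carries 'NotInMicrosoftList' and that you cannot trace to software you installed (for example, an antivirus product's SSL inspection certificate or a corporate CA pushed by group policy) is the one worth investigating, exporting for records and then disabling, as the first answer describes.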