You don't need all those root certificates

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,281
As of today, Windows trusts 322 root certificates issued by 122 different organizations from 47 countries. This number is quite high, and has been steadily growing over the last few years. And it turns out many of those certificates are not needed at all by the vast majority of Windows users, can be distrusted with no ill effects of any sort.

Each of these CAs is given tremendous power over your Internet traffic, so it makes great sense to minimize the number of CAs your computer trusts. One simple way to achieve this goal is to replace the default Windows list of root CAs with the much stricter Mozilla trust list, which includes 142 roots (52 organizations - 21 countries). An even stricter option is using the Google CTL, which currently includes just 127 root certificates (48 organizations - 21 countries). For the vast majority of users, applying either set is a great way to reduce your exposure to unnecessary CAs, with no negative impact whatsoever.

Replacing the default Windows list of root CAs with the Mozilla or Google trust lists can be done manually, but is extremely time-consuming and error prone. The free version of RootIQ(*) offers a much simpler way to perform this system change.

As of this writing, on a standard Windows 10 system, you will end up with 145 trusted roots (rather than 322 roots for the default Microsoft CTL)

(*) RootIQ, our own root certificate manager for Windows, is now available. A free version of RootIQ is available for home and evaluation use
Full article with screenshot and how-to:
What is your opinion on this?
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
GOOD. The fewer the certs, the less likelihood of ending up with one of those annoying event id 64--"your certificate w/thumbprint blah blah is ready to expire or has expired..." and you can't find the thing anywhere, not even with certmgr.msc.

One of these ancient features of Microsoft's that was in dire need of a refresh. Better late than never.
 
F

ForgottenSeer 85179

Expired Windows certificates must not be deleted

If one enters certificates in the Windows search, then "Manage computer certificates" are displayed, which require every Windows version, regardless of whether Windows 10, 8.1 or 7. The expiry date of the certificates is also displayed here.

Certificates are used for authentication and authorisation, i.e. for the security of the computer. This includes certificates that have already expired or will expire on 31 December 2020. These must not be deleted under any circumstances. In response to a request from Bleepingcomputer, Microsoft sent a link that is only described for Windows 7 and below, but is also valid for Windows 10.



Deleting such certificates can lead to Windows no longer working correctly. So if you are bored in the next few days and want to clean up your computer, simply steer clear of these certificates. Microsoft itself writes in the article:

Some certificates listed in the previous tables have expired. However, these certificates are required for backwards compatibility. Even if there is an expired trusted root certificate, the trusted root certificate must be validated for anything signed using that certificate before the expiry date. As long as expired certificates are not revoked, they can be used to validate anything signed before their expiry date.
Abgelaufene Windows Zertifikate darf man nicht löschen | Deskmodder.de
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top