Gandalf_The_Grey
Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,281
Full article with screenshot and how-to:As of today, Windows trusts 322 root certificates issued by 122 different organizations from 47 countries. This number is quite high, and has been steadily growing over the last few years. And it turns out many of those certificates are not needed at all by the vast majority of Windows users, can be distrusted with no ill effects of any sort.
Each of these CAs is given tremendous power over your Internet traffic, so it makes great sense to minimize the number of CAs your computer trusts. One simple way to achieve this goal is to replace the default Windows list of root CAs with the much stricter Mozilla trust list, which includes 142 roots (52 organizations - 21 countries). An even stricter option is using the Google CTL, which currently includes just 127 root certificates (48 organizations - 21 countries). For the vast majority of users, applying either set is a great way to reduce your exposure to unnecessary CAs, with no negative impact whatsoever.
Replacing the default Windows list of root CAs with the Mozilla or Google trust lists can be done manually, but is extremely time-consuming and error prone. The free version of RootIQ(*) offers a much simpler way to perform this system change.
As of this writing, on a standard Windows 10 system, you will end up with 145 trusted roots (rather than 322 roots for the default Microsoft CTL)
(*) RootIQ, our own root certificate manager for Windows, is now available. A free version of RootIQ is available for home and evaluation use
You don't need all those root certificates
As of today, Windows trusts 322 root certificates issued by 122 different organizations from 47 countries. This number is quite high, and has been steadily growing over the last few years. And it turns out many of those certificates are not needed at all by the vast majority of Windows users...
hexatomium.github.io