Trusted Root&Intermediate system certificates. Where check the list?

[userwin]

Trusted Root&Intermediate system certificates. Where check the list?

Hi.

We have many trusted root and intermediate certificates in the cert's store by default. Where to check these lists? To exclude "not default", "maybe potentially mаlware" root certs.

 

[townsbg]

You can find certs as shown in the guide here: https://www.sslshopper.com/move-or-...windows-server-to-another-windows-server.html

 

[userwin]

Thanks, but I don't need "Move or copy an SSL certificate from a Windows server to another Windows server".
I want to check (to examine) the lists of all trusted root and intermediate certs that installed by default in the system. How can I do this? Is it possible? Is there any official web-page on microsoft.com with lists of all provided by default root certs and their description?

 

[townsbg]

None that I know of. That page shows where to go examine certs which is what I thought you wanted. If you see a suspicious cert try googling it but generally you shouldn't have to worry about certs unless you are a web admin. They are harmless and only used by the OS for encrypting information over the web and if you start removing them you could end up with website authentication issues. Due to the number of websites I doubt that Microsoft keeps any such lists.

 

[userwin]

Due to the number of websites I doubt that Microsoft keeps any such lists.

I speak about trusted root certs. For example I have only 56 now. That's why i think there is no technical problem to publicate such list.

 

[userwin]

I'll explain in detail... We have preinstalled root certs in the system which came with OS and maybe some new through updates. But it's a security question, because any person who have local access to the computer and of course admin rights and even software can add a root cert to the store. And after that for example all web-server's certificates which signed with this root cert will be trusted! It's potentially dangerous and that's why i think microsoft must publicate officially this list on it's web-site .

 

[townsbg]

I'm not sure how to answer your question or even what you are concerned with. Perhaps this will help though.

Windows and Windows Phone 8 SSL Root Certificate Program (Member CAs) - TechNet Articles - United States (English) - TechNet Wiki

Unless you are a webadmin I really don't see why you need to worry abput certs.

 

[oneeyed]

You are right, and there is indeed such a list : Trusted root certificates that are required by Windows Server 2008 R2, by Windows 7, by Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows XP, and by Windows 2000

This the absolute minimum required for compatibility.

Windows updates do add to this list from time to time though, ex : How to get a Root Certificate update for Windows

 

[userwin]

I'm not sure how to answer your question or even what you are concerned with. Perhaps this will help though.

Windows and Windows Phone 8 SSL Root Certificate Program (Member CAs) - TechNet Articles - United States (English) - TechNet Wiki

Thanks, I also already found this and info about "Microsoft Root Certificate Program" and "How Update Root Certificates Communicates with Sites on the Internet"

Not a question but...The Update Root Certificates feature sends a request by HTTP? Certificate Support and Resulting Internet Communication in Windows Vista Why not by httpS? It's insecure!

Unless you are a webadmin I really don't see why you need to worry abput certs.

See above. I think clients must also worry about root certs if they worry about security.

 

[userwin]

Windows updates do add to this list from time to time though, ex : How to get a Root Certificate update for Windows

insecure update Why?

 

[userwin]

I was mistaken above I found here CTL.
But how The Update Root Certificates feature sends a request by http o httpS is still a question!