Applies To: Windows Server (All supported versions), Windows clients, Azure Stack HCI.
The Microsoft Root Certificate Program enables distribution of trusted and untrusted root certificates within Windows operating systems. For more information about the list of members in the Windows Root Certificate Program, see List of Participants - Microsoft Trusted Root Program.
Trusted and untrusted root certificates are used by Windows operating systems and applications as a reference when determining whether public key infrastructure (PKI) hierarchies and digital certificates are trustworthy. Untrusted root certificates are certificates that are publicly known to be fraudulent. Trusted and untrusted root certificate functionality works across all environments, whether connected or disconnected.
Trusted and untrusted root certificates are contained in a certificate trust list (CTL). When you want to distribute root certificates, you use a CTL. Windows Server features automatic daily update functionality that includes downloads of the latest CTLs. The lists of trusted and untrusted root certificates are called the Trusted CTL and the Untrusted CTL, respectively. For more information, see Announcing the automated updater of untrustworthy certificates and keys.
Servers and clients access the Windows Update site to update the CTL using the automatic daily update mechanism (CTL updater) discussed in this article. You can take advantage of CTL updater functionality by installing the appropriate software updates. See the article Configure Trusted Roots and Disallowed Certificates for guidance on installing the software updates on the supported operating systems discussed in this article.
Automatic certificate trust list updates
By default, Windows downloads the CTLs from the Internet via an automatic mechanism called the CTL Updater. The public URLs used by the CTL Updater can be made available to clients:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Automatic update functionality can also be disabled if necessary, although this isn't recommended.
Alternatively, you can create a Group Policy administrative template (ADMX policy) to redirect clients to an internal server for updates.
Trusted and untrusted CTLs are stored at the following registry locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\EncodedCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertEncodedCtl
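As an added example (not part of the Microsoft article), the following PowerShell check reads the two registry values above and confirms that each stored CTL is a Microsoft-signed PKCS#7 message whose signature still verifies, which is a quick way to tell whether the CTL Updater has ever run on a host and whether the cached lists are intact. It assumes only the .NET SignedCms class that ships with Windows PowerShell 5.1 and the Microsoft CTL content-type OID 1.3.6.1.4.1.311.10.1; it does not contact Windows Update.

```powershell
# Added example, not from the Microsoft article: inspect the cached CTL blobs
# written by the CTL Updater and verify their PKCS#7 signatures offline.
Add-Type -AssemblyName System.Security   # provides System.Security.Cryptography.Pkcs.SignedCms

$ctlKey    = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$ctlValues = [ordered]@{
    'Trusted CTL'   = 'EncodedCtl'                 # registry value named in the article
    'Untrusted CTL' = 'DisallowedCertEncodedCtl'   # registry value named in the article
}
$ctlContentType = '1.3.6.1.4.1.311.10.1'           # szOID_CTL: PKCS#7 content type for a CTL

foreach ($listName in $ctlValues.Keys) {
    $valueName = $ctlValues[$listName]
    $blob = (Get-ItemProperty -Path $ctlKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if (-not $blob) {
        # Missing value: the updater has never populated this list on this host (or it is disabled).
        Write-Warning "$listName ($valueName) is not present under $ctlKey"
        continue
    }

    # The registry blob is the same signed CTL that ships in the .cab from Windows Update.
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([byte[]]$blob)

    try {
        $cms.CheckSignature($true)   # $true = verify the signature only; chain building is a separate step
        $signatureState = 'valid'
    } catch {
        $signatureState = "INVALID: $($_.Exception.Message)"
    }

    $signerCert = $cms.SignerInfos[0].Certificate
    [pscustomobject]@{
        List          = $listName
        RegistryValue = $valueName
        Bytes         = $blob.Length
        IsCtl         = ($cms.ContentInfo.ContentType.Value -eq $ctlContentType)
        Signer        = if ($signerCert) { $signerCert.Subject } else { '(certificate not embedded)' }
        SignerExpires = if ($signerCert) { $signerCert.NotAfter } else { $null }
        Signature     = $signatureState
    }
}
```

A host that has been redirected to an internal share but never synchronized will show the warning for one or both values, and a tampered or truncated blob will show an INVALID signature state.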
Benefits of CTL Updater
Automatic update functionality using the CTL Updater delivers several benefits:
Registry settings for storing CTLs. New settings enable changing the location for uploading trusted or untrusted CTLs from the Windows Update site to a shared location in an organization. See Registry Settings Modified.
Synchronization options. If the URL for the Windows Update site is moved to a local shared folder, the local shared folder must be synchronized with the Windows Update folder. This software update adds a set of options in the Certutil tool that you use to enable synchronization. For more information, see the Certutil -syncWithWU Windows command reference.
Tool to select trusted root certificates. This software update introduces a tool for managing the set of trusted root certificates in your enterprise environment. You can view and select the set of trusted root certificates, export them to a serialized certificate store, and distribute them by using Group Policy. For more information, see the Certutil -generateSSTFromWU SSTFile Windows command reference.
Independent configurability. The automatic update mechanism for trusted and untrusted certificates is independently configurable; you can use the automatic update mechanism to download only the untrusted CTLs and manage your own list of trusted CTLs. For more information, see Registry settings modified.
See Configure Trusted Roots and Disallowed Certificates for guidance on installing the software updates on the supported operating systems discussed in this article.
Automatic update functionality can be disabled if necessary; however, it isn't recommended.
Next steps
Now that you understand more about trusted root and disallowed certificates in Windows, here are some more articles that might help you as you configure your systems.
Event ID 8 — Automatic Root Certificates Update Configuration
certutil Windows command reference