Microsoft Root Certificate Program (TLS Certificates)

  • Question

  • Apologies if this is the wrong place for me to post this. I am currently pursuing a study on root certificate stores present across various platforms, including Microsoft Windows. Upon looking at the list of participants in the Microsoft Trusted Root Program and downloading the root certificates using certutil.exe via Windows Update, I have noticed some discrepancies, and I would like some clarification alongside some answers to general questions about the root program itself.

    1) What range of Microsoft products and services is the Microsoft Trusted Root Program applicable to? Are all certificates listed in the program applicable from Azure to Windows? What would be the differences in available root certificates between Windows 10 and Windows 10 Mobile (or older versions of the respective operating systems)?

    2) Upon downloading the root certificates themselves from Windows Update using certutil.exe, I can confirm the presence of 419 root certificates versus the 402 (I believe) listed on the website: https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT. A majority of the certificates not shown on the list are ones from GlobalSign used for signing purposes (email, code, documents, etc.). Why are these certificates not included in the list itself?

    3) The list contains a Microsoft Status column which has three possible values for each certificate: Included, notBefore and disabled. Opening certificates which are disabled according to the list shows that they have been revoked. Certificates labeled notBefore seem to be fine. The release notes state that Windows 10 can disable certificates that are set to notBefore or disabled. What is the difference between the notBefore and disabled values in the Microsoft Status column, and what exactly happens to these certificates in Windows 10 and prior versions of Windows?

    4) Why are expired certificates included in the root store? While I am aware that this is to provide backwards compatibility, are there any security implications regarding this?

    5) Why are revoked certificates included in the root store? Why are they present in the list itself and available to be downloaded onto a computer? Once again, I am aware that some certificates are disallowed, but for what exact purpose are these certificates included, and why have they not been removed from the root store?

    6) I am aware that not all 402 certificates are stored on the OS itself and that the root certificate store has the capacity to expand. Is there a list of root certificates that are available in a fresh install of Windows 10? If not, how can I best determine the root certificates applicable to Windows 10 from the list provided?

    7) Is there an email address available for asking further questions about the root certificate program? Since I am pursuing this research on behalf of a university, I would like somebody to contact.

    EDIT: Modified the title to reduce confusion.

    • Moved by Dave Patrick (MVP) on Tuesday, September 29, 2020, 3:55 PM: looking for forum
    • Edited by Jegan019 on Tuesday, September 29, 2020, 5:13 PM
    Posted Tuesday, September 29, 2020, 5:51 AM
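To make the comparison the question describes reproducible, here is an added PowerShell example. It is not from the original post, from Microsoft, or from the CCADB: it regenerates the root list from Windows Update with certutil, fingerprints each root with SHA-256, diffs it against a locally saved copy of the CCADB report, and then shows which of the three local stores (Root, AuthRoot, Disallowed) certificates actually sit in on the machine it runs on. The CSV filename `.\ccadb.csv` and its `SHA-256 Fingerprint` column header are assumptions; adjust them to the file you downloaded.

```powershell
# Added example, not part of the original post. Assumes a Windows host with certutil.exe
# and a locally saved CCADB report at .\ccadb.csv whose fingerprint column is named
# 'SHA-256 Fingerprint' (both the path and the column name are assumptions).

$sstPath = Join-Path $env:TEMP 'wu-roots.sst'

# 1) Pull the current Windows Update root list into a serialized certificate store (.sst).
& certutil.exe -generateSSTFromWU $sstPath | Out-Null
if (-not (Test-Path $sstPath)) { throw "certutil did not produce $sstPath" }

$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($sstPath)

function Get-Sha256Fingerprint {
    # The Thumbprint property is SHA-1; CCADB keys its rows on SHA-256, so compute that ourselves.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData))) -replace '-', '' }
    finally { $sha.Dispose() }
}

$now = Get-Date
$report = $wuRoots | ForEach-Object {
    [pscustomobject]@{
        Subject   = $_.Subject
        NotBefore = $_.NotBefore
        NotAfter  = $_.NotAfter
        Expired   = ($_.NotAfter -lt $now)
        Sha256    = Get-Sha256Fingerprint $_
    }
}

"Roots in the Windows Update list : $($report.Count)"
"  of which already expired       : $(($report | Where-Object Expired).Count)"

# 2) Diff against the CCADB report by SHA-256 fingerprint (strip colons/spaces, normalise case).
$ccadbFps = Import-Csv .\ccadb.csv | ForEach-Object {
    ($_.'SHA-256 Fingerprint' -replace '[^0-9A-Fa-f]', '').ToUpper()
}
$onlyInWu    = $report   | Where-Object { $ccadbFps -notcontains $_.Sha256 }
$onlyInCcadb = $ccadbFps | Where-Object { $_ -notin $report.Sha256 }

"Present in WU list but not in CCADB : $($onlyInWu.Count)"
$onlyInWu | Select-Object Subject, NotAfter | Format-Table -AutoSize
"Present in CCADB but not in WU list : $($onlyInCcadb.Count)"

# 3) What this machine actually holds locally. Root is the in-box set, AuthRoot receives
#    roots fetched on demand from Windows Update, Disallowed holds explicitly untrusted certs.
foreach ($store in 'Root', 'AuthRoot', 'Disallowed') {
    $count = (Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue).Count
    "LocalMachine\$store : $count certificates"
}

# Which roots from the WU list are currently flagged disallowed here (the Cert: provider
# exposes SHA-1 thumbprints, so the match is done on those).
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed | Select-Object -ExpandProperty Thumbprint
$wuRoots | Where-Object { $disallowed -contains $_.Thumbprint } |
    Select-Object Subject, Thumbprint | Format-Table -AutoSize
```

Reading the stores needs no elevation. The counts from step 3 are the practical answer to the "fresh install" question: `Root` is what ships in the image, and `AuthRoot` only fills in as applications encounter chains that need a root from the Windows Update list, so a freshly installed machine will show far fewer certificates there than the SST contains.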

