How does Windows automatically install certificates in the Trusted Root Certification Authorities list? RRS feed

  • Question

  • Hello.  

    I would like to be able to make a digital signature on an executable, MSI, or driver and have confidence that the signature will work on a wide variety of customer computers, even if those computers are disconnected from the internet.  I have a SHA-2 code signing certificate from GlobalSign and I am testing it out.

    During my tests of Windows 8.1 64-bit, I noticed that if I delete the GlobalSign root certificates from the "Trusted Root Certification Authorities" list for my Current User using certmgr.msc, and then I run my signed executable as an administrator, then Windows will automatically retrieve the required GlobalSign root certificate and add it to my Trusted Root Certification Authorities list, which allows it to properly verify the publisher of the executable and show a friendly warning with the publisher's name in it.  I noticed that this happens even if the computer is disconnected from the Internet.

    I am looking for any information I can get on how the automatic installation of the certificate happens.  Does it come from hidden list of certificates inside Windows?  Where can I see this list?  Does Microsoft document which certificates will be on the list for each version of Windows?  Will the list be present on a machine that has never connected to the Internet?  Thanks!

    You might have seen my article on driver signing before.  I am working on updating it to cover SHA-256 and Windows 10, and I am performing some tests.

    --David Grayson

    Wednesday, July 8, 2015 8:25 PM

All replies

  • I just tested a virtual Windows 10 64-bit (Build 10162) machine that I installed from scratch today, which has never connected to the internet.  It was able to seamlessly install root certificates from GlobalSign, GoDaddy, and Starfield very quickly on demand, even though those certificates were not in the Trusted Root Certification Authorities list by default.  There must be collection of these certificates somewhere in the Windows 10 installation ISO.  Does anyone know where I could find that list, or what certificates are in it?  It seems like Microsoft should just document it, because this information is (or should be!) very important for anyone considering buying a code-signing certificate.

    I wrote a similar post asking about this kind of thing a few years ago.  Back then I was having problems because this automatic installation of root certificates was not happening fast enough on Windows Vista and Windows 7, probably because it used the Internet.  I intend to test them again today and see if they are still too slow.

    --David Grayson

    Wednesday, July 8, 2015 10:21 PM
  • Indeed, it seems that Windows Vista and Windows 7 have been updated and they are now much better at installing root certificates on demand, even if the internet connection is unplugged.  It would be great if we could get some information from Microsoft about this feature of Windows.

    The closest thing I can find is:


    but that document only applies to Windows Server 2008, it doesn't have any lists of certificates in it, and it does not mention the local cache of certificates that Windows seems to be using these days.

    --David Grayson

    Thursday, July 9, 2015 10:56 PM
  • In Windows 7, there are certificates embedded in the resources of crypt32.dll. The Certificate Chaining Engine (CCE) page in the TechNet Wiki briefly mentions it.
    Friday, July 10, 2015 7:55 PM