Trimming Down the Certificate Trust List

  • Article

Public Key Infrastructure (PKI) relies on the certificates which are being utilized to be issued from “trusted” authorities. Put very basically (basically enough to make PKI experts worldwide collectively wince) the certificate being used can be checked against the list to make sure there is a matching trusted issuer certificate in the trusted root list and that the issuer’s certificate passed some checks.  This is all part of certificate chaining, which in turn is part of making sure that the certificates which you are using are trusted, valid and safe. More information is available here at MSDN.

If the issuing trusted certificate is missing and cannot be retrieved from the Microsoft PCA (which is not uncommon in secure corporate networks) then whatever services the certificate is being used for will likely fail.

There is a known condition which can happen where there are too many certificates in the trusted root stores. This leads to some of them not being retrieved and may cause the trusted root check to fail and hence the services which rely on that to fail.

When this happens it is commonly seen in Secure Sockets Layer or Transport Layer Security (SSL/TLS) problems.  Basically, there are too many certificates to send reliably on the network and the one that is needed for the client to server negotiation doesn’t make it.  These problems can appear to be intermittent and tough to track down.

Checking the number of the certificates in the trust list stores is the first step. To address that, a little over a year and a half ago, I published a script here in the TechNet Script Center which will allow you to see if the total number of certificates for trusted authorities was enough to cause problems. You can get that script at this link.

This script will allow you to “clear” away- meaning delete- certificates from the computer’s certificate trusted root stores.

Microsoft maintains a certificate trust list update program on behalf and in conjunction with many other companies. This is called the Microsoft Root Certificate Program

This list distributes updates of available certificates via different methods, and depending on the client connectivity many updates will automatically download if you simply delete the installed certificates in the trust list stores. More information on the distributions is available here at this link.

But some environments use web proxies or firewalls which don’t allow for the automatic download of the new certificates for trusts after you clear the ones in the stores.

Also, there are real business scenarios where the computers trust stores may contain certificates from certificate authorities which are not distributed by the Microsoft Root Update Program.

To address all of these concerns I wrote a PowerShell script named “ClearCertTrustList.ps1”. (You can download it at the hyperlink).  This script will let you clear all of the certificates in the computers trusted root store or selectively keep some of the certificates.

To keep some certificates, simply use the KeepSome switch. You can combine the KeepSome switch with an array of certificate thumbprint strings in the –Thumbprints switch or allow the computer to prompt you for the thumbprints to keep.

The “DetectTrustedRootSizeProblem.ps1” script will export the certificates which are in the store to a CSV file so you can review and select which ones to keep when clearing with this script. That script gives you all of the relevant certificate information you need in order to make your business decision on whether the certificates which are currently in the store are ‘keepers’ or not.  Certificate issuer, subject name, expiry date, thumbprint, serial number and more are all put into a CSV file for review.

I hope this helps out if you find yourself in one a “large trust list” situation.