Check Trusted Root Certificates

PaulTech

The recent report of the Lenovo Superfish fiasco had me looking at the "Trusted Root Certificates" (certmgr.msc (run as admin)).

I don't like the looks of many of those listed and it seems I should include a check for my clients' machines.

In a brief search I found:
http://blogs.msdn.com/b/muaddib/arc...ishing-certificates-for-smart-card-logon.aspx
https://www.myotherpcisacloud.com/p...store-backup-and-cleanup-with-powershell.aspx

Anyone have guidelines on what can or cannot be deleted?

For example, how do I minimize the number of Trusted Root Certificates? And if I remove them and they are required, will I be prompted to "re-trust" the certificate if and when it is required? Here are some examples:

ADOCA02 - Australian Defence Organisation (ADO) Certificate Authority 02
CFCA GT CA - China Financial CA
Default CA
EBG Elektronik Sertifika Hizmet Saglayicisi
Hongkong Post Root CA
Autoridade Certificadora Raiz Brasileira

Thanks for the insight and help!
 
It's been my experience that the OS loads up a whole bunch of trusted root certificates by default. And OEMs add to the list as well. My guess is that these are included by choice based on country and marketing preferences. I just checked my W7 Pro VM and this is what I have. And it's my experience that you can delete these but might have issues trusting an intermediate cert if the root cert has not already been accepted. Personally I've only ever deleted intermediate certs if I was concerned about anything. And organizations add them as well. When I was doing DoD work they rolled their own loads and the cert list was full of DoD ones.

AddTrust External CA Root
AffirmTrust Networking
Baltimore CyberTrust Root
Class 3 Public Primary Certification Authority
Class 3 Public Primary Certification Authority
Copyright (c) 1997 Microsoft Corp.
DigiCert Assured ID Root CA
DigiCert Global Root CA
DigiCert High Assurance EV Root CA
Entrust.net Certification Authority (2048)
Entrust.net Secure Server Certification Authority
Equifax Secure Certificate Authority
GeoTrust Global CA
GlobalSign Root CA
Go Daddy Class 2 Certification Authority
GTE CyberTrust Global Root
http://www.valicert.com/
Microsoft Authenticode(tm) Root Authority
Microsoft Root Authority
Microsoft Root Certificate Authority
Microsoft Root Certificate Authority 2010
Microsoft Root Certificate Authority 2011
NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
Parallels, Inc.
Starfield Class 2 Certification Authority
Thawte Premium Server CA
Thawte Premium Server CA
thawte Primary Root CA
Thawte Timestamping CA
UTN - DATACorp SGC
UTN-USERFirst-Object
VeriSign Commercial Software Publishers CA
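
One way to do the check asked about in this thread, as an added example that is not part of the original posts: record the root store of a reference machine you trust, then report anything on a client machine that is not in that record. The function names and the baseline file path are hypothetical.

```powershell
# Added example: baseline/diff audit of the machine Trusted Root store.
# Function names and the baseline path are hypothetical.

function Get-RootCertInventory {
    # One record per certificate in the local machine Trusted Root store.
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            HasPrivKey = $_.HasPrivateKey
        }
    }
}

function Export-RootBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Run once on a reference machine you trust (for example a clean OS install).
    Get-RootCertInventory | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RootBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Index the baseline by thumbprint for constant-time lookups.
    $known = @{}
    Import-Csv -Path $Path | ForEach-Object { $known[$_.Thumbprint] = $true }

    foreach ($cert in Get-RootCertInventory) {
        $reasons = @()
        if (-not $known.ContainsKey($cert.Thumbprint)) {
            $reasons += 'not in baseline'
        }
        if ($cert.HasPrivKey) {
            # A root whose private key sits on this machine can sign certificates locally.
            $reasons += 'private key present on this machine'
        }
        if ($reasons.Count -gt 0) {
            $cert | Add-Member -NotePropertyName Reasons `
                -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Reference machine:  Export-RootBaseline  -Path .\root-baseline.csv
# Client machine:     Compare-RootBaseline -Path .\root-baseline.csv | Format-Table -AutoSize
```

The script only reports; anything it flags still needs a manual look before removal, since OEM and organization-added roots will also show up as differences from a clean baseline.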
 