I need to implement a service that does not start because the certificate cannot be validated. This certificate has a root CA that was recently created, so my Windows 7 machines do not trust this CA. My machines do not have internet access and can't download the list of trusted root certificates (CTL) from Windows Update.
https://technet.microsoft.com/en-us/library/dn265983.aspx
This TechNet article says that this CTL can be downloaded from the Microsoft Download Center, but I have searched and I just found a KB from 2013 that contains the CTL.
My question is: where can I find the latest version of this list of trusted certificates?
Note: I can't add a certificate manually or via script.
I found the instructions at the bottom of this page to be useful.
Specifically, running
gave me a file with all the needed certs. I then was able to transfer that Rootstore.sst file to another machine, open the file and install the desired certs from it. When opening the file in Certmgr I'm able to see all the certs. I can then add any that I need (to install Visual Studio 2015 on an offline Windows 7 box, I needed the "Microsoft Root Certificate Authority 2010" and "Microsoft Root Certificate Authority 2011") by double clicking to open them, then clicking the install button. However, when I select "Automatically select the certificate store based on the type of certificate" it didn't put these in the trusted root. Instead I had to manually pick the certificate store and then select "Trusted Root Certification Authorities".
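Added example, not part of the answer above: a PowerShell script that opens the transferred Rootstore.sst file and imports only the named root CAs straight into the machine's Trusted Root store, so the store-selection dialog that put them in the wrong place is bypassed. The file path and CA names are assumptions to adjust, and it has to run from an elevated prompt.

```powershell
# Added example, not from the answer above. Imports the named root CAs from an
# .sst file directly into LocalMachine\Root, bypassing the "automatically
# select the certificate store" step. Run from an elevated PowerShell prompt.
# $SstPath and $WantedNames are assumptions: adjust them to your environment.
param(
    [string]   $SstPath = "C:\Temp\Rootstore.sst",
    [string[]] $WantedNames = @("Microsoft Root Certificate Authority 2010",
                                "Microsoft Root Certificate Authority 2011"),
    [switch]   $DryRun     # only list what would be imported, change nothing
)

$ns = "System.Security.Cryptography.X509Certificates"
$bundle = New-Object -TypeName "$ns.X509Certificate2Collection"
$bundle.Import($SstPath)   # .sst (serialized store) files load directly

$root = New-Object -TypeName "$ns.X509Store" -ArgumentList "Root", "LocalMachine"
$root.Open("ReadWrite")
try {
    foreach ($cert in $bundle) {
        $cn = $cert.GetNameInfo("SimpleName", $false)
        if ($WantedNames -notcontains $cn) { continue }

        # Only a self-issued CA certificate belongs in the Root store:
        # subject must equal issuer and Basic Constraints (2.5.29.19) must say CA.
        $bc = $cert.Extensions["2.5.29.19"]
        if ($cert.Subject -ne $cert.Issuer -or -not $bc -or -not $bc.CertificateAuthority) {
            Write-Warning "$cn is not a self-signed CA certificate, skipping"
            continue
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "$cn has expired, skipping"
            continue
        }
        if ($root.Certificates.Find("FindByThumbprint", $cert.Thumbprint, $false).Count -gt 0) {
            Write-Host "$cn is already in the Root store"
            continue
        }

        # Show the thumbprint so it can be compared with a value obtained out of
        # band before the contents of a transferred file are trusted.
        Write-Host ("{0}  SHA1 {1}  valid until {2:d}" -f $cn, $cert.Thumbprint, $cert.NotAfter)
        if (-not $DryRun) { $root.Add($cert) }
    }
} finally {
    $root.Close()
}
```

Run it once with -DryRun to see which certificates match and what their thumbprints are, then again without the switch to import them.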
The article at https://netflex.nl/automatische-ca-root-updates-op-windows/ suggests that you download the root certificates with rootsupd.exe, available at http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe. I'm surprised though that the exe is not signed.
Use at your own risk.
Our team actually just developed a tool to automatically update the root certificates on Windows 10, Server 2012/2016/2019.
It's free.
https://asher.tools/root-certificate-updater