justacruzr2 Posted February 17, 2022 Posted February 17, 2022 Anybody know where I can download Rootstore.sst so I can manually update my certificate store? I tried Windows Download (or Update) Center but all I got was a certificate file with a .wlu extension. Need to update the new installation of XP I did. It's the version that was released 8/4/2004 which includes SP2. 90% of those certs are expired. Thanks.
D.Draker Posted February 17, 2022 Posted February 17, 2022 For manual Root Certificate Update "rootsupd.exe" download http://i430vx.net/files/wsusstuff/NT5x/rootsupd.exe, unzip to a folder (eg with WinRAR), in "rootsupd.inf" entry in the string VERSION should "40,0,2195,0" loud and in VER "040" , In the next step, "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authroots.sst" "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/delroots.sst" "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/roots.sst" "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/updroots.sst" download and paste the unzipped folder and replace older files. Then with e.g. (Create Self-Extracting Archive) WinRAR all files in the folder to an archive option SFX with the following comment: TempMode Silent=1 Overwrite=1 Setup=Rundll32.exe advpack.dll,LaunchINFSection rootsupd.inf,DefaultInstall pack and you have a current root certificate update! https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/?do=findComment&comment=1212034For revoked Certificate Update "rvkroots.exe" Microsoft download (http://www.microsoft.com/download/details.aspx?id=41542), unzip to a folder (e.g. with WinRAR). In "rvkroots.inf" the entry in the string VERSION should be changed to "5,0,2195,0" and the VER entry changed to "005". The next step is download the "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcert.sst" and paste the unzipped folder and replace older file. Then with e.g. (Create Self-Extracting Archive) WinRAR all files in the folder to an archive option SFX with the following comment: TempMode Silent=1 Overwrite=1 Setup=Rundll32.exe advpack.dll,LaunchINFSection rvkroots.inf,DefaultInstall pack and you have a current update for blocking unsafe Certificates! https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/?do=findComment&comment=1212104 1
justacruzr2 Posted February 17, 2022 Author Posted February 17, 2022 Thanks. I was hoping to find rootstore.sst. I have the system certificates in MMC and all I have to do there is click on Import and I'm done. I'll try it your way though. Thanks.
Compa Posted February 18, 2022 Posted February 18, 2022 (edited) If connected to the internet you could use heinoganda's tool (Google 'XP roots', it's literally top result). I think i430VX's backup of the roots updater goes up to late 2016: Let's Encrypt sites might be broken still (i.e. about half the web) due to the DST Root X3 expiring in September 2021. Haven't really tested it in a while, though. Edited February 18, 2022 by Compa
RainyShadow Posted February 18, 2022 Posted February 18, 2022 or this instead https://msfn.org/board/topic/181915-system-certificates-updater-the-easy-way/ 1
D.Draker Posted February 19, 2022 Posted February 19, 2022 On 2/18/2022 at 8:46 AM, Compa said: I think i430VX's backup of the roots updater goes up to late 2016: Let's Encrypt sites might be broken still (i.e. about half the web) due to the DST Root X3 expiring in September 2021 Duh !? That's why I wrote he needs to insert the new certs he downloads directly from MS. Did you read what I wrote ? Well , try again (reading out loud with a thick British accent might help). This method proved to be fully working by many MSFN members. 1
i430VX Posted February 19, 2022 Posted February 19, 2022 (edited) I'm not sure exactly what you mean about lets encrypt certified sites being broken or the certs being from 2016, the cert updater on my site automatically fetches the latest ones. My own site uses a lets encrypt certificate and is properly validated in IE8 on XP, after using the updater. In case there is some confusion, i mean this one HERE: http://i430vx.net/files/misc/Cert_Updater_v1.6.exe Edit: (my two cents about the first post) If one wants to manually update the certs, i would run the cert updater with wireshark or tcpdump and just look at where it is downloading from... those are what you need. Edit 2: A lot easier is just to view its files. It extracts to %tmp%\certupd.tmp\ There, among other things, you will find the batch file. Edited February 19, 2022 by i430VX 1
Compa Posted February 19, 2022 Posted February 19, 2022 (edited) 3 hours ago, i430VX said: In case there is some confusion, i mean this one HERE: For what I meant by expiry - https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ I'm not sure if that applies to the file in /files/wsusstuff or not. However you've already linked a more updated method now than the one I was thinking of in your site, so it's not an issue @D.Draker Not sure what the sudden hostility's for unless you're trying to reignite old drama randomly, D(ixel) Draker... Edited February 19, 2022 by Compa
D.Draker Posted February 19, 2022 Posted February 19, 2022 3 hours ago, Compa said: Not sure what the sudden hostility's for unless you're trying to reignite old drama randomly, D(ixel) Draker... I'm terribly sorry if asking a person to read again means hostility for you. What "drama" are you talking about ? Yep , we both updated the certs that way , but no drama had happened during the update. xD . Who are you , lol ? 1
Compa Posted February 19, 2022 Posted February 19, 2022 I'll spare the details. All I'm saying is this is a support forum and you didn't just say "I didn't read", you had to write it in a particularly snarky manner. Guess your attitude hasn't changed one bit, Dixel.
D.Draker Posted February 19, 2022 Posted February 19, 2022 3 hours ago, Compa said: I'll spare the details. Why ? Have something to hide ? Yes , support forum and I provided with fully working instructions, yet you started to imply the're somewhat bad . Why ? "...roots updater goes up to late 2016: Let's Encrypt sites might be broken still (i.e. about half the web) due to the DST Root X3 expiring in September 2021" That's simply not true. 2
D.Draker Posted February 19, 2022 Posted February 19, 2022 3 hours ago, Compa said: Dixel I'm Draker . Please be respectful when you address MSFN members. Call them by their (nick)names . It's not hard to remember. British accent is actually a good thing . I mean proper British accent , not fake. 1
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now