Root Certificate Update


justacruzr2

Anybody know where I can download Rootstore.sst so I can manually update my certificate store?  I tried Windows Download (or Update) Center but all I got was a certificate file with a .wlu extension.  Need to update the new installation of XP I did.  It's the version that was released 8/4/2004 which includes SP2.  90% of those certs are expired.  Thanks.

For the manual Root Certificate Update, download "rootsupd.exe" from http://i430vx.net/files/wsusstuff/NT5x/rootsupd.exe and unzip it to a folder (e.g. with WinRAR). In "rootsupd.inf" the entry in the string VERSION should read "40,0,2195,0" and in VER "040". In the next step, download

"http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authroots.sst"

"http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/delroots.sst"

"http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/roots.sst"

"http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/updroots.sst"

and paste them into the unzipped folder, replacing the older files. Then, with e.g. WinRAR (Create Self-Extracting Archive), add all files in the folder to an archive with the SFX option and the following comment:

TempMode

Silent=1

Overwrite=1

Setup=Rundll32.exe advpack.dll,LaunchINFSection rootsupd.inf,DefaultInstall

Pack it and you have a current root certificate update!

https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/?do=findComment&comment=1212034

For the revoked Certificate Update, download "rvkroots.exe" from Microsoft (http://www.microsoft.com/download/details.aspx?id=41542) and unzip it to a folder (e.g. with WinRAR). In "rvkroots.inf" the entry in the string VERSION should be changed to "5,0,2195,0" and the VER entry changed to "005". The next step is to download "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcert.sst" and paste it into the unzipped folder, replacing the older file. Then, with e.g. WinRAR (Create Self-Extracting Archive), add all files in the folder to an archive with the SFX option and the following comment:

TempMode

Silent=1

Overwrite=1

Setup=Rundll32.exe advpack.dll,LaunchINFSection rvkroots.inf,DefaultInstall

Pack it and you have a current update for blocking unsafe certificates!

https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/?do=findComment&comment=1212104

 

 

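Added example, not part of the original posts or of any poster's tooling: the .sst files in the procedure above are fetched over plain HTTP and end up installing trust roots, so this Python sketch lists the SHA-1 thumbprints inside a serialized store and diffs the old file against its replacement before anything is repacked. The header and element layout (8-byte `0,0,0,0,"CERT"` header, then id/encoding/length records with id 32 holding a DER certificate) is an assumption, and `build_sample` produces constructed test data, not real certificates.

```python
import hashlib
import struct

SST_MAGIC = b"\x00\x00\x00\x00CERT"  # version 0 + file type "CERT" (assumed layout)
CERT_ELEMENT_ID = 32                  # element carrying one DER certificate (assumed)

def sst_thumbprints(blob):
    """Return the SHA-1 thumbprint (hex) of every certificate element, in file order."""
    if blob[:8] != SST_MAGIC:
        raise ValueError("not a serialized certificate store")
    prints, pos = [], 8
    while pos + 12 <= len(blob):
        elem_id, _encoding, size = struct.unpack_from("<III", blob, pos)
        pos += 12
        if elem_id == 0:              # all-zero record marks the end of the store
            break
        if pos + size > len(blob):    # e.g. a download that was cut short
            raise ValueError("truncated element at offset %d" % (pos - 12))
        if elem_id == CERT_ELEMENT_ID:
            prints.append(hashlib.sha1(blob[pos:pos + size]).hexdigest().upper())
        pos += size                   # property elements are skipped, not hashed
    return prints

def diff_stores(old_blob, new_blob):
    """Thumbprints that appear in, and disappear from, the replacement file."""
    old, new = set(sst_thumbprints(old_blob)), set(sst_thumbprints(new_blob))
    return sorted(new - old), sorted(old - new)

def _element(elem_id, data):
    return struct.pack("<III", elem_id, 1, len(data)) + data

def build_sample(certs):
    """Constructed store: a 20-byte property element (id 3) before each cert blob."""
    body = b"".join(_element(3, b"\x00" * 20) + _element(CERT_ELEMENT_ID, c)
                    for c in certs)
    return SST_MAGIC + body + b"\x00" * 12

if __name__ == "__main__":
    old = build_sample([b"constructed-cert-A", b"constructed-cert-B"])
    new = build_sample([b"constructed-cert-B", b"constructed-cert-C"])
    added, removed = diff_stores(old, new)
    print("added:", added)
    print("removed:", removed)
```

On real files, read each .sst with `open(path, "rb").read()` and compare the thumbprints against the ones the CA publishes for the roots you expect.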

If connected to the internet you could use heinoganda's tool (Google 'XP roots', it's literally top result).

I think i430VX's backup of the roots updater goes up to late 2016: Let's Encrypt sites might be broken still (i.e. about half the web) due to the DST Root X3 expiring in September 2021. Haven't really tested it in a while, though.

Edited by Compa

On 2/18/2022 at 8:46 AM, Compa said:

I think i430VX's backup of the roots updater goes up to late 2016: Let's Encrypt sites might be broken still (i.e. about half the web) due to the DST Root X3 expiring in September 2021

Duh!? That's why I wrote he needs to insert the new certs he downloads directly from MS. Did you read what I wrote? Well, try again (reading out loud with a thick British accent might help). This method proved to be fully working by many MSFN members.


I'm not sure exactly what you mean about Let's Encrypt certified sites being broken or the certs being from 2016; the cert updater on my site automatically fetches the latest ones.

My own site uses a Let's Encrypt certificate and is properly validated in IE8 on XP, after using the updater.

In case there is some confusion, I mean this one HERE:

http://i430vx.net/files/misc/Cert_Updater_v1.6.exe
 

Edit: (my two cents about the first post)
If one wants to manually update the certs, I would run the cert updater with Wireshark or tcpdump and just look at where it is downloading from... those are what you need.
 

Edit 2:
A lot easier is just to view its files. It extracts to %tmp%\certupd.tmp\

There, among other things, you will find the batch file.

Edited by i430VX

3 hours ago, i430VX said:

In case there is some confusion, i mean this one HERE:

For what I meant by expiry - https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ I'm not sure if that applies to the file in /files/wsusstuff or not.

However you've already linked a more updated method now than the one I was thinking of in your site, so it's not an issue :)

@D.Draker Not sure what the sudden hostility's for unless you're trying to reignite old drama randomly, D(ixel) Draker...

Edited by Compa

3 hours ago, Compa said:

Not sure what the sudden hostility's for unless you're trying to reignite old drama randomly, D(ixel) Draker...

I'm terribly sorry if asking a person to read again means hostility for you. What "drama" are you talking about? Yep, we both updated the certs that way, but no drama had happened during the update. xD. Who are you, lol?


I'll spare the details.

All I'm saying is this is a support forum and you didn't just say "I didn't read", you had to write it in a particularly snarky manner. Guess your attitude hasn't changed one bit, Dixel.


3 hours ago, Compa said:

I'll spare the details.

Why? Have something to hide? Yes, support forum and I provided with fully working instructions, yet you started to imply they're somewhat bad. Why?

"...roots updater goes up to late 2016: Let's Encrypt sites might be broken still (i.e. about half the web) due to the DST Root X3 expiring in September 2021"

That's simply not true.


3 hours ago, Compa said:

Dixel

I'm Draker. Please be respectful when you address MSFN members. Call them by their (nick)names. It's not hard to remember.

British accent is actually a good thing. I mean proper British accent, not fake.
