Monroe, posted January 8

Still mostly a Windows XP user, but in September 2023 I decided to get a used ThinkPad Windows 7 notebook. I had mentioned this in another Windows 7 topic after starting to have banking and a few other website problems. After over three months I think I now have a good understanding and feel for Windows 7. I finally got my good 'factory' or 'restore' DVD made with my settings and everything to my liking the first week of December. So I'm good to go if I should mess a few things up and need a repair job.

I have this one question about Windows 7 Root Certificates and Revoked Certificates since the official MS updates stopped in Jan 2020. With Windows XP we are lucky to have the Certs updater provided for many years now by heinoganda. So what about Windows 7 now in 2023/2024? I did some searching around over the last two months but really found nothing about updating Windows 7 certs. I would think this would be like Windows XP ... they would need updating also in Windows 7? ... right?

thanks ...

mina7601, posted January 9

Well, at the moment, browsing with Chrome still works and doesn't throw any certificate errors, but yes, I see no reason to not update root and revoked certificates.

D.Draker, posted January 9

9 hours ago, Monroe said:
> what about Windows 7

It's supposed to fetch them automatically. The cert store hasn't changed between Vista and 11.

"An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"
https://support.microsoft.com/en-us/topic/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista-windows-server-2008-windows-7-and-windows-server-2008-r2-117bc163-d9e0-63ad-5a79-e61f38be8b77

D.Draker, posted January 9

And this is for the trusted certs.

"Automatic certificate trust list update"
https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-trust

Monroe (author), posted January 9

10 hours ago, D.Draker said:
> It's supposed to fetch them automatically. The cert store hasn't changed between Vista and 11.
>
> "An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"
> https://support.microsoft.com/en-us/topic/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista-windows-server-2008-windows-7-and-windows-server-2008-r2-117bc163-d9e0-63ad-5a79-e61f38be8b77

D.Draker ... thanks a lot for this information. I guess I am a little confused about MS not supplying any more Windows 7 updates / support after Jan 2020 and Jan 2023 but they are still helping out with trusted and untrusted certificates. Since late October I have been checking for any Windows 7 updates and it always says "There are no updates available." or "Windows 7 is up to date".

I'm on my Win XP computer now but will check out the links you supplied later today. Again, thanks for the reply and help.

...

Nomen, posted January 20

My understanding of this certificate mechanism is fuzzy. Does a browser (any browser?) running under Win-7 (or any Win version) query a Microsoft certificate database each/every time the browser is pointed to a site to get an answer back if the site/domain is trusted? Or, is this a static update of some sort? Something that gets downloaded only once and does not mean your computer/browser is always in contact with MS with regard to these certs?

superleiw, posted April 24

On Windows Vista and higher there should be no need to manually update those certificates anymore. Like Draker said, the behaviour on these OS since Vista is the same; Windows checks for Trusted CTL once a week and the Untrusted CTL every day through Windows Update using the automatic daily update mechanism (CTL updater)!

Disabling WU may prevent those certificates from being updated (I haven't tested it myself so can't confirm).

To modify this behaviour (at your own risk) it's possible to change the following registry keys:

Enable or disable the Windows AutoUpdate of the trusted CTL:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
    "DisableRootAutoUpdate"=dword:00000000

0 to enable or 1 to disable. This key is not present by default. Without a key present, the default is enabled.

Enable or disable the Windows AutoUpdate of the untrusted CTL:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
    "EnableDisallowedCertAutoUpdate"=dword:00000001

1 to enable or 0 to disable. This key is not present by default. Without a key present, the default is enabled.
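
A read-only check of the two policy values described in the post above, added here as an example and not part of the original thread. The `AuthRoot\AutoUpdate` state key and its `LastSyncTime` / `DisallowedCertLastSyncTime` values are not mentioned in the thread, and the 30-day staleness threshold is an arbitrary assumption.

```powershell
# Added example: read-only report of CTL auto-update policy and last sync times.
# Avoids PowerShell 3.0+ syntax so it also runs on Windows 7's built-in 2.0.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
# Assumption (not from the thread): the updater stores its sync state here.
$stateKey   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$maxAgeDays = 30   # assumed staleness threshold

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Convert-FileTime($Value) {
    # Function output unrolls arrays, so rebuild the byte[] before decoding.
    # Sync times are 8-byte little-endian FILETIME blobs (REG_BINARY).
    $bytes = [byte[]]@($Value)
    if ($bytes.Length -eq 8) {
        [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($bytes, 0))
    } else { $null }
}

function New-CtlStatus($List, $PolicyName, $DisabledWhen, $SyncValueName) {
    $raw      = Get-RegValue $policyKey $PolicyName
    $lastSync = Convert-FileTime (Get-RegValue $stateKey $SyncValueName)
    $enabled  = ($raw -ne $DisabledWhen)   # absent value ($null) means enabled
    $stale    = $true                      # no recorded sync counts as stale
    if ($lastSync) {
        $stale = ((Get-Date).ToUniversalTime() - $lastSync).TotalDays -gt $maxAgeDays
    }
    New-Object PSObject -Property @{
        List        = $List
        PolicyValue = $PolicyName
        Configured  = $(if ($null -eq $raw) { '(not set)' } else { $raw })
        AutoUpdate  = $(if ($enabled) { 'enabled' } else { 'DISABLED' })
        LastSyncUtc = $(if ($lastSync) { $lastSync.ToString('u') } else { 'never / unknown' })
        Stale       = $stale
    }
}

$report = @(
    (New-CtlStatus 'Trusted roots'  'DisableRootAutoUpdate'          1 'LastSyncTime'),
    (New-CtlStatus 'Untrusted list' 'EnableDisallowedCertAutoUpdate' 0 'DisallowedCertLastSyncTime')
)
$report | Select-Object List, PolicyValue, Configured, AutoUpdate, LastSyncUtc, Stale |
    Format-Table -AutoSize
```

A row showing `DISABLED`, or `Stale = True` on a machine that is normally online, means the store is no longer receiving new revocations or roots through this mechanism.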

NotHereToPlayGames, posted April 24

4 minutes ago, superleiw said:
> Disabling WU may prevent those certificates from being updated (I haven't tested it myself so can't confirm)
>
> Enable or disable the Windows AutoUpdate of the trusted CTL:
>
>     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
>     "DisableRootAutoUpdate"=dword:00000000
>
> 0 to enable or 1 to disable. This key is not present by default. Without a key present, the default is enabled.
>
> Enable or disable the Windows AutoUpdate of the untrusted CTL:
>
>     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
>     "EnableDisallowedCertAutoUpdate"=dword:00000001
>
> 1 to enable or 0 to disable. This key is not present by default. Without a key present, the default is enabled.

Thanks. I personally disable WU and will also now be disabling these CTL updates. "My computer, my preference."

lll888, posted July 5

There are forums where people are working on utilities that update certificates for Win 7 or XP, just search for them.

superleiw, posted July 17

Indeed, if you want to manually update those certificates on W7 or higher it's possible to use alternative tools.

The rootsupd.exe (and the updroots.exe inside of it) are outdated and should not be used (except for XP & Vista). In fact, they break the "Microsoft Root Certificate Authority" root certificate on modern systems (at least Windows 10 1803+).

An alternative to use on W7 and higher would be Root Certificate Updater, available here (GUI or PowerShell script):

https://github.com/asheroto/Root-Certificate-Updater
https://www.powershellgallery.com/packages/UpdateRootCertificates/2.0.0

This tool was originally developed to manually update the root certificates on Windows 10, Server 2012/2016/2019. It seems to also work on W7/8/8.1 if WMF 5.1 is installed.

lll888, posted July 18 (edited July 18 by lll888)

But that's not all you found. Removed the standard task scheduler, installed Atomic Alarm Clock for myself and added a batch file to it so that it would update certificates on a schedule.