Windows 7 Root Certificates and Revoked Certificates Question

[Monroe]

Still mostly a Windows XP user but in September 2023 I decided to get a used ThinkPad Windows 7 notebook. I had mentioned this in another Windows 7 topic after starting to have banking and a few other website problems. After over three months I think I now have good understanding and feel for Windows 7.

I finally got my good 'factory' or 'restore' DVD made with my settings and everything to my liking the first week of December. So I'm good to go if I should mess a few things up and need a repair job.

I have this one question about Windows 7 Root Certificates and Revoked Certificates since the official MS updates stopped in Jan 2020.

With Windows XP we are lucky to have the Certs updater provided for many years now by heinoganda. So what about Windows 7 now in 2023 /2024? I did some searching around over the last two months but really found nothing about updating Windows 7 certs.

I would think this would be like Windows XP ... they would need updating also in Windows 7? ... right?

thanks ...

 

[mina7601]

Well, at the moment, browsing with Chrome still works and doesn't throw any certificate errors, but yes, I see no reason to not update root and revoked certificates.

[D.Draker]

9 hours ago, Monroe said:

what about Windows 7

It supposed to fetch them automatically. The cert store hasn't changed between Vista and 11.

"An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"

https://support.microsoft.com/en-us/topic/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista-windows-server-2008-windows-7-and-windows-server-2008-r2-117bc163-d9e0-63ad-5a79-e61f38be8b77

[D.Draker]

And this is for the trusted certs.

"Automatic certificate trust list update"

https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-trust

[Monroe]

10 hours ago, D.Draker said:

It supposed to fetch them automatically. The cert store hasn't changed between Vista and 11.

"An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"

https://support.microsoft.com/en-us/topic/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista-windows-server-2008-windows-7-and-windows-server-2008-r2-117bc163-d9e0-63ad-5a79-e61f38be8b77

D.Draker ... thanks a lot for this information. I guess I am a little confused about MS not supplying anymore Windows 7 updates / support after Jan 2020 and Jan 2023 but they are still helping out with  trusted and untrusted certificates. Since late October I have been checking for any Windows 7 updates and it always says "There are no updates available." or "Windows 7 is up to date".

I'm on my Win XP computer now but will check out the links you supplied later today.

Again thanks for the reply and help.

...

[Nomen]

My understanding of this certificate mechanism is fuzzy. 

Does a browser (any browser?) running under Win-7 (or any Win version) query a Microsoft certificate database each/every time the browser is pointed to a site to get an answer back if the site/domain is trusted?

Or, is this a static update of some sort?  Something that gets downloaded only once and does not mean your computer/browser is always in contact with MS with regard to these certs?

 

[superleiw]

On Windows Vista and higher there should be no need to manually update those certificates anymore.

Like Draker said, the behaviour on these OS since Vista is the same ;

Windows checks for Trusted CTL once a week and the Untrusted CTL every day through Windows Update using the automatic daily update mechanism (CTL updater) !

Disabling WU may prevent those certificates from being updated ( I haven't tested it myself so can't confirm)

To modify this behaviour (at your own risk) it's possible to change the following registry keys :

 

Enable or disable the Windows AutoUpdate of the trusted CTL:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
"DisableRootAutoUpdate"=dword:00000000

0 to enable or 1 to disable. This key is not present by default. Without a key present, the default is enabled.

 

Enable or disable the Windows AutoUpdate of the untrusted CTL:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
"EnableDisallowedCertAutoUpdate"=dword:00000001

1 to enable or 0 to disable. This key is not present by default. Without a key present, the default is enabled.

[NotHereToPlayGames]

4 minutes ago, superleiw said:

Disabling WU may prevent those certificates from being updated ( I haven't tested it myself so can't confirm)

 

Enable or disable the Windows AutoUpdate of the trusted CTL:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
"DisableRootAutoUpdate"=dword:00000000

0 to enable or 1 to disable. This key is not present by default. Without a key present, the default is enabled.

 

Enable or disable the Windows AutoUpdate of the untrusted CTL:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot]
"EnableDisallowedCertAutoUpdate"=dword:00000001

1 to enable or 0 to disable. This key is not present by default. Without a key present, the default is enabled.

Thanks.  I personally disable WU and will also now be disabling these CTL updates.  "My computer, my preference."