Manually Update Windows Trusted Root Certificates

Manually Update Windows Trusted Root Certificates KB ID 0001831

Problem

These days your trusted root certificates are simply updated with Windows Update, but what if your servers have no internet access? In this example I will manually update the root certs by downloading them on a machine WITH internet access and then importing them on another machine that does not have it.

Bear in mind: if none of your machines have internet access they cannot check certificate revocation lists etc., so you may still get some errors. You may want to consider deploying your own internal PKI.

Microsoft PKI Planning and Deploying Certificate Services

Solution: Update Windows Trusted Root Certificates

On a machine that HAS INTERNET ACCESS open an administrative command window and use the following commands.

mkdir c:\trusted-root-certs
cd c:\trusted-root-certs
Certutil.exe -generateSSTFromWU roots.sst

Export all Trusted Root Certificates

You can (if you wish) then double-click the SST file you’ve just created; once you expand the folders on the left, it should look like this.

Exported all Trusted Root Certificates

Now copy that SST file to a machine THAT DOES NOT HAVE INTERNET ACCESS.

Note: I’ve created the same folder (c:\trusted-root-certs), opened an administrative PowerShell window, then issued the following commands.

$sstStore = ( Get-ChildItem -Path c:\trusted-root-certs\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

Import all Trusted Root Certificates

Of course, you may wish to script this if you have many machines to update, and host roots.sst in a central location so you can update it periodically.
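As an added example (not part of the original article), the following PowerShell script does the import from a central share in a way that is safe to run repeatedly: it loads the SST, compares its thumbprints against what is already in the LocalMachine Root store, only adds roots that are missing, refuses anything that is not self-signed (intermediates do not belong in the Root store), and writes a log of what changed. The share path and log path are assumptions; replace them with your own.

```powershell
# Added example, not from the original article.
# Import new trusted roots from a centrally hosted roots.sst (produced with
# "Certutil.exe -generateSSTFromWU roots.sst") into the LocalMachine Root store.
# ASSUMPTIONS: \\fileserver\pki\roots.sst and the log path are placeholders.
param(
    [string]$SstPath = '\\fileserver\pki\roots.sst',
    [string]$LogPath = 'C:\trusted-root-certs\import.log'
)

$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

if (-not (Test-Path -Path $SstPath)) {
    Write-Log "SST not found at $SstPath - nothing imported"
    exit 1
}

# Load the serialized store into a collection so it can be inspected
# before anything is written to the machine store.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($SstPath)
Write-Log ("Loaded {0} certificate(s) from {1}" -f $bundle.Count, $SstPath)

# Thumbprints already trusted on this machine; used to skip duplicates.
$existing = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

$added = 0; $skipped = 0; $rejected = 0
try {
    foreach ($cert in $bundle) {
        if ($existing -contains $cert.Thumbprint) {
            $skipped++
            continue
        }
        # A root certificate is self-signed; anything else should not be
        # placed in the Root store even if it arrived in the bundle.
        if ($cert.Subject -ne $cert.Issuer) {
            $rejected++
            Write-Log ("REJECTED non-root {0} ({1})" -f $cert.Subject, $cert.Thumbprint)
            continue
        }
        $store.Add($cert)
        $added++
        Write-Log ("ADDED {0} ({1}) expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    }
}
finally {
    $store.Close()
}

Write-Log ("Done: {0} added, {1} already present, {2} rejected" -f $added, $skipped, $rejected)
```

Run it from an administrative PowerShell window (for example via a scheduled task or GPO startup script) so the LocalMachine store can be opened read/write; the log gives you a per-machine record of exactly which roots were introduced and when, which is worth keeping when the machines cannot reach Windows Update themselves.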

Related Articles, References, Credits, or External Links

NA

Author: PeteLong
