Manually Update Windows Trusted Root Certificates

Manually Update Windows Trusted Root Certificates KB ID 0001831


These days your trusted root certificates are simply updated with Windows Update, but what if your servers have no internet access? In this example I will manually update the root certs by downloading them on a machine WITH internet access then importing on another machine that has not.

Bear in mind: If none of your machines have internet access they cannot check certificate revocation lists etc – so you may still get some errors. You may want to consider deploying you own internal PKI.

Microsoft PKI Planning and Deploying Certificate Services

Solution: Update Windows Trusted Root Certificates

On a machine that HAS INTERNET ACCESS open an administrative command window and use the following commands.

mkdir c:\trusted-root-certs
cd c:\trusted-root-certs
Certutil.exe -generateSSTFromWU roots.sst

Export all Trusted Root Certificates

You can (if you wish) then double click the SST file you’ve just created and (once you expand the folders on the left.) It should look like this.

Exported all Trusted Root Certificates

Now copy that SST file to a machine THAT DOES NOT HAVE INTERNET ACCESS.

Note: I’ve created the same folder (c:\trusted-root-certs) and open an administrative PowerShell window, then issue the following commands.

$sstStore = ( Get-ChildItem -Path c:\trusted-root-certs\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

Import all Trusted Root Certificates

Of course you may wish to script this if you have many machines to update, and host roots.sst in a central location so you can periodically update it.

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *