- Trusted Root Certification Authorities Certificate Store
- How to manage Trusted Root Certificates in Windows 10
- Manage Trusted Root Certificates in Windows 10
- Unable to use Windows SSL trust store #6584
- Comments
- knolleCC commented Aug 31, 2018
- wendlm commented Sep 28, 2018
- hbdesiato commented Oct 22, 2018
- TTMaZa commented Apr 4, 2019 •
- justin-michel-boeing commented Aug 21, 2019
- Empowerment begins with trust
- “If we can’t protect people, then we don’t deserve their trust.”
- Principles for maintaining data integrity in the cloud
- Security
- Privacy
- Compliance
Trusted Root Certification Authorities Certificate Store
Starting with Windows Vista, the Plug and Play (PnP) manager performs driver signature verification during device and driver installation. However, the PnP manager can successfully verify a digital signature only if the following statements are true:
The signing certificate that was used to create the signature was issued by a certification authority (CA).
The corresponding root certificate for the CA is installed in the Trusted Root Certification Authorities certificate store. Therefore, the Trusted Root Certification Authorities certificate store contains the root certificates of all CAs that Windows trusts.
By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Administrators can configure the default set of trusted CAs and install their own private CA for verifying software.
Note: A private CA is unlikely to be trusted outside the network environment.
Having a valid digital signature ensures the authenticity and integrity of a driver package. However, it does not mean that the end-user or a system administrator implicitly trusts the software publisher. A user or administrator must decide whether to install or run an application on a case-by-case basis, based on their knowledge of the software publisher and application. By default, a publisher is trusted only if its certificate is installed in the Trusted Publishers certificate store.
The name of the Trusted Root Certification Authorities certificate store is root. You can manually install the root certificate of a private CA into the Trusted Root Certification Authorities certificate store on a computer by using the CertMgr tool.
Note: The driver signing verification policy that is used by the PnP manager requires that the root certificate of a private CA has been previously installed in the local machine version of the Root Certification Authorities certificate store. For more information, see Local Machine and Current User Certificate Stores.
For more information about driver signing, see Driver Signing Policy.
How to manage Trusted Root Certificates in Windows 10
In one of our earlier posts, we saw what Root Certificates are. At times, companies or users may need to manage and configure Trusted Root Certificates to prevent other users in the domain from configuring their own set. In this post, we will see how to manage Trusted Root Certificates and add certificates to the Trusted Root Certification Authorities store in Windows 10/8/7.
Manage Trusted Root Certificates in Windows 10
To add certificates to the Trusted Root Certification Authorities store for a local computer, open the Run box from the WinX Menu in Windows 10/8.1, type mmc, and hit Enter to open the Microsoft Management Console.
Press the File menu link and select Add/Remove Snap-in. Now under Available snap-ins, click Certificates, and then click Add.
Click OK. In the next dialog box, select Computer account and then click Next.
Now select Local computer and click on Finish.
Now, back in MMC, in the console tree, double-click on Certificates and then right-click on Trusted Root Certification Authorities Store. Under All tasks, select Import.
The Certificate Import Wizard will open.
Follow the instructions in the wizard to complete the process.
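The same import can be scripted with pre-import checks. The block below is an added example, not part of the original article: it uses the Import-Certificate cmdlet instead of the wizard, and the file path and expected thumbprint are placeholders you must replace.

```powershell
# Added example. $Path and $ExpectedThumbprint are placeholders (assumptions).
# Run from an elevated prompt: only administrators can write to LocalMachine\Root.
$Path = 'C:\Temp\private-root-ca.cer'
$ExpectedThumbprint = '<SHA1-THUMBPRINT-FROM-CA-OWNER>'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

# 1. The thumbprint must match the value obtained out of band from the CA owner.
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. A root certificate is self-issued (subject equals issuer).
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: issued by $($cert.Issuer)"
}

# 3. Basic Constraints must mark it as a CA. Local policy choice in this
#    example: legacy X.509 v1 roots without the extension are rejected.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA in Basic Constraints'
}

# 4. The certificate must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
}

# Import into the local machine Trusted Root store, then confirm it landed there.
Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Import did not place the certificate in LocalMachine\Root' }
$installed | Format-List Subject, Thumbprint, NotAfter
```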
Now let us see how to configure and manage trusted root certificates for a local computer. Open MMC and press the File menu link and select Add/Remove Snap-in. Now under Available snap-ins, click Group Policy Object Editor, and then click Add. Select the computer whose local GPO you want to edit, and click Finish / OK.
Now, back in the MMC console tree, navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings. Next, click Public Key Policies. Double-click Certificate Path Validation Settings, and then select the Stores tab.
Here, select the Define these policy settings, Allow user trusted root CAs to be used to validate certificates and Allow users to trust peer trust certificates checkboxes.
Finally, under Stores tab > Root certificate stores, select one option under Root CAs that the client computers can trust and click OK. If in doubt, go with the recommended option.
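Before changing the user trusted root CA setting, it helps to know which roots exist only in a user's store, since those are the ones the setting affects and, per the note above on driver signing, the ones the PnP manager does not consult. The block below is an added example, not from the original article; it assumes it is run as the user whose store is being reviewed.

```powershell
# Added example: list root certificates trusted only for the current user.
# The CurrentUser\Root view also shows the machine-wide roots, so subtract
# them by thumbprint to leave the user-only entries.
$machine = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }
$userOnly = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machine -notcontains $_.Thumbprint }

if (-not $userOnly) {
    'No user-only trusted roots for this account.'
} else {
    # Newest first: recently created roots are the ones to review first.
    $userOnly |
        Sort-Object NotBefore -Descending |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter,
            @{ Name = 'SelfIssued'; Expression = { $_.Subject -eq $_.Issuer } } |
        Format-Table -AutoSize -Wrap
}
```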
To see how you can manage trusted root certificates for a domain and how to add certificates to the Trusted Root Certification Authorities store for a domain, visit Technet.
RCC is a free Root Certificates Scanner that can help you scan Windows Root Certificates for untrusted ones.
Unable to use Windows SSL trust store #6584
Comments
knolleCC commented Aug 31, 2018
The JRE can be set to use the Windows trust store via javax.net.ssl.trustStoreType=Windows-ROOT.
Gradle seems to have its own trust store handling which does not respect this setting.
As far as I understand the code in DefaultSslContextFactory.java, there always needs to be a trust store file (javax.net.ssl.trustStore=SOME-FILE) or code will fall back to use the default JRE files.
Why does gradle not use the Java default method?
Actual problem:
I want to use a maven repository via HTTPS with a special company certificate.
Goal:
Support Windows trust store usage via javax.net.ssl.trustStoreType=Windows-ROOT/MY as the JRE does.
wendlm commented Sep 28, 2018
We encounter the same problem, which is very annoying actually, because we have to add our own company certificate to the JVM keystore each time we change the JVM.
hbdesiato commented Oct 22, 2018
There is a workaround: Just set javax.net.ssl.trustStore to any readable regular file. This file will be ignored if you set javax.net.ssl.trustStoreType=Windows-ROOT.
Adding the following lines to your gradle.properties file should work:
TTMaZa commented Apr 4, 2019
justin-michel-boeing commented Aug 21, 2019
Setting the trustStore property to the win.ini worked for me, but others on my team now can’t build and are getting IOException: Invalid keystore format
Is anyone acknowledging that this is a bug in gradle, and are there plans to fix it?
Empowerment begins with trust
To create a safer world empowered by digital transformation, we handle your data securely and in compliance with privacy and legal requirements.
“If we can’t protect people, then we don’t deserve their trust.”
—Brad Smith, President and Chief Legal Officer, Microsoft
Principles for maintaining data integrity in the cloud
Security
Learn about how we’re creating a safer world for digital transformation.
Privacy
We believe in the timeless value of privacy and preserve the ability for customers to control their data.
Compliance
We respect local laws and regulations and provide comprehensive coverage of compliance offerings.
Microsoft fully supports our commitment to security and data privacy as defined by internal and customer-driven requirements. This was a major differentiator for us.
Peter Baker, Senior IT Director, EMCOR Group