Viewing the Trusted Root certificates on a Windows system

1. Click on the Windows Start button, type mmc and hit Enter.
2. When prompted "Do you want to allow the following program to make changes to this computer" with the following information displayed, click on the "Yes" button:

   Program name:	Microsoft Management Console
   Verified publisher:	Microsoft Windows

3. Click on File and select Add/Remove Snap-in, then select Certificates and click on the Add button

   

4. A "Certificates snap-in window will open where you can choose from the following three options:

   This snap-in will always manage certificates for:

   • My user account
   • Service account
   • Computer account

   If you are interested in the certificates being used for the currently logged in account, leave the default selection of "My user account" selected and click on Finish and then OK.

   

5. If you click on "Certificates" under "Console Root" in the left pane of the window, you will then see a list under "Logical Store Name" in the middle pane.
   
   
   
   
   

   

   Double-click on "Trusted Root Certification Authorities".

   

6. Double-click on Certificates under the middle pane of the window. You will then see the list of Trusted Root Certification Authorities

   

In the example list of certificates above, one looks suspicious, DO_NOT_TRUST_FiddlerRoot. That one was installed on the system by malware, which set itself up as a proxy server on the system. A certificate, such as that one, can be removed by right-clicking on it and choosing Delete.

Another way to view the list of trusted root certificates is to issue the command certutil -viewstore root at a command prompt. You will see a "Windows Security" window appear similar to the following one:

When I scrolled to the bottom of that list, I saw the dubious DO_NOT_TRUST_FiddlerRoot certificate. If you click on one of the certificates in the list, you will see a "Click here to view certificates properties" link that will show you the same certificate details as can be seen when you click on one of the entries in the list obtained by the above method.

If you wish to view just a particular certificate in the list, you can specify the certificate issuer at the end of the command line, since the format for the viewstore option to the certutil command is certutil -viewstore [CertificateStoreName [CertID [OutputFile]]]. E.g., if I wanted to view just the suspicious one above, I could use the following:

C:\>certutil -viewstore root DO_NOT_TRUST_FiddlerRoot

That would open a window like the one below:

You can also create a .cer file containing the certificate as output from the command as shown below by putting an output file name as the last parameter on the command line following the parameter specifying the certificate issuer:

C:\>certutil -v -viewstore root DO_NOT_TRUST_FiddlerRoot FiddlerRoot.cer
root "Trusted Root Certification Authorities"
Saved certificate CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by htt
p://www.fiddler2.com: FiddlerRoot.cer
CertUtil: -viewstore command completed successfully.

In addition to opening the same window as above, that command creates a copy of the certificate and stores it in FiddlerRoot.cer. I could then right-click on the certificate file and choose "Open" to view details of the certificate or use it elsewhere.

References:

1. Manage Trusted Root Certificates
   Microsoft TechNet
2. How do I view the details of a digital certificate .cer file?
   Posted: December 23, 2010
   Server Fault

 

Justdeals Daily Electronics Deals

Created: Saturday January 10, 2015