Article ID: 931125 - Last Review: April 23, 2012 - Revision: 4.0

Windows root certificate program members

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.


INTRODUCTION

This article provides a download link to a list of the third-party certification authorities (CAs) that are trusted by Microsoft and whose root certificates are distributed via the Microsoft Root Certificate Program. This article provides information on how different versions of Windows update root certificates.

UPDATE INFORMATION

Windows Root Certificate Program Information

Root CAs - Microsoft maintains the list of root certificates distributed by the Microsoft Root Certificate Program on the Program website.
Click the following link to learn more about CAs who are members of the Program:

http://social.technet.microsoft.com/wiki/contents/articles/introduction-to-the-microsoft-root-certificate-program.aspx

Root Certificate Program Requirements - For a list of all the current general and technical requirements of the Windows Root Certificate Program, visit the following Microsoft TechNet Web site:

http://social.technet.microsoft.com/wiki/contents/articles/introduction-to-the-microsoft-root-certificate-program.aspx

Extended Validation Certificates (EV SSL) - For more information about the support for EV certificates in Internet Explorer 7 and later, visit the following Web site:

http://www.microsoft.com/windows/products/winfamily/ie/ev/default.mspx

Root Update Package (intended for Windows XP only)

For users who are running Windows XP, the root update package will update the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. The file is updated periodically to add or remove root certificates or CAs from distribution by the Program.

Root Update Package via the Microsoft Download Center

The file is available for download from the Microsoft Download Center:

Update for Root Certificates [April 2012] (KB931125)
http://www.microsoft.com/downloads/details.aspx?FamilyId=5b30c0c6-9b2b-47ec-982a-92f4d5dce2ef

Root Update Package via the Microsoft Update Catalog

The root update package is also made available via the Microsoft Update Catalog (http://catalog.update.microsoft.com/v7/site/Home.aspx), where users can search for and independently download it. Visitors to the Catalog can search on “root update” or on the KB article number for the Root Certificate Program, “KB931125”, and download the latest root update package. Root update packages are cumulative, so installing only the latest one is sufficient to receive all root certificates in the Program.


For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/) How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

MORE INFORMATION

How Windows Updates Root Certificates

Microsoft has introduced new root update mechanisms in different versions of Microsoft Windows. These mechanisms have progressively focused on distributing fewer root certificates, but on making distributions as seamless as possible when a root certificate is required and is distributed via the Windows Root Certificate Program. To understand the difference in root update mechanisms, it is most convenient to break Windows versions into two categories:

· OS versions that support automatic root update of individual root certificates, and

· OS versions that rely on an earlier, optional root update package (a package containing all the currently distributed root certificates).

On Windows client SKUs, Windows Vista and later fully support the automatic root update mechanism. Windows XP supports the automatic root update mechanism only partially (see the section “Windows XP” for details). It is recommended that versions of Windows prior to Windows Vista download the optional root update package containing all currently distributed root certificates.

Windows Vista, Windows 7

Root certificates on Windows Vista and later are distributed via the automatic root update mechanism – that is, per root certificate. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If it finds it, it downloads the current Certificate Trust List (CTL) containing the list of all trusted root certificates in the Program, and verifies that the root certificate is listed there; it then downloads the specified root certificate to the system and installs it in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error. To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically. In addition, Windows Vista and later client SKUs support weekly pre-fetching from Microsoft Update to check for updated root certificate properties (for example, extended validation (EV), code signing or server authentication properties, which are certificate properties added to a root certificate).

For detailed technical information about how Windows updates root certificates in Windows Vista and in later versions, visit the following website:
http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx


Windows XP

Windows XP does not fully support the automatic root update mechanism: when a root certificate is already present on a user’s system, it will not be updated even if the copy of the root certificate available on Microsoft Update has changed. Windows XP also does not support the weekly pre-fetching of certificate properties from Microsoft Update feature, and the only way to install new root certificate properties on Windows XP is by installing the root update package.

It is recommended that users running Windows XP download and install the root update package to update their root certificates. Root certificates are delivered for Windows XP via Microsoft Update as an optional root update package – an executable that contains every root certificate that is distributed by the Windows Root Certificate Program. Windows XP users can opt to download the package each time it is updated and presented by Microsoft Update, or they can opt to download the root update packages automatically when they are updated. The optional root update package is updated approximately 3-4 times per year, or every quarter.

For additional technical information about how Windows updates root certificates in Windows XP SP2 and SP3, visit the following Web site:

http://technet.microsoft.com/en-us/library/bb457160.aspx

Windows Server 2003, Windows Server 2008, Windows Server 2008 R2

The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partially, equivalent to the support on Windows XP. Because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

If you install the root update package on Windows Server SKUs, you may exceed the number of root certificates that Schannel can handle when it reports the list of trusted roots to clients in a TLS or SSL handshake, because the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs increases significantly in size and may grow too long. The list is then truncated, which may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base: 933430 (http://support.microsoft.com/kb/933430/) Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003.

NOTE: These limitations only apply if you have SSL client authentication enabled on Windows Server.
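The following PowerShell script is an added example, not part of this article or of any Microsoft tool: before installing the root update package on a server that requires SSL client authentication, it estimates how large the trusted-issuer list built from the machine Trusted Root store would be and compares it with the 0x3000 limit cited above. It assumes that the limit is a byte count over the encoded list, where each issuer is its DER-encoded subject name prefixed by a 2-byte length (the TLS 1.0 to 1.2 certificate_authorities vector) and that every certificate in Cert:\LocalMachine\Root is a candidate issuer.

```powershell
# Added example (not from the KB article). Assumption: the Windows Server 2003
# issuer-list limit of 0x3000 is a byte count over the encoded TLS
# certificate_authorities vector (2-byte vector length, then for each issuer a
# 2-byte length followed by the DER-encoded subject name of the root).
# Run in an elevated PowerShell session on the server being assessed.

$limit = 0x3000

# Every certificate in the machine Trusted Root store is treated as a candidate
# issuer that Schannel may advertise in a CertificateRequest message.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

$encodedBytes = 2   # length prefix of the vector itself
foreach ($root in $roots) {
    # SubjectName.RawData is the DER encoding of the root's subject DN.
    $encodedBytes += 2 + $root.SubjectName.RawData.Length
}

$summary = [pscustomobject]@{
    RootCertificates = $roots.Count
    IssuerListBytes  = $encodedBytes
    LimitBytes       = $limit
    ExceedsLimit     = ($encodedBytes -gt $limit)
}
$summary | Format-List

if ($summary.ExceedsLimit) {
    $msg = ("Estimated trusted issuer list is {0} bytes, above 0x{1:X} bytes. With SSL " +
            "client authentication enabled, expect a truncated list and Schannel " +
            "event ID 36885; see KB 933430 before installing the root update package.") `
           -f $encodedBytes, $limit
    Write-Warning $msg
}

# Largest contributors to the list, to help decide which roots the server
# actually needs for client authentication.
$roots |
    Sort-Object -Property { $_.SubjectName.RawData.Length } -Descending |
    Select-Object -First 10 -Property @{ n = 'Subject'; e = { $_.Subject } },
                                      @{ n = 'DNBytes'; e = { $_.SubjectName.RawData.Length } } |
    Format-Table -AutoSize
```

Run the script before and after installing the root update package to see how much the package adds; a result above the limit is the condition the NOTE above describes, and only matters when SSL client authentication is enabled.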

Root Update Package Installation on Disconnected Environments

It is recommended that systems running Windows client or server SKUs in disconnected environments (for example, where the automatic root update mechanism does not work because connectivity to Microsoft Update is not available) install the root update package. The root update package will install on Windows Vista and Windows 7 as a workaround in disconnected environments; however, it is not recommended that systems that have network connectivity to Microsoft Update install the root update package, because the automatic root update mechanism will work for them.

You can use Group Policy to distribute root certificates to a group of servers in a disconnected environment. Instructions on how to install root certificates using Group Policy are available here:

Windows Server 2003: http://technet.microsoft.com/en-us/library/cc738131(WS.10).aspx

Windows Server 2008: http://technet.microsoft.com/en-us/library/cc772491.aspx

Windows Vista includes a set of trusted third-party root certificates in the Crypt32.dll resource file so that these certificates can be used as a fallback when connectivity to Windows Update is not available. When auto root update is triggered, it first tries to download the trusted third-party root certificate from the network. In an offline environment, network retrieval fails, and CAPI then checks the resources in Crypt32.dll for the root certificate. If the root is present, it is used and installed in the root store. Windows 7 has similar behavior.

If auto root update is disabled, no attempt to retrieve the root is made. Therefore, the roots are not installed. Be aware that the resources in Crypt32.dll include only those certificates that were present in the root program at a time before the OS release. Any root certificates that were added later are not present in the resource, and such certificates are available only through the root-update package.


APPLIES TO
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Starter
  • Windows Vista Ultimate
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition 2005 Update Rollup 2
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Web Edition
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Starter
  • Windows 7 Ultimate
  • Windows HPC Server 2008 R2
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Web Server 2008 R2
Keywords: 
kbhowto kbexpertiseinter kbinfo KB931125