Which Root CAs do you really trust?

When I ask people which Root CAs they trust, they usually show me the list in Trusted Root Certification Authorities. Like this one, from a freshly installed Windows Server 2012:


But that is actually not the entire truth. If I start Internet Explorer on that computer and go to the SSL-enabled website https://www2.jobs.gov.hk I end up at a job site run by the Hong Kong government:


Everything look OK and I see no warnings or errors regarding certificates or trust.

Let’s look at the certificate for that page:


I apparently trust this end certificate. This must mean that the issuing CA of this certificate, Hongkong Post e-Cert CA 1 – 14, must chain up to one of the trusted CAs I have in the list in the first screenshot, right?

But if I go to the tab Certification Path on the certificate, I see that is it chains up to Hongkong Post Root CA 1:


Hmm, back to the list of trusted CAs and do a refresh. Lo and behold, I do trust Hongkong Post Root CA 1 now. I didn’t in the first screenshot.


What going on here? How did this trusted Root CA suddenly appear in the Trusted Root Certification Authorities store on my computer? Shouldn’t I at least have gotten the usual warning, like this one:


The fact is that you trust more CAs than the ones listed in your Trusted CAs store. A lot more. Today there are a total of 353 Root CAs that a standard Windows installation trusts.

If you go to this site you will get a complete list of all Root CAs that are in the so called Windows and Windows Phone 8 SSL Root Certificate Program. This list is continuously updated, the last CA was added in December 2012:
http://go.microsoft.com/fwlink/?LinkID=269988  (se update below)

Update 2016-03-23:
The link above no longer works, use this instead: http://aka.ms/trustcertpartners

Note that I only used Hongkong Post Office as an example. I might as well have used any of these examples, that you might not have known that you actually already trust:

  • China Internet Network Information Center EV Certificates Root
  • Cisco Root CA 2048
  • Japan Local Government PKI Application CA
  • Root CA    (this is from South Korea)
  • Swedish Government Root Authority v1
  • Staat der Nederlanden Root CA
  • U.S. Government FBCA
  • Visa eCommerce Root
  • etc…

So how does a computer know who to trust other than the ones already listed in the local Store?

When a check is performed to see if a certificate is valid and it encounters a cert that is not in the local trusted CA list it connects to Windows Update to check if it is listed there. If it is, it is added to the local store. If Windows Update is not reachable, a copy of the trusted Root CA certificates are stored in in the file crypt32.dll, but that list is not updated as often/quick as Windows Update. It does however enable you to restore the list of trusted CAs if you deleted them all by mistake and you at that point can’t reach Windows Update.

Many people assume that Windows 7 and newer OS:es trusts fewer CAs than XP, but that is not the case. What is shown is simply the most common and recently verified.

I’m not so sure that it is a good thing to “hide” trusted CAs, it might give people a false sense of security or control. At least it should be absolutely clear in the GUI that what is shown is only a subset. But hey, at least now you and I know it!

About Tom Aafloen

IT Security Advisor @ Onevinn
This entry was posted in PKI and tagged , , , , , , . Bookmark the permalink.

2 Responses to Which Root CAs do you really trust?

  1. Pingback: Get a free publicly trusted SSL-certificate | Microsoft Security Solutions

  2. Pingback: x.509 – Is the windows root trust store used by IE? | Artificia Intelligence

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s