Updating the Windows Root CA store
The Windows Root CA certificate store is updated automatically, but there are cases where this is not desirable or possible. In some cases, the Windows CTL Updater functionality might be disabled, e.g. to keep full control over the process on systems where this is a requirement. In other cases, end systems might lack connectivity to the Microsoft endpoints providing the updates (although these can also be replaced by local endpoints if required). In such cases, a mechanism to update the Windows Root CA store either on demand or offline might be required.

The certutil command allows for this, providing two useful parameters.

The -syncWithWU parameter allows for on-demand update of the Root CA store. This is useful when auto-update is disabled or when troubleshooting the auto-update process (e.g. if we have issues with some Root CA not being present or similar). The certutil command to be run would be:

    certutil -syncWithWU [DestinationDirectory]

Where [DestinationDir