Removing Root CAs from the Windows certificate store

In order to emulate how a particular client would behave when it comes to certificate path building, sometimes it is useful to be able to modify the content of a client's trust store. This can help e.g. to understand whether an old client, without a particular root CA certificate in its trust store, will be able to build a trusted path for a given server configuration.

In Windows, the attempt to delete from the certificate store certain root CAs will display a warning:


Selecting "Yes" and proceeding will briefly delete those root CAs from the trusted store but they will reappear shortly after, difficulting testing. This happens regardless of an available connection to the Internet, since this phenomenon does not rely on the Automatic Root Certificates Update mechanism.

In order to remove one of those root CAs and proceed with the testing, we first have to stop the Windows service that restores them, the "Cryptographic Services" service, which includes the "Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from the computer":


By default the service runs automatically, but during the testing phase we can switch it to "Manual" and stop it; switching it back to "Automatic" and restarting it afterwards.


 

Comments

Popular posts from this blog

Decoding OCSP GET requests

Signing a CSR with an Enrollment Agent certificate

Compacting an AD CS database