Update root certificates offline


Update Microsoft Roots offline

Normally Windows keeps its trusted roots current on its own: the Automatic Root Certificates Update mechanism pulls new roots from Windows Update (the author puts the cadence at roughly weekly). On machines without an Internet connection this never happens, so the roots have to be brought in offline.

Microsoft publishes the roots of the "Microsoft Trusted Root Certificate Program" through Windows Update. On a machine that does have Internet access we download them from there and pack them into an SST file (Serialized Certificate Store).

certutil does this from the command line in a single step:

certutil.exe -generateSSTFromWU roots.sst


Import certificates from an existing SST file:

The SST file can now be copied to any computer without Internet access and imported there. An SST file carries no signature, so move it over a channel you trust and compare its hash before importing: everything in that file becomes a trusted root for the whole machine. Run the import from an elevated PowerShell, since it writes to the LocalMachine store.

$sst = (Get-ChildItem -Path C:\Temp\roots.sst)
$sst | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root


Optional: list the installed roots, and show those that expire within the next 90 days:

Get-ChildItem Cert:\LocalMachine\Root | Format-List
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(90) }
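The steps above (generate the SST online, import it offline, check expiry) put together as one script for the offline side. This is an added example, not code from the original post; the path C:\Temp\roots.sst is assumed. Unlike the plain Import-Certificate call it first diffs the bundle against the Root store, imports only what is missing, and refuses a bundle that contains anything other than self-signed certificates, which should never end up in Root.

```powershell
# Added example: import roots.sst into Cert:\LocalMachine\Root with a sanity check.
# Assumption: the SST was generated with "certutil -generateSSTFromWU roots.sst"
# and copied to C:\Temp\roots.sst. Run in an elevated PowerShell.
$sstPath = 'C:\Temp\roots.sst'

# Load the serialized store into memory without touching any certificate store yet.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($sstPath)

# Thumbprints the machine already trusts.
$installed = @{}
Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $installed[$_.Thumbprint] = $true }

$missing = @($bundle | Where-Object { -not $installed.ContainsKey($_.Thumbprint) })
"{0} roots in SST, {1} already installed, {2} to import" -f $bundle.Count, ($bundle.Count - $missing.Count), $missing.Count

# Only self-signed certificates belong in Root. A tampered or wrong bundle
# (an intermediate, a leaf) is a reason to stop, not to import.
$suspect = @($missing | Where-Object { $_.Subject -ne $_.Issuer })
if ($suspect.Count -gt 0) {
    $suspect | Format-Table Subject, Issuer, Thumbprint -AutoSize
    throw "SST contains non-self-signed certificates; refusing to import"
}

if ($missing.Count -gt 0) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    foreach ($cert in $missing) { $store.Add($cert) }
    $store.Close()
}

# Roots that expire within the next 90 days, oldest first.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(90) } |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

Run it once with the import block commented out to see what would change; the count line and the self-signed check tell you whether the SST is what you expect before anything is trusted.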

Alternatively, use the Certificate Trust List (STL). This is the signed list that Windows itself consumes during the automatic update; Microsoft refreshes it about every two months. The download is a cabinet file that contains authroot.stl.

Download:

https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Import via CMD (unpack the cab first, for example with expand.exe, to obtain authroot.stl):

certutil -addstore -f root authroot.stl

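The STL path as a script: download the cab on a connected machine, extract authroot.stl with expand.exe (Expand-Archive cannot open .cab), inspect it, and register it with certutil. This is an added example, not code from the post; the working directory C:\Temp\ctl is assumed. Only authroot.stl needs to travel to the offline hosts, where the last two commands are run.

```powershell
# Added example: fetch and import the Microsoft root CTL (authroot.stl).
# Assumption: C:\Temp\ctl is a scratch directory. Run elevated.
$work = 'C:\Temp\ctl'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cab = Join-Path $work 'authrootstl.cab'
$stl = Join-Path $work 'authroot.stl'

# Online machine: download the cabinet (URL from the post).
Invoke-WebRequest -Uri 'https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab' -OutFile $cab

# expand.exe ships with Windows and handles .cab; pull out only the STL.
& expand.exe $cab -F:authroot.stl $work | Out-Null
if (-not (Test-Path $stl)) { throw "authroot.stl was not extracted from $cab" }

# Look at the CTL before trusting it (signer and entries are listed by certutil).
& certutil.exe -dump $stl | Select-Object -First 40

# Offline machine: register the CTL in the machine Root store. -f overwrites an
# older copy. Check the exit code; certutil prints an error but does not throw.
& certutil.exe -addstore -f Root $stl
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
```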

Alternatively, download the certificate files themselves. certutil -syncWithWU writes the individual root certificates (one .crt per root, named by thumbprint) together with the STL cabinet files into the target directory, here a share on DC10; -f overwrites files that are already there:

Download:

certutil -syncWithWU -f \\DC10\roots

Instructions and GPO for download

SHA256: 2ED90DE640A0BE75CA4C353D0489DD416914D1D4B38F6468A17D99640EAA4B98
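On the offline clients the share filled by certutil -syncWithWU can be consumed in two ways: import the .crt files directly, or point the built-in Automatic Root Certificates Update at the share so clients keep refreshing from it. The script below does both. It is an added example, not code from the post; \\DC10\roots is the share from the post, and the registry value RootDirURL under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate is Microsoft's documented override for the download location. Run it elevated.

```powershell
# Added example: import roots from a share populated by "certutil -syncWithWU"
# and redirect automatic root updates to that share.
# Assumption: \\DC10\roots is readable by the machine account. Run elevated.
$share = '\\DC10\roots'

# Thumbprints the machine already trusts, so re-runs are idempotent.
$installed = @{}
Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $installed[$_.Thumbprint] = $true }

$imported = 0
foreach ($file in Get-ChildItem -Path $share -Filter *.crt) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
    if ($installed.ContainsKey($cert.Thumbprint)) { continue }
    # Root must only hold self-signed certificates; anything else on the share is wrong.
    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning "Skipping $($file.Name): not self-signed, does not belong in Root"
        continue
    }
    Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    $imported++
}
"Imported $imported new root certificates from $share"

# Let the Automatic Root Certificates Update mechanism fetch from the share
# instead of Windows Update (documented RootDirURL override, file:// form).
$key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name RootDirURL -Value "file://$share" -Type String
```

The RootDirURL setting is what the GPO linked above configures centrally; setting it per machine here is the manual equivalent. Keep the share read-only for clients: anyone who can write to it can add a trusted root to every machine that imports from it.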
