Checking suspicious (root CA) certificates
I was just looking at my certificate store and saw a bunch of root CAs that look kind of suspicious; specifically numerous ones that:

  • have ALL CAPS text
  • use foreign languages/text
  • have extremely long expiration dates
  • include every certificate purpose possible

I strongly believe that some of these are bad (the Intermediate CA list looks clean, only the Root CA list looks bad). However, there are enough certificates in the store to make investigating each one a real chore. (I see in the Event Log that Windows has not auto-updated the trusted third-party root list for over two weeks.)

Does anyone know of a way to verify certificates and weed out the bad ones (or at least to manually trigger an update)?
  • In the meantime, I (1) downloaded the latest CA update, (2) manually removed every item from every part of the certificate store, (3) stopped cryptsvc, deleted catroot2, started cryptsvc, and (4) applied the update. Hopefully a less scorched-earth method can be found so that legitimate certificates don't get wiped out like this, since they are not included in the update from Microsoft.
    – Synetech, Mar 14 '12 at 19:07

  • Think you got yourself an answer.
    – Belmin Fernandez, Mar 14 '12 at 21:46

  • @BeamingMel-Bin, it’s more of a work-around than a solution. I blasted the whole thing, including valid certs that Microsoft doesn’t include. I’m looking more for a program or website that lets you scan or submit certs.
    – Synetech, Mar 15 '12 at 1:00

  • Hm, perhaps I'm misunderstanding what you meant by "bad ones", since it's all based on trust. Do you mean that you believe some are compromised (i.e., the private key is out in the wild)? Otherwise, it seems like cleaning out your current store and adding ones you trust or trust by association (Microsoft-trusted and your own) is your only option.
    – Belmin Fernandez, Mar 15 '12 at 1:37

  • I mean that it looks like a bunch of bad ones have somehow been snuck in there, ones that allow sites and files to be trusted when they shouldn’t, hence the long expiration dates and full privileges.
    – Synetech, Mar 15 '12 at 2:49
Tags: windows-xp, security, certificate, trusted-root-certificates

asked Mar 14 '12 at 18:40 by Synetech (edited Mar 14 '12 at 18:45)

2 Answers
You can have a look at Debian's list of certificates, and weed out the ones that are not there; then apply the latest Microsoft CA update and add the ones you have installed manually. But as Debian says:

    Please note that certificate authorities whose certificates are included in this package are not in any way audited for trustworthiness and RFC 3647 compliance, and that full responsibility to assess them belongs to the local system administrator.

answered Aug 28 '12 at 10:34 by tricasse

  • I had already tried deleting all of the certs and installing the latest update, but it didn’t help.
    – Synetech, Aug 28 '12 at 15:30

You can quickly find out which ones weren't included originally by running Sigcheck (sigcheck.exe -tv *), which compares the root CAs on your local computer against a list it downloads from Microsoft and then outputs the difference. Those certs which didn't come from Microsoft must have been introduced by yourself or by a piece of software (e.g. antivirus for SSL inspection). In my case there was only one I didn't recognize, and I immediately disabled it.

answered Nov 28 at 23:30 by darmual
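Both answers reduce to the same check: compare the contents of the local Root store against a reference list you have decided to trust (Debian's ca-certificates bundle in the first answer, the Microsoft list that Sigcheck downloads in the second) and examine whatever is left over. The PowerShell script below is an added example that performs that comparison locally; it is not code from the page, from Sysinternals or from Debian. It assumes you have copied a PEM bundle of trusted roots to C:\audit\ca-certificates.crt (a hypothetical path; Debian's /etc/ssl/certs/ca-certificates.crt is one possible source), identifies each root by its SHA-1 thumbprint, and treats the traits listed in the question only as secondary hints, because ALL-CAPS names, non-English subjects, multi-decade validity and the absence of an EKU extension are all normal for legitimate roots in Microsoft's root program. Unlike sigcheck.exe -tv, which queries the machine store unless you add -u, it walks both the LocalMachine and the CurrentUser Root store, since a root added for a single user is enough to make that user's browser accept a forged site certificate. The 40-year validity threshold is an arbitrary assumption.

```powershell
# Added example, not from the original page: audit the Trusted Root
# Certification Authorities stores against a reference PEM bundle and
# report roots that are absent from it or otherwise stand out.
#
# Assumptions (hypothetical, not stated on the page):
#   * $ReferenceBundle is a PEM file of roots you trust, e.g. a copy of
#     Debian's /etc/ssl/certs/ca-certificates.crt.
#   * A root is identified by its SHA-1 thumbprint.
#   * $MaxValidityYears is an arbitrary threshold for "extremely long".
param(
    [string]$ReferenceBundle = 'C:\audit\ca-certificates.crt',
    [int]$MaxValidityYears = 40
)

# Parse every "-----BEGIN CERTIFICATE-----" block in a PEM bundle into a
# hashtable keyed by SHA-1 thumbprint. An empty table is returned when the
# file is missing so the remaining heuristics still run.
function Get-ReferenceThumbprints([string]$Path) {
    $table = @{}
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Reference bundle $Path not found; skipping reference comparison"
        return $table
    }
    $text    = [System.IO.File]::ReadAllText($Path)
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    $blocks  = [regex]::Matches($text, $pattern, [System.Text.RegularExpressions.RegexOptions]::Singleline)
    foreach ($block in $blocks) {
        $der  = [Convert]::FromBase64String(($block.Groups[1].Value -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        $table[$cert.Thumbprint] = $true
    }
    return $table
}

# Return the reasons a root deserves a look (nothing returned = nothing
# notable). The reference comparison is the real test; the others are the
# traits from the question, which legitimate roots commonly share.
function Test-SuspiciousRoot {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [hashtable]$Reference,
        [int]$MaxYears
    )
    $reasons = @()
    if ($Reference.Count -gt 0 -and -not $Reference.ContainsKey($Cert.Thumbprint)) {
        $reasons += 'not in reference bundle'
    }
    if ($Cert.NotAfter -gt $Cert.NotBefore.AddYears($MaxYears)) {
        $reasons += ('validity of {0:N0} days' -f ($Cert.NotAfter - $Cert.NotBefore).TotalDays)
    }
    # A root store should hold only self-signed certificates.
    if ($Cert.Subject -ne $Cert.Issuer) {
        $reasons += 'issuer differs from subject'
    }
    # No EKU extension is what the Windows UI shows as "all purposes".
    $hasEku = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) { $hasEku = $true }
    }
    if (-not $hasEku) { $reasons += 'no EKU restriction (all purposes)' }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $reasons += 'outside its validity period'
    }
    return $reasons
}

# Walk both scopes: a root trusted only by the current user still makes
# that user's browser accept certificates chaining to it.
$reference = Get-ReferenceThumbprints -Path $ReferenceBundle
$findings  = @()
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    foreach ($cert in $store.Certificates) {
        $reasons = @(Test-SuspiciousRoot -Cert $cert -Reference $reference -MaxYears $MaxValidityYears)
        if ($reasons.Count -gt 0) {
            $findings += New-Object PSObject -Property @{
                Store      = $location
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter.ToString('yyyy-MM-dd')
                Reasons    = ($reasons -join '; ')
                Subject    = $cert.Subject
            }
        }
    }
    $store.Close()
}
$findings | Sort-Object Store, Subject | Format-Table -AutoSize Store, Thumbprint, NotAfter, Reasons, Subject
```

Run it from an elevated PowerShell prompt on the machine being audited. Only "not in reference bundle" is a strong signal, and even that needs a manual look: the bundle is a point-in-time snapshot from a different vendor's root program, so a root Windows pulled in through its own root update can legitimately be missing from Debian's set. The other reasons are the question's own heuristics and will fire on plenty of genuine roots. For a root you do not recognise, disable its purposes in the certificate manager rather than deleting it, so it can be restored if it turns out to be legitimate.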
