Windows Update has a download for âWindows Root Certificatesâ. It was not critical and I did not know what it was. So a long time
ago, I did not download it and turned the download off.
A search on Google gives me differing information on whether Windows Root Certificates are good or bad, or maybe even
dangerous?
What are Windows Root Certificates and should I download and install them?
Root Certificates are one of the fundamental pieces of public key cryptography used by browsers and other services to validate
certain types of encryption. For example, the root certificates are used whenever you connect via an https connection to make sure
that youâre connecting to who you think you are.
]]>
As usual, I have to throw out this disclaimer to keep the pedants at bay: this is of necessity, an over simplification. Iâm not trying to cover the nitty gritty details, just explain the general concepts.
Iâm also going to be tossing the terms âkeyâ and âcertificateâ around kinda loosely. While there are technical differences, again for the purposes of this discussion thatâs irrelevant.
âą
First, a little diversion into âpublic key cryptographyâ.
By now youâre probably already aware of âsymmetric key cryptographyâ â thatâs where you use a single key or password to scramble or encrypt some data. Only with that same key or password can you unscramble the data back into its original form. While itâs in its encrypted form the data is unrecognizable.
âAsymmetric key cryptographyâ relies on some very complicated (and pretty cool) math to generate
two keys: Iâll call them âAâ and âBâ. Anything you encrypt with A can only be decrypted with B, and anything
encrypted with âBâ can only be decrypted with âAâ. And yes, Iâll admit that itâs kind of magical that such a thing is even
possible. 
âPublic key cryptographyâ makes one of those two keys public and available to anyone, and keeps the other key private and secret. In fact, hereâs public key I use. Thatâs important because:
-
Anything you encrypt using my public key is something that only I can decrypt. You want to make sure that Iâm the only person who can see something? Encrypt it using my public key.
-
Anything I encrypt using my private key is something that can be decrypted by anyone, but it can only be decrypted using my public key. Thatâs useful, because if you can successfully decrypt something using my public key then you know that only I could have encrypted it.
I want to reiterate that second point again because itâll be important in whatâs to come: if I encrypt something with my private key, you can absolutely confirm that only I could have encrypted it by using my public key.
âą
Next, we need to talk a little about âcryptographic signingâ.
Letâs say I create a message, and I encrypt it using my private key. When I send you the message I send both the unencrypted and encrypted versions.
You might call the version encrypted with my private key my âsignatureâ because it can prove two things:
-
if you can decrypt it using my public key, youâve proven that the message could only have been encrypted with my private key â in other words, youâve proven that the message came from me
-
if the message you decrypt matches the unencrypted version, then youâve proven that the unencrypted version was not tampered with or altered between the time I sent it and the time you saw it
(In practice itâs not the entire message thatâs encrypted, but rather a mathematical âhashâ of the message â a calculated number thatâs much smaller in size but that can serve the same validation purpose.)
âą
So hereâs a question: how do you know that my public key is, in fact, my public key and not a fake?
Thatâs the dilemma that secure websites face when they use public key cryptography to secure their connections. It works like this:
-
Your browser contacts the remote secure site saying âletâs talk, securelyâ.
-
The remote site says âsure, hereâs my public key so we can encrypt thingsâ
-
Your browser encrypts the rest of the information it sends using that public key so that only that web site can decrypt it.
How do you know that the site you connected to in the first step is who you think it is? They gave you a public key that might well claim to be them, but they could be faking it.
The answer is that the public key is, itself signed by a âcertificate authorityâ.
When I created https://secure.pugetsoundsoftware.com I engaged with a company â Equifax â to generate the public and private keys that the site would use to encrypt the connection. (There are several companies that do this.) After validating who I was, they then signed the public key â that is, they encrypted my public key using their private key, and included both the unencrypted and encrypted versions of my public key in the result.
Now, letâs look at that https conversation in a little more detail:
-
Your browser contacts the remote secure site saying âletâs talk, securelyâ.
-
The remote site says âsure, hereâs my public key so we can encrypt thingsâ
-
Your browser then decrypts and checks the signature included with that public key. If that works, and the key was signed by someone your browser knows is a trusted signer, then that public key could only have come from the actual site it claimed to have come from and no other. You know with certainty who youâre talking to.
-
Your browser encrypts the rest of the information it sends using that public key so that only that web site can decrypt it.
âBut waitâ, I hear you saying, âdonât you need a public key to decrypt the signature in that third step?â
Yes. Yes you do.
Thatâs a root certificate.
Windows and your browser securely maintain a predefined set of public keys on your machine for each of the official certificate authorities. When your browser establishes a new https connection it validates the signature on the public key it gets from the site using one of those trusted root certificates.
The reason that Windows manages the root certificates is that it needs to be done securely. Itâs important that only official and trusted root certificates are made available on your machine. You donât want to be trying to get them âon the flyâ off the internet as you need them either, because of the potential for malicious interception. They need to be securely maintained and placed on your machine by Windows Update, or by some other authority charged with the responsibility.
As I said, there are actually several certificate authorities. I happened to use Equifax, a more recognizable name might be VeriSign, but in reality there are well over 100.
And, the list changes from time to time as authorities update their own certificates, and authorities are added to or removed from the list. Hence the âRoot Certificate Updateâ youâll occasionally see in Windows Update.
Thank you for that excellent explanation. Iâve never understood that stuff. SoâŠyou neglected to spell it out explicitly, but itâs pretty obvious. In answer to your questionerâs question, yes, it sounds like you should download and install them.
I notice they are not mandatory downloads. Are they ever mandatory and if not, why? This seems as critical an update as any security update.
01-Oct-2009
Thank you for the excelent explaination of this process. Iâm in net+ training and prepping for the test. Now it all makes sense.
Iâm missing the part where your web site receives public + private key from the CA and uses the private key to decrypt the message from the browser?
hi,
that is reasonably well explained, but just to be complete: Does windows update use a secure way to send you their root certificates (and other updates)? It might be worth mentioning, cause anyone attempting to understand this should immediately wonder about this, lest they have not understood it.
11-Jul-2010
Leo â
What a fascinating article! Now I know that I should download at least one of the non-high priority Microsoft Updates.
Question #1: In the second bullet point under the section for âcryptographic signing,â why is it necessary (or even beneficial) to match the decrypted version with the unencrypted version â why not just go with the decrypted version as the genuine version? Wouldnât this skip a step where something can go wrong in the verification of a public key?
Question #2: Early in the Microsoft Update process, a brief message flashes on my PC XP screen that says in part: âIf you see an ActiveX warning, make sure the control is digitally signed by Microsoft before installing it or allowing it to run.â Based on this article, it seems like I can ignore this message because it is the PC browser â not the user â that does the verification of the digital signature. Is this correct?
ThanksâŠ
Really good article at explaining the use and need for certificates. the problem I am having is actually finding and updating my certificates on an old XP when the windows update wonât install because I donât have the certificate and I canât get the certificate because the windows update wonât install because i donât have a certificate and I canât get a certificate because the windows update wonât installâŠ.this circular problem is driving me crazy. i even tried importing certificates from a newer updated version of XP and I still get an error message when trying to install adobe flash or windows installer. Is there another article where this issue is addressed? Iâve tried the microsoft site and what they recommend (importing certificates) still doesnât help. Thanks
I always thought public keys are only used to to encrypt the message which can be only decrypted by the corresponding private key. But above, during the signing process you are saying that Root CA public key is used to decrypt the âencrypted public keyâ that was received as part of the certificate. I know what you have said is correct..but Iâm not able to understand..it..can you please take a moment to explain..!
Perfect , now I understand what root cert is.
-good job.
-Atul
What happens if I delete them all from chrome? Will the ones I still want ask to come back? Iâd like to clear my settings to troubleshoot for malware.
11-Jul-2012
Nice article. I have a question â if some root CA published its certificate on the site (without) https, should I trust them?
16-Apr-2013