I do have a provider that complains the trusted root certificates on our several Windows server systems (2008, 2012, 2016, 2019) are outdated. For sure "Turn off Automatic Certificate Update" is not configured on any of those systems and thus the root storage should be updated.

Anyway, is there a simple automated way (or even a slick tool) that would compare the actual installed trusted root certificates on a Windows system against the newest trusted root on the internet?

- download the latest root certificates with "certutil -generateSSTFromWU WURoots.sst".
- do some magic with the PowerShell *CERT* commands (see "Get-Command *CERT*").
- do compare serial numbers, thumbprint, etc.

Perhaps there is a tool around which would do what I'd need?

Besides comparing, is there a simple way to force the root certificates to be updated?

- certutil -generateSSTFromWU WURoots.sst.
- select the certificates I need and export it into an own.
- use Import-Certificate (or distribute over GPO).
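
One way to script the comparison asked about above, as an added example that is not part of the original post: it downloads the Windows Update root list with the certutil command quoted in the post and diffs it against Cert:\LocalMachine\Root by thumbprint. The temp-file paths and the Status labels are assumptions chosen for illustration.

```powershell
# Added example: compare the local machine Root store with the current
# Windows Update root list. File locations below are assumptions.
$sstPath = Join-Path $env:TEMP 'WURoots.sst'
$csvPath = Join-Path $env:TEMP 'RootStoreDiff.csv'

# Download the current trusted roots from Windows Update (command from the post).
certutil.exe -generateSSTFromWU $sstPath | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $sstPath)) {
    throw "certutil could not download the root list (exit code $LASTEXITCODE)"
}

# An .sst file is a serialized certificate store; the .NET collection reads it directly.
$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($sstPath)

# Roots currently trusted by this machine.
$localRoots = Get-ChildItem -Path Cert:\LocalMachine\Root

# Compare on thumbprint (hash of the whole certificate), not on subject name:
# a CA can reissue a root under the same name with a different key or validity.
$diff = Compare-Object -ReferenceObject @($wuRoots) -DifferenceObject @($localRoots) `
    -Property Thumbprint -PassThru

$report = $diff | Select-Object `
    @{ Name = 'Status'; Expression = {
        if ($_.SideIndicator -eq '<=') { 'MissingLocally' }   # in WU list, not installed
        else { 'NotInWindowsUpdateList' }                     # installed, not in WU list
    } },
    Thumbprint, SerialNumber, NotAfter, Subject

# Locally installed roots that Windows Update does not list deserve a manual look:
# they are typically internal enterprise CAs, but can also be roots that were
# removed from the program or added by software on the host.
$report | Sort-Object Status, Subject | Format-Table -AutoSize
$report | Export-Csv -Path $csvPath -NoTypeInformation

"{0} roots in Windows Update list, {1} installed locally, {2} differences (see {3})" -f `
    $wuRoots.Count, @($localRoots).Count, @($report).Count, $csvPath
```

A root reported as MissingLocally is not by itself a fault: while automatic root update is enabled, Windows adds a trusted root to the store on demand the first time a certificate chain needs it.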