How To Install/Update Root Certificates In Windows 11 (2023)

Root Certificates are embedded throughout the operating system. Also known as Trusted Root Certificates, they are created by a Certificate Authority (CA) and attest that a website or piece of software is who it claims to be. A Root Certificate is, in effect, a digital certificate of authentication.

By default, Windows 11 updates its root certificates over the internet via Windows Update at least once a week, using a Trusted Root Certificate List (CTL). However, if your device is not connected to the internet, certificates will likely expire over time, which can cause certain scripts and applications to stop functioning properly or cause problems while browsing the internet.

Let us help you avoid this problem by showing you how to update your system’s Root Certificates.

Before we begin, let us guide you on how to see and manage the Root Certificates on Windows 11 and find out which certificates are expired or about to expire.

View trusted root certificates using the Certificate MMC

Windows comes with various Management Consoles that are used for managing different aspects of the operating system. One of these consoles is the Certificate Management Console.

This is a convenient way to view and manage Root Certificates if you prefer the Graphical User Interface (GUI). Otherwise, you can obtain the same information through Windows PowerShell, which we discuss in the next section.

Follow the steps below to launch the Certificate Management Console:

  1. Start by typing in mmc.exe in Run to launch Microsoft Management Console.
  2. From the top menu, click File and then click Add/remove snap-in.
  3. From the pop-up window, select Certificates under “Available Snap-ins” and then click Add.
  4. In the next window, select Computer account and click Next.
  5. Leave the default setting on the next page and click Finish.
  6. Back in the Add/Remove Snap-in window, click OK.
  7. Now, on the console, navigate to the following using the left pane:
    Certificates (Local Computer) >> Trusted Root Certification Authorities >> Certificates

Here, you can view all the active and expired Root Certificates on your machine in the middle pane. The issuing CA is listed under the “Issued by” column, and the expiry date is shown in another column.

View trusted root certificates using Windows PowerShell

Another way to obtain the information on the Root Certificates is through PowerShell. Run the following command in Windows PowerShell with administrative privileges to obtain the details:

Get-ChildItem Cert:\LocalMachine\Root | Format-List

As you may notice, this command provides the details of all Root Certificates, which may be a bit overwhelming. If you only want the certificates that have expired or will expire within the next 40 days, use the following command:

Get-ChildItem cert:\LocalMachine\root | Where {$_.NotAfter -lt (Get-Date).AddDays(40)}
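
A fuller audit built on the command above, as an added example that is not part of the original article: it reports the days remaining for every root certificate in both the machine and the current-user store and flags entries whose subject and issuer differ. The function name Get-RootCertAudit and its parameters are assumptions for illustration.

```powershell
# Added example (not from the original article). Get-RootCertAudit is a
# hypothetical helper name; the 40-day window mirrors the command above.
function Get-RootCertAudit {
    param(
        [int]$WarnDays = 40,
        [string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $now = Get-Date
    foreach ($path in $Store) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $status = if ($cert.NotAfter -lt $now) {
                'Expired'
            } elseif ($cert.NotBefore -gt $now) {
                'NotYetValid'
            } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
                'ExpiringSoon'
            } else {
                'Valid'
            }
            [pscustomobject]@{
                Store      = $path
                Status     = $status
                DaysLeft   = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
                NotAfter   = $cert.NotAfter
                # Root CA certificates are self-issued (subject equals issuer).
                # This is a name comparison only, not a signature check.
                SelfIssued = ($cert.Subject -eq $cert.Issuer)
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
            }
        }
    }
}

$audit = Get-RootCertAudit

# Everything that is expired, not yet valid, or inside the warning window.
$audit | Where-Object Status -ne 'Valid' | Sort-Object DaysLeft |
    Format-Table Status, DaysLeft, Store, Thumbprint, Subject -AutoSize

# Entries in a root store that are not self-issued deserve a closer look.
$audit | Where-Object { -not $_.SelfIssued } |
    Format-List Store, Thumbprint, Subject
```

The current-user store is included because certificates added there are trusted for that user even though they never appear under Certificates (Local Computer) in the console.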

Now that you know how to manage the Root Certificates, let us update them.

Update root certificates from a remote computer

One way to update the Root Certificate(s) is to copy a valid certificate that is already installed on another computer, and then install it on your device. The process is simple, as Windows is already equipped to export and import Root Certificates. However, to do this, make sure that both the source and the destination operating systems are the same.

We have divided this method into “Exporting a Root Certificate” and “Importing a Root Certificate” for your convenience.

Export Root Certificates

You need to begin by identifying the certificate that you need to update. Once done, follow the steps below to export the certificate:

  1. Open the Certificate Management Console on the source computer (as discussed earlier in this post).
  2. From there, right-click on the certificate that you want to move to another device, expand All Tasks from the context menu, and then click Export.
  3. The Certificate Export Wizard will now be open. On the welcome screen, click Next.
  4. Click Next on the next screen while leaving the default settings.
  5. On the next screen, click Browse and save the .cer file with a name of your choice, then click Next.
  6. On the final screen, confirm the settings and click Finish. Then click Ok on the confirmation dialog box.

You will now see the exported .cer file at the destination you chose in step 5. Copy this file onto a USB flash drive and plug it into the target system for the Root Certificate to be installed.

Import Root Certificates

Now copy the .cer file from the flash drive to any location on the target system and follow the steps below to import it.

  1. Open the Certificate Management Console on the source computer and navigate to the Certificates folder from the left pane.
  2. Right-click Certificates, expand All Tasks, and click Import from the context menu.
  3. On the welcome screen of Certificate Import Wizard, click Next.
  4. Click Browse on the next screen and select the .cer file which has been exported from another computer, then click Next.
  5. Now select “Automatically select the certificate store based on the type of certificate” and click Next.
  6. On the final screen of the wizard, click Finish.

The certificate will now be updated on your computer which you can see through the Certificate Management Console.

Another way to install this exported certificate is directly through the .cer file. Double-click the .cer file to launch it. From the certificate, click Install Certificate.

The Certificate Import Wizard will now be launched. From there, select Local Machine as the Store Location and then click Next.

The remaining steps for importing the certificate are the same as discussed above.

From an SST File

Serialized Certificate Store Format (SST) files are certificates created directly from a CA. An SST file contains certificates used to authenticate the identities of websites, apps, and programs.

The SST file can be downloaded on demand from Microsoft using Windows Update so you may have all the latest certificates at once.

Let us show you how to download the file, and then discuss different methods to install it.

Download Latest Root Certificates for Windows

Downloading the latest SST file with the latest Root Certificates is easy. Begin by creating a new folder using File Explorer where the SST file will be stored. Then, launch the Command prompt with administrative privileges and navigate to the empty folder you have created using the command below.

cd /d "PathToFolder"

This is where the SST file will be downloaded. Replace PathToFolder with the complete path of the empty folder.

Now run the following command to download the latest certificates in an SST file:

certutil.exe -generateSSTFromWU roots.sst

You will now find that the SST file has been downloaded. This file contains all the latest Root Certificates. You can now install them all at once, or one-by-one (only the ones that are required).

Install All Certificates using SST File

Once you open the downloaded roots.sst file, you will see that it holds many certificates. In our case, it holds 436 files. These can all be installed instantly using Windows PowerShell. Here is how:

  1. Open PowerShell with administrative privileges.
  2. Now run the following command while replacing CertPath with the complete path to the downloaded SST file:
    $sstStore = (Get-ChildItem -Path CertPath\roots.sst)
  3. Next, paste the following command to import all the certificates on your PC:
    $sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

You will now find that the certificates have been imported to your machine from the downloaded SST file. You can verify this through the Certificate Management Console.
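
Before running the bulk import, it helps to see what roots.sst would add to the machine. The following is an added example, not part of the original article: it loads the SST file into memory, compares thumbprints against the existing root store, and lists the certificates that are new and still valid. The function name Compare-SstToRootStore and the relative path .\roots.sst are assumptions for illustration.

```powershell
# Added example (not from the original article). Compare-SstToRootStore is a
# hypothetical helper name; .\roots.sst is assumed to be the downloaded file.
function Compare-SstToRootStore {
    param(
        [Parameter(Mandatory)][string]$SstPath,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    # Load the serialized store into memory; no trust store is modified.
    $sst = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $sst.Import((Resolve-Path -LiteralPath $SstPath).ProviderPath)

    # Index the thumbprints that are already trusted on this machine.
    $installed = @{}
    Get-ChildItem -Path $StorePath | ForEach-Object { $installed[$_.Thumbprint] = $true }

    $now = Get-Date
    foreach ($cert in $sst) {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $now)
            InStore    = $installed.ContainsKey($cert.Thumbprint)
        }
    }
}

# Record this hash on the machine that ran certutil and compare it again
# after the file has been copied to the machine where it will be imported.
Get-FileHash -Algorithm SHA256 -LiteralPath .\roots.sst

$report = Compare-SstToRootStore -SstPath .\roots.sst

# Summary: how many certificates are already present and how many are expired.
$report | Group-Object InStore, Expired -NoElement

# Certificates the import would add that are still within their validity period.
$report | Where-Object { -not $_.InStore -and -not $_.Expired } |
    Sort-Object Subject | Format-Table Thumbprint, NotAfter, Subject -AutoSize
```

Nothing in this block changes a certificate store; the Import-Certificate command in step 3 is still what performs the installation.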

Install Individual Root Certificates using SST File

Another method is to install the Root Certificates from an SST file one by one. This may take a while, but it is the method to use when you wish to install only specific certificates.

To do so, open the SST file by double-clicking on it. It will open in a console identical to MMC. From there, you can export a certificate and then import it on the local machine using the method we have already discussed above.

Alternatively, you can also double-click on the certificate and install it directly.

From an STL File

Serialized Certificate Trust List (STL) files also contain Root Certificates, but the file formatting is different than an SST file. Microsoft maintains an STL file you can download to obtain the latest Root Certificates for your Windows. The STL is updated twice a month.

Download Latest STL File

Once downloaded, extract its content using a third-party compression/decompression tool. The extracted folder should now contain only one STL file. You may then proceed to import the file using Command Line Interface (CLI).

Launch the Command Prompt with administrative privileges and navigate to the extracted folder using the Change Directory command:

cd /d "PathToExtracted"

Replace PathToExtracted with the complete path to the extracted folder.

Now paste the following command to import the certificates within the STL file.

certutil -addstore -f root authroot.stl

You can now confirm that the latest certificates have been installed using the Certificate Management Console.

Final Thoughts

Although it may not seem like it, Root Certificates are essential for your daily work on a PC: they establish trust and take part in authorization handshakes with other components in the background while you continue with your work.

However, once a certificate has expired, it can be safely deleted, as it is no longer valid. That said, we recommend that you install a new, valid certificate in its place before removing the old one.

Subhan Zafar

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).


How do I update Certificates in Windows 11?

Now, back in the MMC console tree, navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings, then Public Key Policies. Double-click Certificate Path Validation Settings, and then select the Stores tab.

How do I update my expired root certificate?

If you are impacted by an expired root CA certificate, you have two options: 1) re-install the certificate or 2) get a new certificate from a different CA. The first option varies from client to client, with some taking only a few minutes to fix the issue, while others face bugs and errors along the way.

How do I renew my expired root certificate?

Open the Certificate Authority utility in Administrative Tools. Right click the Root CA name and select All Tasks. Select Renew CA Certificate. It will ask if it is ok to stop the Certificate Services.

How do I enable root certificates update?

Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings. Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.

How to install root certificate?

To install a CA root certificate:
  1. In your browser, go to the options where you manage certificates. ...
  2. Click Import and select the CA's root certificate. ...
  3. In Internet Explorer, use the Browse button to enter Trusted Root Certification Authorities in the Certificate Store field.

How do I manually update a certificate?

  1. Generate a Certificate Signing Request (CSR)
  2. Select your SSL certificate.
  3. Select the validity (1-year or 2-year)
  4. Fill up all necessary details.
  5. Click on the Continue button.
  6. Review your SSL order.
  7. Make the payment.
  8. Deploy your SSL certificate on the server.

How do root certificates get updated?

The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows. Usually, a client computer polls root certificate updates one time a week. After you apply this update, the client computer can receive urgent root certificate updates within 24 hours.

Where are root certificates stored in Windows 11?

This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root. This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.

How do I view certificates in Windows 11?

To view certificates for the local device
  1. Select Run from the Start menu, and then enter certlm.msc. The Certificate Manager tool for the local device appears.
  2. To view your certificates, under Certificates - Local Computer in the left pane, expand the directory for the type of certificate you want to view.


Article information

Author: Dan Stracke

Last Updated: 20/05/2023
